ACCESS USING RADIUS

CHAPTER 7: ACCESS USING RADIUS

access to services that are accessible via that port. The authenticator is responsible for communication with the supplicant and for submitting the information received from the supplicant to a suitable authentication server. This allows the verification of user credentials to determine the consequent port authorization state. It is important to note that the authenticator's functionality is independent of the actual authentication method. It effectively acts as a pass-through for the authentication exchange.

FIGURE 7–1: 802.1x network components

The RADIUS server is the authentication server. The authentication server provides a standard way of providing Authentication, Authorization, and Accounting services to a network. Extensible Authentication Protocol (EAP) is an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as PPP or IEEE 802, without requiring IP. EAP over LAN (EAPOL) encapsulates EAP packets onto 802 frames with a few extensions to handle 802 characteristics. EAP over RADIUS encapsulates EAP packets onto RADIUS packets for relaying to RADIUS authentication servers.

The details of the 802.1x authentication are as follows.

1. The supplicant (host) is initially blocked from accessing the network. A supplicant wanting to access these services starts by sending an EAPOL-Start frame.

2. The authenticator (MultiLink ML1200 Managed Field Switch), upon receiving an EAPOL-Start frame, responds by sending an EAP-Request/Identity frame back to the supplicant. This tells the supplicant to provide its identity.

3. The supplicant then sends back its own identification using an EAP-Response/Identity frame to the authenticator (MultiLink ML1200 Managed Field Switch). The authenticator then relays this to the authentication server by encapsulating the EAP frame in a RADIUS-Access-Request packet.

4. The RADIUS server then sends the authenticator a RADIUS-Access-Challenge packet.

5. The authenticator (MultiLink ML1200 Managed Field Switch) relays this challenge to the supplicant using an EAP-Request frame. This requests the supplicant to pass its credentials for authentication.

6. The supplicant sends its credentials using an EAP-Response packet.

7. The authenticator relays them using a RADIUS-Access-Request packet.

8. If the supplicant's credentials are valid, a RADIUS-Access-Accept packet is sent to the authenticator.

9. The authenticator then relays this on as an EAP-Success and provides access to the network.
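The relay in steps 3 and 7 can be made concrete with a short Python sketch. This is an added example, not code from the manual or from the switch firmware: it wraps a supplicant's EAP frame unmodified in a RADIUS Access-Request and has the server side verify the packet before accepting the EAP payload. It goes beyond the manual in following the EAP-Message and Message-Authenticator attribute layout of RFC 3579; the function names, shared secret and identity are constructed for illustration.

```python
import hashlib, hmac, os, struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1              # EAP code and type (RFC 3748)
ACCESS_REQUEST = 1                                  # RADIUS code (RFC 2865)
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 79, 80

def eap_response(ident, eap_type, data):
    """Supplicant's EAP-Response: code, identifier, 2-byte length, type, data."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type) + data

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value   # type, length, value

def relay_to_radius(eap, secret, radius_id=1):
    """Authenticator: pass the EAP frame through inside a RADIUS Access-Request."""
    attrs = b""
    if 5 < len(eap) <= 258 and eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        attrs += _attr(ATTR_USER_NAME, eap[5:])      # identity copied to User-Name
    for i in range(0, len(eap), 253):                # an attribute value holds <= 253 bytes
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MSG_AUTH, bytes(16))         # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    pkt = header + os.urandom(16) + attrs            # random Request Authenticator
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def server_receive(pkt, secret):
    """Authentication server: check Message-Authenticator, then reassemble EAP."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad length field")
    zeroed, eap, mac, pos = bytearray(pkt[:length]), b"", None, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, end = pkt[pos], pos + pkt[pos + 1]
        if attr_type == ATTR_EAP_MESSAGE:
            eap += pkt[pos + 2:end]                  # fragments are concatenated in order
        elif attr_type == ATTR_MSG_AUTH:
            mac = pkt[pos + 2:end]
            zeroed[pos + 2:end] = bytes(end - pos - 2)
        pos = end
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator missing or invalid")
    return code, eap

if __name__ == "__main__":
    frame = eap_response(7, EAP_TYPE_IDENTITY, b"operator1")   # constructed identity
    print(server_receive(relay_to_radius(frame, b"constructed-secret"), b"constructed-secret"))
```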


MULTILINK ML1200 MANAGED FIELD SWITCH – INSTRUCTION MANUAL
