Access Control Concepts

Network Access Control Technologies

802.1X

The industry-standard Institute of Electrical and Electronics Engineers (IEEE) 802.1X protocol provides the most secure form of network access control. Its standardized framework enables vendor-neutral implementations.

802.1X binds the state of a user’s port (open or closed) to the user’s authentication state—ensuring that users are properly identified and controlled as soon as they connect to a network.

Process. An endpoint follows this process to connect to a network that enforces 802.1X authentication:

1. The endpoint, which is running an 802.1X supplicant, establishes a Data-Link Layer connection to the PEP:

   An Ethernet cable is plugged into a switch and the link opens.

   A wireless endpoint associates with a wireless AP.

Note

The 802.1X supplicant is usually running on an endpoint, as described in these steps. However, network infrastructure devices can also have supplicants, enabling them to authenticate to the network. For example, you might impose 802.1X authentication on all switch ports, even those to which APs connect. You would then configure the 802.1X supplicants on legitimate APs so that they could authenticate to the network and be granted access. Rogue APs, on the other hand, would be denied access.

2. The PEP shuts down the connection to all traffic except EAP authentication messages. It sends an EAP challenge to the endpoint’s 802.1X supplicant.

3. An 802.1X supplicant returns an EAP message that typically contains its username. The PEP proxies the supplicant’s response to the authentication server and the server’s reply back to the supplicant, thereby creating a logical connection between the supplicant and the authentication server.

4. Within this logical data tunnel, the supplicant and the authentication server exchange authentication information. The exact process, as well as the type of credentials exchanged and the security of the tunnel, depends on the EAP method, which you will learn about later.

5. The authentication server verifies the user’s credentials against its own or a centrally managed data store. The authentication server may also retrieve policy information, such as rules for the times the user is allowed on the network or rules specifying authorization instructions (for example, a VLAN assignment).
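The five steps above can be made concrete with a small model of the three parties: the supplicant, the PEP (authenticator) that gates the port and relays EAP without interpreting it, and the authentication server that holds credentials and policy. The following is an added example written for this page; it is not HP Access Control code and not a real EAP method. The HMAC challenge-response, the user store, the time-of-day rule and the VLAN values are all constructed stand-ins so the exchange runs offline. What it shows beyond the prose is the port rule of step 2 enforced as code (only EAPOL passes until the port is authorized), the PEP relaying an opaque challenge and response, and the server's step-5 policy check rejecting a valid credential presented outside its allowed hours.

```python
# Toy model of the 802.1X steps 1-5 (added example, not HP's software).
# Constructed data: the user store, secrets, time window and VLAN below are
# invented for illustration; the HMAC exchange stands in for an EAP method.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import time


@dataclass
class Policy:
    """Authorization attributes the server returns on success (step 5)."""
    vlan: int
    allowed_from: time
    allowed_until: time


class AuthenticationServer:
    """Verifies credentials against its own store and applies policy rules."""

    def __init__(self, users):
        self._users = users      # username -> (shared secret, Policy)
        self._pending = {}       # username -> nonce issued in the challenge

    def challenge(self, username):
        """Issue a fresh nonce; the PEP relays it to the supplicant."""
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def verify(self, username, response, now):
        """Check the response and the time-of-day rule; return Policy or None."""
        entry = self._users.get(username)
        nonce = self._pending.pop(username, None)
        if entry is None or nonce is None:
            return None
        secret, policy = entry
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        if not policy.allowed_from <= now <= policy.allowed_until:
            return None
        return policy


class Supplicant:
    """802.1X supplicant on the endpoint; proves the secret without sending it."""

    def __init__(self, username, secret):
        self.username = username
        self._secret = secret

    def identity(self):
        return self.username   # step 3: response carrying the username

    def answer(self, nonce):
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()  # step 4


class Authenticator:
    """The PEP: binds port state to authentication state and relays EAP."""

    def __init__(self, server):
        self._server = server
        self.authorized = False
        self.vlan = None

    def admit(self, frame_type):
        """Step 2 port rule: only EAP (EAPOL) passes until authorized."""
        return frame_type == "EAPOL" or self.authorized

    def connect(self, supplicant, now):
        """Run steps 2-5 after the link of step 1 comes up; port starts closed."""
        self.authorized, self.vlan = False, None
        identity = supplicant.identity()                 # steps 2-3
        nonce = self._server.challenge(identity)          # relayed, not inspected
        response = supplicant.answer(nonce)               # step 4
        policy = self._server.verify(identity, response, now)  # step 5
        if policy is not None:
            self.authorized, self.vlan = True, policy.vlan
        return self.authorized


def run_scenarios():
    """Constructed user store and four connection attempts; returns the outcomes."""
    users = {"alice": (b"alice-secret",
                       Policy(vlan=10, allowed_from=time(8, 0), allowed_until=time(18, 0)))}
    pep = Authenticator(AuthenticationServer(users))
    results = {"eapol_before_auth": pep.admit("EAPOL"), "ip_before_auth": pep.admit("IP")}
    results["good"] = pep.connect(Supplicant("alice", b"alice-secret"), time(12, 0))
    results["vlan"] = pep.vlan
    results["ip_after_auth"] = pep.admit("IP")
    results["bad_secret"] = pep.connect(Supplicant("alice", b"guess"), time(12, 0))
    results["off_hours"] = pep.connect(Supplicant("alice", b"alice-secret"), time(22, 0))
    results["unknown_user"] = pep.connect(Supplicant("mallory", b"x"), time(12, 0))
    results["ip_after_failure"] = pep.admit("IP")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Note that the PEP never sees the secret or the rule that rejected the off-hours attempt; it only learns accept or reject plus the VLAN, which is exactly the division of labour the steps describe.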

HP Access Control Client Software manual 802.1X