KTI Networks KS-2262 3-12. 802.1x Configuration

111

3-12. 802.1x Configuration

802.1x port-based network access control provides a method to restrict users to

access network resources via authenticating user’s infor mation. T his restric ts users

from gaining access to the network resources through a 802.1x-enab led port

without authentication. If a user wishes to touch the network through a port u nder

802.1x control, he (she) must firstly input his (her) account name f or authentication

and waits for gaining authorization before sending or receiving any pack ets from a

802.1x-enabled port.

Before the devices or end stations can access the network resources through the

ports under 802.1x control, the devices or end stations connected to a controlled

port send the authentication request to the authenticator, the authenticator pass the

request to the authentication server to authenticate and verif y, and the server tell

the authenticator if the request get the grant of authorization for the ports.

According to IEEE802.1x, there are three components implem ented. They are

Authenticator, Supplicant and Authentication server.

Supplicant:

It is an entity being authenticated by an authenticator. It is used to

communicate with the Authenticator PAE (Port Access Entity) by

exchanging the authentication message when the Authenticator PAE

request to it.

Authenticator:

An entity facilitates the authentication of the supplicant entit y. It controls

the state of the port, authorized or unauthorized, according to the resu lt

of authentication message exchanged between it and a supplic ant PAE.

The authenticator may request the supplicant to re-aut henticate itself at a

configured time period. Once start re-authenticating the supplicant, the

controlled port keeps in the authorized state until re-authentication fails.

A port acting as an authenticator is thought to be two logical ports, a

controlled port and an uncontrolled port. A controlled port can only pass

the packets when the authenticator PAE is authorized, and otherwise, an

uncontrolled port will unconditionally pass the packets with PAE group

MAC address, which has the value of 01-80-c2-00-00-03 and will not be

forwarded by MAC bridge, at any time.

Authentication server:

A device provides authentication service, through EAP, to an

authenticator by using authentication credentials suppli ed by the

supplicant to determine if the supplicant is authorized to access the

network resource.