Moxa Technologies EDS-726 user manual Message Exchange

Authenticator: Edge switch or wireless access point that acts as a proxy between the supplicant and the authentication server, requesting identity information from the supplicant, verifying the information with the authentication server, and relaying a response to the supplicant.

EDS-726 acts as an authenticator in the 802.1X environment. A supplicant and an authenticator exchange EAPOL (Extensible Authentication Protocol over LAN) frames with each other. We can either use an external RADIUS server as the authentication server, or implement the authentication server in EDS-726 by using a Local User Database as the authentication look-up table. When we use an external RADIUS server as the authentication server, the authenticator and the authentication server exchange EAP frames between each other.

Authentication can be initiated either by the supplicant or the authenticator. When the supplicant initiates the authentication process, it sends an “EAPOL-Start” frame to the authenticator. When the authenticator initiates the authentication process or when it receives an “EAPOL Start” frame, it sends an “EAP Request/Identity” frame to ask for the username of the supplicant. The following actions are described below:

Message Exchange

Authentication

Clientserver (RADIUS)

Port Authorized

EAPOL-Logoff

Port Unauthorized

1.When the supplicant receives an “EAP Request/Identity” frame, it sends an “EAP Response/Identity” frame with its username back to the authenticator.

2.If the RADIUS server is used as the authentication server, the authenticator relays the “EAP Response/Identity” frame from the supplicant by encapsulating it into a “RADIUS Access-Request” frame and sends to the RADIUS server. When the authentication server receives the frame, it looks up its database to check if the username exists. If the username is not present, the authentication server replies with a “RADIUS Access-Reject” frame to the authenticator if the server is a RADIUS server or just indicates failure to the authenticator if the Local User Database is used. The authenticator sends an “EAP-Failure” frame to the supplicant.

3.The RADIUS server sends a “RADIUS Access-Challenge,” which contains an “EAP Request” with an authentication type to the authenticator to ask for the password from the client. RFC 2284 defines several EAP authentication types, such as “MD5-Challenge,” “One-Time Password,” and “Generic Token Card.” Currently, only “MD5-Challenge” is supported. If the Local User Database is used, this step is skipped.

3-51