Moxa Technologies EDS-510A, Moxa EtherDevice Switch EDS-510A Series Users Manual Featured Functions , 3-50

EDS-510A Series User’s Manual Featured Functions

3-50

The EDS-510A acts as an authenticator in the 802.1X environment. A supplicant and an

authenticator exchange EAPOL (Extensible Authentication Protocol over LAN) frames with each

other. We can either use an external RADIUS server as the authentication server, or implement the

authentication server in the EDS-510A by using a Local User Database as the authentication

look-up table. When we use an external RADIUS server as the authentication server, the

authenticator and the authentication server exchange EAP frames between each other.

Authentication can be initiated either by the supplicant or the authenticator. When the supplicant

initiates the authentication process, it sends an “EAPOL-Start” frame to the authenticator. When

the authenticator initiates the authentication process or when it receives an “EAPOL Start” frame,

it sends an “EAP Request/Identity” frame to ask for the username of the supplicant. The following

actions are described below:

Message Exchange

Authentication

server

(RADIUS)

Client

EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/OTP

EAP-Response/OTP

EAP-Success

EAPOL-Logoff

Port Authorized

Port Unauthorized

RADIUS Access-Request

RADIUS Access-Challenge

RADIUS Access-Request

RADIUS Access-Accept

1. When the supplicant receives an “EAP Request/Identity” frame, it sends an “EAP

Response/Identity” frame with its username back to the authenticator.

2. If the RADIUS server is used as the authentication server, the authenticator relays the “EAP

Response/Identity” frame from the supplicant by encapsulating it into a “RADIUS

Access-Request” frame and sends to the RADIUS server. When the authentication server

receives the frame, it looks up its database to check if the username exists. If the username is

not present, the authentication server replies with a “RADIUS Access-Reject” frame to the

authenticator if the server is a RADIUS server or just indicates failure to the authenticator if

the Local User Database is used. The authenticator sends an “EAP-Failure” frame to the

supplicant.

3. The RADIUS server sends a “RADIUS Access-Challenge,” which contains an “EAP Request”

with an authentication type to the authenticator to ask for the password from the client. RFC

2284 defines several EAP authentication types, such as “MD5-Challenge,” “One-Time

Password,” and “Generic Token Card.” Currently, only “MD5-Challenge” is supported. If the

Local User Database is used, this step is skipped.

4. The authenticator sends an “EAP Request/MD5-Challenge” frame to the supplicant. If the

RADIUS server is used, the “EAP Request/MD5-Challenge” frame is retrieved directly from

the “RADIUS Access-Challenge” frame.