User guide

802.1X Overview Configuring 802.1X
page 21-4 OmniSwitch 6600 Family Network Configuration Guide April 2005
802.1X Overview
The 802.1X standard defines port-based network access controls, and provides the structure for
authenticating physical devices attached to a LAN. It uses the Extensible Authentication Protocol (EAP).
There are three components for 802.1X:
The Supplicant—This is the device connected to the switch. The device may be connected directly to
the switch or via a point-to-point LAN segment. Typically the supplicant is a PC or laptop.
The Authenticator Port Access Entity (PAE)—This entity requires authentication from the
supplicant. The authenticator is connected to the supplicant directly or via a point-to-point LAN segment.
The OmniSwitch acts as the authenticator.
The Authentication Server—This component provides the authentication service and verifies the
credentials (username, password, challenge, etc.) of the supplicant. On the OmniSwitch, only RADIUS
servers are currently supported for 802.1X authentication.
Note. The OmniSwitch itself cannot be an 802.1X supplicant.
802.1X Port Behavior
Before any device is authenticated through an 802.1X port, the port will only process 802.1X frames (EAP
frames) from an unknown source.
When an EAP frame or an unknown source data frame is received from a supplicant, the switch sends an
EAP packet to request the supplicant’s identity. The supplicant then sends the information (an EAP
response), which is validated on an authentication server set up for authenticating 802.1X ports. The server
determines whether additional information (a challenge, or secret) is required from the supplicant.
After the supplicant is successfully authenticated, the MAC address of the supplicant is learned in the
appropriate VLAN depending on the following conditions:
If the authentication server returned a VLAN ID, then the supplicant is assigned to that VLAN. All
subsequent traffic from the supplicant is then forwarded on that VLAN.
If the authentication server does not return a VLAN ID, then the supplicant is classified by Group
Mobility and dynamically assigned to a VLAN or carried on the default VLAN for the 802.1X port.
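The port behavior and VLAN selection described above, modeled in Python as an added example (not code from this guide or from the OmniSwitch). The `mobility_rules` MAC-to-VLAN table is a simplified, hypothetical stand-in for Group Mobility, and all frames and addresses are constructed.

```python
import struct

ETH_P_EAPOL = 0x888E  # EtherType for EAP over LAN (IEEE 802.1X)

class Dot1xPort:
    """Simplified model of one 802.1X port on the authenticator."""
    def __init__(self, default_vlan, mobility_rules=None):
        self.default_vlan = default_vlan
        # Assumption: Group Mobility reduced to a source MAC -> VLAN ID table.
        self.mobility_rules = mobility_rules or {}
        self.learned = {}  # authenticated source MAC -> VLAN ID

    def receive(self, frame):
        """Return the action taken for one raw Ethernet frame."""
        if len(frame) < 14:
            return "drop-malformed"
        src = frame[6:12].hex(":")
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_P_EAPOL:
            return "process-eap"
        if src in self.learned:
            return f"forward-vlan-{self.learned[src]}"
        # Data frame from an unknown source: not forwarded, identity requested.
        return "drop-and-request-identity"

    def auth_success(self, mac, radius_vlan=None):
        """Learn the MAC after successful authentication; return its VLAN."""
        if radius_vlan is not None:
            vlan = radius_vlan  # a VLAN ID returned by the server takes precedence
        else:
            # Otherwise classify by rule, falling back to the port default VLAN.
            vlan = self.mobility_rules.get(mac, self.default_vlan)
        self.learned[mac] = vlan
        return vlan

def eth(src, ethertype, payload=b"", dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed Ethernet frame for the demonstration."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return raw(dst) + raw(src) + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    port = Dot1xPort(default_vlan=1, mobility_rules={"00:11:22:33:44:66": 20})
    pc = "00:11:22:33:44:55"  # constructed supplicant MAC
    print(port.receive(eth(pc, 0x0800)))             # IPv4 data before authentication
    print(port.receive(eth(pc, ETH_P_EAPOL, b"\x01\x01\x00\x00")))  # EAPOL-Start
    print(port.auth_success(pc, radius_vlan=30))     # server returned a VLAN ID
    print(port.receive(eth(pc, 0x0800)))             # same data frame after authentication
```

In this model the forwarding decision after authentication is keyed only on the learned source MAC address, which is the property to keep in mind when reviewing what an authenticated 802.1X port will accept.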
[Figure: 802.1X Components. Labels: Supplicant (PC), login request, Authenticator PAE (OmniSwitch 6648), authentication request, Authentication Server (RADIUS server), authorization granted.]