Administrator Guide
• Guest and Authentication-Fail VLANs
• Configuring dot1x Profile
• Configuring the Static MAB and MAB Profile
• Configuring Critical VLAN
The Port-Authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the Requested Challenge information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6. If the identity information the supplicant provides is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
Figure 5. EAP Port-Authentication
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
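The TLV encapsulation described above, as an added example that is not part of this guide or of the switch software: it walks the attributes of a RADIUS Access-Request, reassembles the EAP packet from the type 79 attributes, and verifies the packet's integrity attribute before returning it. The 253-byte split and the Message-Authenticator attribute (type 80, HMAC-MD5) come from RFC 3579 rather than from this page; the function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib, hmac, struct

EAP_MESSAGE = 79            # Type value given in the guide
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 integrity attribute sent alongside EAP-Message
MAX_VALUE = 253             # Length is one byte and includes the 2-byte Type/Length header

def build_access_request(ident, req_auth, eap, secret):
    """Build a constructed Access-Request (code 1) that carries `eap`."""
    chunks = [eap[i:i + MAX_VALUE] for i in range(0, len(eap), MAX_VALUE)]
    attrs = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse_attributes(pkt):
    """Yield (type, value_offset, value) per TLV; reject inconsistent lengths."""
    length = struct.unpack("!H", pkt[2:4])[0] if len(pkt) >= 20 else 0
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, pos + 2, pkt[pos + 2:pos + alen]
        pos += alen

def extract_eap(pkt, secret):
    """Verify Message-Authenticator, then return the reassembled EAP packet."""
    eap, mac_off = b"", None
    for atype, off, value in parse_attributes(pkt):
        if atype == EAP_MESSAGE:
            eap += value            # fragments are concatenated in packet order
        elif atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac_off = off
    if mac_off is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    length = struct.unpack("!H", pkt[2:4])[0]
    zeroed = pkt[:mac_off] + bytes(16) + pkt[mac_off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_off:mac_off + 16]):
        raise ValueError("Message-Authenticator mismatch")
    return eap

# Constructed sample: EAP Response/Identity (code 2, type 1) too long for one attribute.
SECRET = b"example-shared-secret"
EAP = struct.pack("!BBHB", 2, 1, 305, 1) + b"user@example.test".ljust(300, b"x")
PACKET = build_access_request(7, bytes(range(16)), EAP, SECRET)
```

Calling extract_eap(PACKET, SECRET) returns the original 305-byte EAP packet, which the sample carries as two type 79 attributes of 253 and 52 bytes.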