User's Manual
NPort S8000 Series Switch Featured Functions
client that requests access to the port. The client is only allowed access to the port if the client’s permission is
authenticated.
The IEEE 802.1X Concept
Three components are used to create an authentication mechanism based on 802.1X standards:
Client/Supplicant, Authentication Server, and Authenticator.
Supplicant: The end station that requests access to the LAN and switch services and responds to the requests
from the switch.
Authentication server: The server that performs the actual authentication of the supplicant.
Authenticator: Edge switch or wireless access point that acts as a proxy between the supplicant and the
authentication server, requesting identity information from the supplicant, verifying the information with the
authentication server, and relaying a response to the supplicant.
The NPort S8000 acts as an authenticator in the 802.1X environment. A supplicant and an authenticator
exchange EAPOL (Extensible Authentication Protocol over LAN) frames with each other. We can either use an
external RADIUS server as the authentication server, or implement the authentication server in the NPort
S8000 by using a Local User Database as the authentication look-up table. When we use an external RADIUS
server as the authentication server, the authenticator and the authentication server exchange EAP frames
with each other.
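The EAPOL frames that pass between a supplicant and an authenticator have a small fixed layout, so they are easy to recognize in a packet capture when troubleshooting port authentication. The following is an added example, not code from this manual or from the NPort S8000 firmware: it decodes the EAPOL header (IEEE 802.1X) and the EAP header (RFC 3748) and identifies EAPOL-Start and EAP Identity frames. The MAC addresses, the username "operator1", and the helper names are constructed for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E  # EtherType assigned to EAPOL (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPE_IDENTITY = 1

def parse_eapol(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying EAPOL; raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("EtherType is not 0x888E")
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than its length field")
    out = {"version": version, "kind": EAPOL_TYPES.get(ptype, f"type {ptype}")}
    if ptype != 0:
        return out  # Start/Logoff/Key frames carry no EAP packet
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len:
        raise ValueError("EAP length field out of range")
    out.update(kind="EAP " + EAP_CODES.get(code, f"code {code}"), eap_id=ident)
    # Only Request and Response packets have a Type octet after the header.
    if code in (1, 2) and eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
        out["kind"] += "/Identity"
        out["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return out

# Constructed sample frames: MAC addresses and username are made up.
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
SUPPLICANT = bytes.fromhex("020000000001")
SWITCH = bytes.fromhex("020000000002")

def frame(dst, src, ptype, body=b""):
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(body)) + body

def eap(code, ident, data=b""):
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

SAMPLE_EXCHANGE = [
    frame(PAE_GROUP, SUPPLICANT, 1),                               # EAPOL-Start
    frame(SUPPLICANT, SWITCH, 0, eap(1, 7, b"\x01")),              # Request/Identity
    frame(PAE_GROUP, SUPPLICANT, 0, eap(2, 7, b"\x01operator1")),  # Response/Identity
]

if __name__ == "__main__":
    print([parse_eapol(f)["kind"] for f in SAMPLE_EXCHANGE])
```

The username in the Response/Identity frame is carried as plain bytes, which is why the parser can read it without any key material.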
Authentication can be initiated either by the supplicant or the authenticator. When the supplicant initiates the
authentication process, it sends an “EAPOL-Start” frame to the authenticator. When the authenticator initiates
the authentication process or when it receives an “EAPOL-Start” frame, it sends an “EAP Request/Identity”
frame to ask for the username of the supplicant. The subsequent steps are as follows:
1. When the supplicant receives an “EAP Request/Identity” frame, it sends an “EAP Response/Identity” frame
with its username back to the authenticator.
2. If a RADIUS server is used as the authentication server, the authenticator relays the “EAP
Response/Identity” frame from the supplicant by encapsulating it into a “RADIUS Access-Request” frame
and sends it to the RADIUS server. When the authentication server receives the frame, it looks up its
database to check if the username exists. If the username is not present, the authentication server replies
with a “RADIUS Access-Reject” frame to the authenticator if the server is a RADIUS server or just indicates