GE 82-POE Benutzerhandbuch

Chapter 4: Web-Based Management

GE-DS-82 and 82-PoE Ethernet Managed Switch User Manual

125

• Authentication Initiation and Message Exchange
The switch or the client can initiate authentication. If you enable authentication on a
port by using the dot1x port-control auto interface configuration command, the
switch must initiate authentication when it determines that the port link state
transitions from down to up. It then sends an EAP-request/identity frame to the client
to request its identity (typically, the switch sends an initial identity/request frame
followed by one or more requests for authentication information). Upon receipt of the
frame, the client responds with an EAP-response/identity frame.
However, if during bootup, the client does not receive an EAP-request/identity frame
from the switch, the client can initiate authentication by sending an EAPOL-start
frame, which prompts the switch to request the client's identity.

NOTE:

If 802.1X is not enabled or supported on the network access device, any EAPOL

frames from the client are dropped. If the client does not receive an EAP-
request/identity frame after three attempts to start authentication, the client
transmits frames as if the port is in the authorized state. A port in the authorized state
effectively means that the client has been successfully authenticated.

When the client supplies its identity, the switch begins its role as the intermediary,
passing EAP frames between the client and the authentication server until
authentication succeeds or fails. If the authentication succeeds, the switch port
becomes authorized.
The specific exchange of EAP frames depends on the authentication method being
used. "Figure 87" shows a message exchange initiated by the client using the One-
Time-Password (OTP) authentication method with a RADIUS server.