DELL S50V User Manual
802.1X | 109
•
The authentication-server selects the authentication method, verifies the information provided by the
supplicant, and grants it network access privileges.
supplicant, and grants it network access privileges.
Ports can be in one of two states:
•
Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in
or out of the port.
or out of the port.
•
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In
this state, network traffic can be forwarded normally.
this state, network traffic can be forwarded normally.
The Port-authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down
to up:
to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an
EAP Identity Request Frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a
RADIUS Access-Request frame, and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge. The Access-Challenge is request that the
supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The
challenge is translated and forwarded to the supplicant by the authenticator.
challenge is translated and forwarded to the supplicant by the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides
the requested challenge information in an EAP Response, which is translated and forwarded to the
authentication server as another Access-Request.
authentication server as another Access-Request.
6. If the identity information provided by the supplicant is valid, the authentication server sends an
Access-Accept frame in which network privileges are specified. The authenticator changes the port
state to authorized, and forwards an EAP Success frame. If the identity information is invalid, the
server sends and Access-Reject frame. The port state remains unauthorized, and the authenticator
forwards EAP Failure frame.
state to authorized, and forwards an EAP Success frame. If the identity information is invalid, the
server sends and Access-Reject frame. The port state remains unauthorized, and the authenticator
forwards EAP Failure frame.
Note: The Dell Force10 switches place 802.1X-enabled ports in the unauthorized state by default.