Alcatel-Lucent 6850-48 Network Guide

Configuring 802.1X
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 37-5
802.1X Overview
The 802.1X standard defines port-based network access controls, and provides the structure for
authenticating physical devices attached to a LAN. It uses the Extensible Authentication Protocol (EAP).
There are three components for 802.1X:
• The Supplicant: This is the device connected to the switch that supports the 802.1X protocol. The
device may be connected directly to the switch or via a point-to-point LAN segment. Typically the
supplicant is a PC or laptop.
• The Authenticator Port Access Entity (PAE): This entity requires authentication from the
supplicant. The authenticator is connected to the supplicant directly or via a point-to-point LAN segment.
The OmniSwitch acts as the authenticator.
• The Authentication Server: This component provides the authentication service and verifies the
credentials (username, password, challenge, etc.) of the supplicant. On the OmniSwitch, only RADIUS
servers are currently supported for 802.1X authentication.
Note. The OmniSwitch itself cannot be an 802.1X supplicant.
A device that does not use the 802.1x protocol for authentication is referred to as a non-supplicant. The 
Access Guardian feature provides configurable device classification policies to authenticate access of both 
supplicant and non-supplicant devices on 802.1x ports. See 
 
for more information. 
Supplicant Classification
When an EAP frame or an unknown source data frame is received from a supplicant, the switch sends an 
EAP packet to request the supplicant’s identity. The supplicant then sends the information (an EAP 
response), which is validated on an authentication server set up for authenticating 802.1X ports. The 
server determines whether additional information (a challenge, or secret) is required from the supplicant.
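The identity exchange described above, as an added example (not from the Alcatel-Lucent guide or AOS code): a Python builder and length-checking parser for the EAPOL frames that carry the EAP identity request and response. The EtherType, PAE group address and code values come from IEEE 802.1X and RFC 3748; the MAC addresses and the identity "alice" are constructed, and frames are assumed to be untagged.

```python
import struct

# Constants from IEEE 802.1X / RFC 3748, not from the OmniSwitch guide.
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
EAPOL_EAP_PACKET = 0
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1

def build_eap(code, ident, eap_type=None, data=b""):
    """Build an EAP packet; Success/Failure carry no Type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def build_eapol(dst, src, eapol_type, payload=b""):
    """Wrap a payload in an untagged Ethernet header plus EAPOL header (version 1)."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(payload))
    return dst + src + hdr + payload

def parse_eapol(frame):
    """Parse an EAPOL frame, rejecting truncated or inconsistent lengths."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]  # ignore Ethernet padding after the body
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    out = {"src": frame[6:12].hex(":"), "eapol_type": eapol_type}
    if eapol_type != EAPOL_EAP_PACKET:
        return out  # e.g. EAPOL-Start or EAPOL-Logoff, no EAP payload
    if body_len < 4:
        raise ValueError("EAP header too short")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("bad EAP length")
    out.update(code=code, id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_len < 5:
            raise ValueError("missing EAP Type")
        out.update(type=body[4], data=body[5:eap_len])
    return out

# Constructed sample exchange: the switch asks for identity, the supplicant answers.
SWITCH, PC = bytes.fromhex("020000000001"), bytes.fromhex("0200000000aa")
REQ = build_eapol(PAE_GROUP_MAC, SWITCH, EAPOL_EAP_PACKET,
                  build_eap(EAP_REQUEST, 7, EAP_TYPE_IDENTITY))
RESP = build_eapol(PAE_GROUP_MAC, PC, EAPOL_EAP_PACKET,
                   build_eap(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, b"alice"))
```

The response reuses the request's Identifier (7 here), which is how an authenticator pairs an answer with its outstanding request.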
After the supplicant is successfully authenticated, the MAC address of the supplicant is learned in the 
appropriate VLAN depending on the following conditions:
• If the authentication server returned a VLAN ID, then the supplicant is assigned to that VLAN. All 
subsequent traffic from the supplicant is then forwarded on that VLAN.
[Figure: 802.1X Components. Labels: Supplicant (PC), Authenticator PAE (OmniSwitch), Authentication Server (RADIUS server). Flow labels: login request, authentication request, authorization granted.]