Message exchange during authentication, Figure 117 – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 979

Advertising
background image

Brocade TurboIron 24X Series Configuration Guide

945

53-1003053-01

How 802.1X port security works

Message exchange during authentication

Figure 117

illustrates a sample exchange of messages between an 802.1X-enabled Client, a switch

acting as Authenticator, and a RADIUS server acting as an Authentication Server.

FIGURE 117

Message exchange between client/supplicant, authenticator, and authentication
server

In this example, the Authenticator initiates communication with an 802.1X-enabled Client. When
the Client responds, it is prompted for a username (48 characters maximum) and password. The
Authenticator passes this information to the Authentication Server, which determines whether the
Client can access services provided by the Authenticator. When the Client is successfully
authenticated by the RADIUS server, the port is authorized. When the Client logs off, the port
becomes unauthorized again.

The Brocade 802.1X implementation supports dynamic VLAN assignment. If one of the attributes
in the Access-Accept message sent by the RADIUS server specifies a VLAN identifier, and this VLAN
is available on the device, the client port is moved from its default VLAN to the specified VLAN.
When the client disconnects from the network, the port is placed back in its default VLAN.Refer to

“Configuring dynamic VLAN assignment for 802.1X ports”

on page 954 for more information.

If a Client does not support 802.1X, authentication cannot take place. The device sends
EAP-Request/Identity frames to the Client, but the Client does not respond to them.

When a Client that supports 802.1X attempts to gain access through a non-802.1X-enabled port, it
sends an EAP start frame to the device. When the device does not respond, the Client considers
the port to be authorized, and starts sending normal traffic.

Devices support Identity and MD5-challenge requests in EAP Request/Response messages.

NOTE

Refer to also

“EAP pass-through support”

on page 946.

RADIUS Server

(Authentication Server)

Client/Supplicant

Port Unauthorized

EAP-Response/Identity

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/MD5-Challenge

EAP-Success

EAP-Logoff

Port Authorized

Port Unauthorized

RADIUS Access-Request

RADIUS Access-Challenge

RADIUS Access-Request

RADIUS Access-Accept

Switch

(Authenticator)

Advertising
Popular Brands
Popular manuals