Message exchange during authentication – Brocade BigIron RX Series Configuration Guide User Manual

Page 1127

Advertising
background image

BigIron RX Series Configuration Guide

1049

53-1002484-04

How 802.1x port security works

34

Message exchange during authentication

Figure 137

illustrates a sample exchange of messages between an 802.1x-enabled Client, a

BigIron RX acting as Authenticator, and a RADIUS server acting as an Authentication Server.

FIGURE 137

Message exchange between Client/Supplicant, Authenticator, and Authentication
Server

In this example, the Authenticator (the BigIron RX device) initiates communication with an
802.1x-enabled Client. When the Client responds, it is prompted for a username (255 characters
maximum) and password. The Authenticator passes this information to the Authentication Server,
which determines whether the Client can access services provided by the Authenticator. When the
Client is successfully authenticated by the RADIUS server, the port is authorized. When the Client
logs off, the port becomes unauthorized again.

Brocade’s 802.1x implementation supports dynamic VLAN assignment. If one of the attributes in
the Access-Accept message sent by the RADIUS server specifies a VLAN identifier, and this VLAN is
available on the BigIron RX device, the client’s port is moved from its default VLAN to the specified
VLAN. When the client disconnects from the network, the port is placed back in its default VLAN.
Refer to

“Configuring dynamic VLAN assignment for 802.1x ports”

on page 1054 for more

information.

Brocade’s 802.1x implementation supports dynamically applying an IP ACL or MAC address filter to
a port, based on information received from the Authentication Server.

If a Client does not support 802.1x, authentication cannot take place. The BigIron RX sends
EAP-Request/Identity frames to the Client, but the Client does not respond to them.

RADIUS Server

(Authentication Server)

BigIron Device

(Authenticator)

Client/Supplicant

Port Unauthorized

EAP-Response/Identity

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/MD5-Challenge

EAP-Success

EAP-Logoff

Port Authorized

Port Unauthorized

RADIUS Access-Request

RADIUS Access-Challenge

RADIUS Access-Request

RADIUS Access-Accept

Advertising
Popular Brands
Popular manuals