Authentication process – Allied Telesis AT-S63 User Manual


AT-S63 Management Software Features Guide

Section VIII: Port Security


Authentication Process

Below is a brief overview of the authentication process that occurs
between a supplicant, authenticator, and authentication server. For further
details, refer to the IEEE 802.1x standard.

- Either the authenticator (that is, a switch port) or the supplicant initiates
  an authentication message exchange. The switch initiates an
  exchange when it detects a change in the status of a port (such as
  when the port transitions from no link to valid link), or if it receives a
  packet on the port with a source MAC address not in the MAC address
  table.

- An authenticator starts the exchange by sending an EAP-Request/Identity
  packet. A supplicant starts the exchange with an EAPOL-Start
  packet, to which the authenticator responds with an EAP-Request/Identity
  packet.

- The supplicant responds with an EAP-Response/Identity packet to the
  authentication server via the authenticator.

- The authentication server responds with an EAP-Request packet to
  the supplicant via the authenticator.

- The supplicant responds with an EAP-Response/MD5 packet
  containing a username and password.

- The authentication server sends either an EAP-Success packet or
  EAP-Reject packet to the supplicant.

- Upon successful authorization of the supplicant by the authentication
  server, the switch adds the supplicant’s MAC address to the MAC
  address table as an authorized address and begins forwarding network
  traffic to and from the port.

- When the supplicant sends an EAPOL-Logoff message, the switch
  removes the supplicant’s MAC address from the MAC address table,
  preventing the supplicant from sending or receiving any further traffic
  from the port.
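
When a port refuses to authorize, decoding the captured EAPOL frames shows which step of the exchange above was the last one seen. The following Python is an added example, not part of the Allied Telesis manual: it reads the EAPOL and EAP headers (field layout per IEEE 802.1X and RFC 3748) and names each message. The sample frames, identity and challenge bytes are constructed, and the helper names are hypothetical.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
# RFC 3748 names code 4 "Failure"; it is the rejection outcome in the overview.
EAP_CODES = {1: "EAP-Request", 2: "EAP-Response", 3: "EAP-Success", 4: "EAP-Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge"}

def describe_eapol(payload: bytes) -> str:
    """Name the 802.1X message in an EAPOL payload (bytes after EtherType 0x888E)."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]          # slicing drops Ethernet padding
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than its length field")
    if ptype != 0:                          # Start/Logoff carry no EAP packet
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length field")
    name = EAP_CODES.get(code, f"EAP-code-{code}")
    if code in (1, 2):                      # only Request/Response have a Type
        if eap_len < 5:
            raise ValueError("Request/Response without a Type byte")
        name += "/" + EAP_METHODS.get(body[4], f"type-{body[4]}")
    return name

def eap(code, ident, method=None, data=b""):
    """Build a constructed EAP packet wrapped in an EAPOL header (version 1)."""
    inner = (bytes([method]) + data) if method is not None else b""
    pkt = struct.pack("!BBH", code, ident, 4 + len(inner)) + inner
    return struct.pack("!BBH", 1, 0, len(pkt)) + pkt

# Constructed sample exchange, in the order the overview describes it.
SAMPLE = [
    struct.pack("!BBH", 1, 1, 0),           # supplicant: EAPOL-Start
    eap(1, 1, 1),                           # authenticator: Request/Identity
    eap(2, 1, 1, b"user1"),                 # supplicant: Response/Identity
    eap(1, 2, 4, bytes([16]) + bytes(16)),  # server: MD5 challenge
    eap(2, 2, 4, bytes([16]) + bytes(16)),  # supplicant: MD5 response
    eap(3, 2),                              # server: Success
    struct.pack("!BBH", 1, 2, 0),           # supplicant: EAPOL-Logoff
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(describe_eapol(frame))
```
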
