Authentication process – Allied Telesis AT-S63 User Manual

Page 621

AT-S63 Management Software Menus Interface User’s Guide

Section IV: Security


prohibits network access by a supplicant until the network user
has entered a valid username and password.

❑ Authentication server - The authentication server is the network device that runs the RADIUS server software. This is the device that does the actual authenticating of the usernames and passwords from the supplicants.

The AT-9400 Series switch does not authenticate any of the usernames and passwords from the end users. Rather, it acts as an intermediary between a supplicant and the authentication server during the authentication process.

Authentication Process

Below is a brief overview of the authentication process that occurs between a supplicant, authenticator, and authentication server. For further details, refer to the IEEE 802.1x standard.

❑ Either the authenticator (that is, a switch port) or the supplicant initiates an authentication message exchange. The switch initiates an exchange when it detects a change in the status of a port (such as when the port transitions from no link to valid link), or if it receives a packet on the port with a source MAC address not in the MAC address table.

An authenticator starts the exchange by sending an EAP-Request/Identity packet. A supplicant starts the exchange with an EAPOL-Start packet, to which the authenticator responds with an EAP-Request/Identity packet.

❑ The supplicant responds with an EAP-Response/Identity packet to the authentication server via the authenticator.

❑ The authentication server responds with an EAP-Request packet to the supplicant via the authenticator.

❑ The supplicant responds with an EAP-Response/MD5 packet containing a username and password.

❑ The authentication server sends either an EAP-Success packet or an EAP-Reject packet to the supplicant.

❑ Upon successful authorization of the supplicant by the authentication server, the switch adds the supplicant’s MAC address to the MAC address table as an authorized address and begins forwarding network traffic to and from the port.

❑ When the supplicant sends an EAPOL-Logoff message, the switch removes the supplicant’s MAC address from the MAC address table, preventing the supplicant from sending or receiving any further traffic on the port.
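The exchange above, modelled as an added example that is not part of the manual or the AT-S63 software: a minimal authenticator that builds and parses EAPOL/EAP packets (header layouts and code values from IEEE 802.1X and RFC 3748), relays EAP responses toward the server, and only enters or removes a MAC in its table on EAP-Success, EAP-Failure (the manual's EAP-Reject) or EAPOL-Logoff. The `Authenticator` class, its method names and the in-memory `authorized` set are constructed for illustration.

```python
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes / method types (RFC 3748).
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

def eapol(ptype, body=b""):
    """EAPOL header: version(1) type(1) body length(2), followed by the body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def eap(code, ident, etype=None, data=b""):
    """EAP packet: code(1) identifier(1) length(2) [type(1) type-data]."""
    payload = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eap(pkt):
    """Return (code, identifier, type, type-data); reject inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

class Authenticator:
    """Constructed switch-port authenticator: relays EAP, gates forwarding on the MAC table."""
    def __init__(self):
        self.authorized = set()   # MACs entered in the MAC address table as authorized
        self.to_server = []       # EAP responses relayed to the RADIUS server (kept for tests)

    def port_event(self):
        """Link up or unknown source MAC: the switch opens with EAP-Request/Identity."""
        return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))

    def from_supplicant(self, mac, frame):
        """Handle an EAPOL frame from the supplicant; return a reply frame or None."""
        _, ptype, length = struct.unpack("!BBH", frame[:4])
        body = frame[4:4 + length]
        if ptype == EAPOL_START:       # supplicant-initiated: reply with EAP-Request/Identity
            return self.port_event()
        if ptype == EAPOL_LOGOFF:      # remove the MAC so no further traffic is forwarded
            self.authorized.discard(mac)
            return None
        if ptype == EAPOL_EAP_PACKET and parse_eap(body)[0] == EAP_RESPONSE:
            self.to_server.append(body)   # Identity / MD5 responses are relayed unchanged
        return None

    def from_server(self, mac, pkt):
        """Relay the server's EAP packet; only Success/Failure change the MAC table."""
        code = parse_eap(pkt)[0]
        if code == EAP_SUCCESS:
            self.authorized.add(mac)
        elif code == EAP_FAILURE:
            self.authorized.discard(mac)
        return eapol(EAPOL_EAP_PACKET, pkt)
```

Note that a supplicant's EAP-Response never authorizes anything by itself; the MAC is admitted only when the server's EAP-Success arrives, which is the property a port-based access control implementation must preserve.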
