Eapol message exchange – Blade ICE G8000 User Manual
Page 42
RackSwitch G8000 Application Guide
42
Chapter 2: Port-based Network Access Control
BMD00041, November 2008
EAPoL message exchange
During authentication, EAPOL messages are exchanged between the client and the G8000
authenticator, while RADIUS-EAP messages are exchanged between the G8000 authenticator
and the RADIUS server.
Authentication is initiated by one of the following methods:
The G8000 authenticator sends an EAP-Request/Identity packet to the client
Client sends an EAPOL-Start frame to the G8000 authenticator, which responds with an
EAP-Request/Identity frame.
The client confirms its identity by sending an EAP-Response/Identity frame to the G8000
authenticator, which forwards the frame encapsulated in a RADIUS packet to the server.
The RADIUS authentication server chooses an EAP-supported authentication algorithm to
verify the client’s identity, and sends an EAP-Request packet to the client via the G8000
authenticator. The client then replies to the RADIUS server with an EAP-Response containing
its credentials.
Upon a successful authentication of the client by the server, the 802.1X-controlled port transi-
tions from unauthorized to authorized state, and the client is allowed full access to services
through the controlled port. When the client later sends an EAPOL-Logoff message to the
G8000 authenticator, the port transitions from authorized to unauthorized state.
If a client that does not support 802.1X connects to an 802.1X-controlled port, the G8000
authenticator requests the client's identity when it detects a change in the operational state of
the port. The client does not respond to the request, and the port remains in the unauthorized
state.
N
OTE
– When an 802.1X-enabled client connects to a port that is not 802.1X-controlled, the cli-
ent initiates the authentication process by sending an EAPOL-Start frame. When no response is
received, the client retransmits the request for a fixed number of times. If no response is
received, the client assumes the port is in authorized state, and begins sending frames, even if
the port is unauthorized.