User guide – Luxul XMS-1024P User Manual

211

User Guide

© 2014 Luxul. All Rights Reserved.

Other trademarks and registered trademarks are the property of their respective owners

„

EAP protocol packets transmitted between the Authenticator and the RADIUS
Server can either be encapsulated as EAPOR (EAP over RADIUS) packets or the
Supplicant transmission will be terminated at Authenticator and the Authenticator
then communicates with RADIUS Servers through PAP (Password Authentication
Protocol) or CHAP (Challenge Handshake Authentication Protocol) protocol packets.

„

When a Supplicant passes Authentication, the Authentication Server passes the
information about the Supplicant to the Authenticator. The Authenticator in turn
determines the state (Authorized or Unauthorized) of the controlled Port according
to the instructions (Accept or Reject) received from the RADIUS Server.

802.1X/RADIUS Authentication Procedure

802.1X/RADIUS Authentication can be initiated by Supplicant or Authenticator. When
the Authenticator detects an Unauthenticated Supplicant, it will initiate the 802.1X/
RADIUS Authentication by sending EAP-Request/Identity packets to the Supplicant.
The Supplicant can also launch an 802.1X/RADIUS Client program to initiate an 802.1X/
RADIUS Authentication process by sending an EAPOL-Start packet to the Switch,

This LUXUL Switch can authenticate Supplicants in EAP relay mode or EAP termination
mode. The illustration below of these two modes outlines this process.

EAP Relay Mode

This mode is defined in 802.1X. In this mode EAP-packets are encapsulated in a higher
level protocol (such as EAPOR) to allow them to successfully reach the Authentication
Server. This mode normally requires a RADIUS Server that supports the two fields of
EAP: the EAP-Message Field and the Message-Authenticator Field. This Switch supports
EAP-MD5 Authentication when using EAP relay mode. The following figure depicts the
basic EAP-MD5 Authentication procedure.