Message exchange during authentication, Figure 4 – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Page 177

Advertising
background image

Brocade ICX 6650 Security Configuration Guide

157

53-1002601-01

How 802.1X port security works

Message exchange during authentication

Figure 4

illustrates a sample exchange of messages between an 802.1X-enabled Client, a Brocade

ICX 6650 switch acting as Authenticator, and a RADIUS server acting as an Authentication Server.

FIGURE 4

Message exchange between client/supplicant, authenticator, and authentication
server

In this example, the Authenticator initiates communication with an 802.1X-enabled Client. When
the Client responds, it is prompted for a username (255 characters maximum) and password. The
Authenticator passes this information to the Authentication Server, which determines whether the
Client can access services provided by the Authenticator. When the Client is successfully
authenticated by the RADIUS server, the port is authorized. When the Client logs off, the port
becomes unauthorized again.

The Brocade 802.1X implementation supports dynamic VLAN assignment. If one of the attributes
in the Access-Accept message sent by the RADIUS server specifies a VLAN identifier, and this VLAN
is available on the Brocade device, the client port is moved from its default VLAN to the specified
VLAN. When the client disconnects from the network, the port is placed back in its default
VLAN.Refer to

“Dynamic VLAN assignment for 802.1X port configuration”

on page 166 for more

information.

If a Client does not support 802.1X, authentication cannot take place. The Brocade device sends
EAP-Request/Identity frames to the Client, but the Client does not respond to them.

When a Client that supports 802.1X attempts to gain access through a non-802.1X-enabled port, it
sends an EAP start frame to the Brocade device. When the device does not respond, the Client
considers the port to be authorized, and starts sending normal traffic.

Brocade devices support Identity and MD5-challenge requests in EAP Request/Response
messages as well as the following 802.1X authentication challenge types:

RADIUS Server

(Authentication Server)

Client/Supplicant

Port Unauthorized

EAP-Response/Identity

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/MD5-Challenge

EAP-Success

EAP-Logoff

Port Authorized

Port Unauthorized

RADIUS Access-Request

RADIUS Access-Challenge

RADIUS Access-Request

RADIUS Access-Accept

Brocade Switch
(Authenticator)

Advertising
Popular Brands
Popular manuals