802.1X Authentication – PLANET GSW-1602SF User Manual


User’s Manual of GSW-1602SF / GSW-2404SF

4.10 802.1X Authentication

Overview of 802.1X (Port-Based) Authentication

In the 802.1X world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The switch acts as the man-in-the-middle, forwarding requests and responses between the supplicant and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC 3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs, together with other attributes such as the switch's IP address, its name, and the supplicant's port number on the switch. EAP is very flexible in that it allows for different authentication methods, such as MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) does not need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames a particular method needs. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.
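The relay step described above, as an added example that is not taken from the PLANET manual or the switch firmware: a Python sketch of how an authenticator can move an EAP PDU between EAPOL and RADIUS without interpreting the authentication method. The function names and the sample frame are constructed for illustration; the EtherType 0x888E and the RADIUS EAP-Message attribute (type 79, RFC 3579) come from the standards, not from this page.

```python
import struct

EAPOL_ETHERTYPE = 0x888E      # EtherType of 802.1X (EAPOL) frames
EAPOL_TYPE_EAP = 0            # EAPOL packet type 0 = EAP-Packet
RADIUS_EAP_MESSAGE = 79       # RADIUS EAP-Message attribute (RFC 3579)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Constructed sample: EAPOL frame with an EAP-Response/Identity for "alice".
SAMPLE_FRAME = bytes.fromhex(
    "0180c2000003" "020000000001" "888e"   # dst (PAE group), src, EtherType
    "01" "00" "000a"                       # EAPOL version, type, body length
    "02" "01" "000a" "01" "616c696365")    # EAP code, id, length, type, data

def eap_from_eapol(frame: bytes) -> bytes:
    """Supplicant side: strip Ethernet and EAPOL headers, return the EAP PDU."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    ethertype, _version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE or ptype != EAPOL_TYPE_EAP:
        raise ValueError("not an EAPOL EAP-Packet frame")
    body = frame[18:18 + body_len]
    if len(body) < max(body_len, 4):
        raise ValueError("truncated EAPOL body")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or not 4 <= eap_len <= len(body):
        raise ValueError("malformed EAP header")
    return body[:eap_len]   # the method-specific payload is never inspected

def eap_to_radius_attrs(eap: bytes) -> bytes:
    """Server side: wrap the EAP PDU in EAP-Message attributes (253 bytes max each)."""
    return b"".join(
        bytes([RADIUS_EAP_MESSAGE, len(eap[i:i + 253]) + 2]) + eap[i:i + 253]
        for i in range(0, len(eap), 253))

def eap_from_radius_attrs(attrs: bytes) -> bytes:
    """Reverse direction: concatenate EAP-Message values, skip other attributes."""
    eap, i = b"", 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if attrs[i] == RADIUS_EAP_MESSAGE:
            eap += attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return eap

if __name__ == "__main__":
    pdu = eap_from_eapol(SAMPLE_FRAME)
    print(EAP_CODES[pdu[0]], eap_to_radius_attrs(pdu).hex())
```

Large EAP PDUs (for example a TLS certificate exchange) exceed one attribute and are split across several EAP-Message attributes, which is why the reverse function concatenates them in order.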

The PLANET GSW-1602SF / GSW-2404SF supports IEEE 802.1X port-based network access control and RADIUS server authentication to make host links more secure. An 802.1X infrastructure is composed of three major components: Authenticator, Authentication server, and Supplicant.

Authentication server (RADIUS server): An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator.

Authenticator (GSW-1602SF / GSW-2404SF): An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of that link.

Supplicant (a host client): An entity at one end of a point-to-point LAN segment that is being authenticated by an authenticator attached to the other end of that link.

The instructions are divided into three parts:
