802.1X; Port-Authentication Process - Dell S4048T Configuration Manual

server and the supplicant. The authenticator also changes the status of the port based on the results of
the authentication process. The Dell Networking switch is the authenticator.
• The authentication-server selects the authentication method, verifies the information the supplicant
provides, and grants it network access privileges.
Ports can be in one of two states:
• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or
out of the port.
• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In
this state, network traffic can be forwarded normally.
NOTE: The Dell Networking switches place 802.1X-enabled ports in the unauthorized state by default.
Topics:
•

Port-Authentication Process

• Configuring 802.1X
• Important Points to Remember
• Enabling 802.1X
• Configuring Request Identity Re-Transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Re-Authenticating a Port
• Configuring Timeouts
• Configuring Dynamic VLAN Assignment with Port Authentication
• Guest and Authentication-Fail VLANs
Port-Authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down
to up:
1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an
EAP Identity Request frame.
2 The supplicant responds with its identity in an EAP Response Identity frame.
3 The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS
Access-Request frame and forwards the frame to the authentication server.
4 The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests
the supplicant to prove that it is who it claims to be, using a specified method (an EAP-Method). The
challenge is translated and forwarded to the supplicant by the authenticator.
5 The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides
the Requested Challenge information in an EAP response, which is translated and forwarded to the
authentication server as another Access-Request frame.
6 If the identity information provided by the supplicant is valid, the authentication server sends an Access-
Accept frame in which network privileges are specified. The authenticator changes the port state to
authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an

802.1X

116