Authentication Initiation And Message Exchange - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Chapter 40
Configuring 802.1X Authentication

Authentication Initiation and Message Exchange

Either the switch or the host can initiate authentication. If you enable authentication on a port with the set
port dot1x mod/port port-control auto command, the switch initiates authentication when it detects the
port link state transitioning from down to up: it sends an EAP-request/identity frame to the host to request
its identity (typically an initial EAP-request/identity frame followed by one or more requests for
authentication information). When the host receives the frame, it replies with an EAP-response/identity frame.
During bootup, if the host does not receive an EAP-request/identity frame from the switch, the host can
initiate authentication itself by sending an EAPOL-start frame, which prompts the switch to request the
host's identity.
Note
If 802.1X is not enabled or supported on the network access device, the device drops any EAPOL frames
from the host. If the host does not receive an EAP-request/identity frame after three attempts to start
authentication, it transmits frames as if the port were in the authorized state. This is supplicant behavior
that lets an 802.1X-capable host work on a network without 802.1X; on a port where 802.1X is enabled,
the port stays unauthorized and passes only EAPOL traffic until the authentication server has authorized
the host. A port in the authorized state means that the host has been successfully authenticated. For more
information, see the "Ports in Authorized and Unauthorized States" section on page 40-4.

Understanding How 802.1X Authentication Works

Supplicant—Requests access to the LAN and switch services and responds to requests from the
switch. The workstation must be running 802.1X-compliant software.
Note
802.1X uses the term supplicant for client or host. In this publication, we use host instead
of supplicant because host is used in the Catalyst 6500 series CLI syntax.
Authentication server—Performs the actual authentication of the host. The authentication server
validates the identity of the host and notifies the switch if the host is authorized to access the LAN
and switch services. Because the switch acts as the proxy, the authentication service is transparent
to the host. In this release, the Remote Authentication Dial-In User Service (RADIUS) security
system with Extensible Authentication Protocol (EAP) extensions is the only supported
authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS
operates in a client/server model in which secure authentication information is exchanged between
the RADIUS server and one or more RADIUS clients.
Switch—Controls the physical access to the network based on the authentication status of the host.
The switch acts as an intermediary (proxy) between the host and the authentication server,
requesting identity information from the host, verifying that information with the authentication
server, and relaying a response to the host. The switch interacts with the RADIUS client. The
RADIUS client encapsulates and decapsulates the EAP frames and interacts with the authentication
server.
When the switch receives Extensible Authentication Protocol over LAN (EAPOL) frames and relays them to
the authentication server, it strips the Ethernet header and re-encapsulates the remaining EAP packet in
RADIUS format. The EAP packet is neither modified nor examined during encapsulation, so the
authentication server must support EAP in its native frame format. When the switch receives a frame from
the authentication server, it removes the server's frame header, leaving the EAP packet, which it then
encapsulates for Ethernet and sends to the host.
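The initiation sequence described under "Authentication Initiation and Message Exchange" and the EAPOL-to-RADIUS re-encapsulation described in the preceding paragraph, as an added example that is not code from the Cisco guide. It builds the EAPOL-start, EAP-request/identity and EAP-response/identity frames, then does what the switch does: strips the Ethernet/EAPOL header, copies the EAP packet unchanged into RADIUS EAP-Message attributes, and seals the Access-Request with the Message-Authenticator that RFC 3579 requires for EAP. The MAC addresses, the identity and the RADIUS shared secret are constructed for the demo.

```python
"""Added example (not from the Cisco guide): 802.1X initiation frames and the
EAPOL -> RADIUS re-encapsulation an authenticator performs (RFC 3579
EAP-Message / Message-Authenticator). MACs, identity and secret are constructed."""
import hashlib
import hmac
import os
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE multicast address
ETH_P_EAPOL = 0x888E
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header (code, identifier, length) followed by optional type + data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def eapol_frame(src, dst, pkt_type, body=b""):
    """Ethernet header + EAPOL header around an (optional) EAP packet."""
    return (dst + src + struct.pack("!H", ETH_P_EAPOL)
            + struct.pack("!BBH", EAPOL_VERSION, pkt_type, len(body)) + body)


def parse_eapol(frame):
    """Strip the Ethernet header; return (source MAC, EAPOL packet type, EAP bytes)."""
    src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_EAPOL:
        raise ValueError("not an EAPOL frame")
    _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return src, ptype, body


def parse_eap(pkt):
    """Return (code, identifier, type or None, data) from a raw EAP packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


def radius_access_request(secret, eap, identity, request_authenticator):
    """Wrap an EAP packet in a RADIUS Access-Request. The EAP bytes go unchanged
    into EAP-Message attributes (at most 253 bytes each); Message-Authenticator is
    HMAC-MD5(secret, packet with that attribute's value zeroed), per RFC 3579 3.2.
    The RADIUS identifier is fixed at 0 here; a real client must vary it."""
    attrs = bytearray(bytes([ATTR_USER_NAME, 2 + len(identity)]) + identity)
    for off in range(0, len(eap), 253):
        chunk = eap[off:off + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    ma_off = len(attrs)
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 0, 20 + len(attrs)) + request_authenticator
    attrs[ma_off + 2:ma_off + 18] = hmac.new(secret, header + bytes(attrs), hashlib.md5).digest()
    return header + bytes(attrs)


def radius_attributes(pkt):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    pos = 20
    while pos < len(pkt):
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > len(pkt):
            raise ValueError("bad RADIUS attribute length")
        yield a_type, pkt[pos + 2:pos + a_len]
        pos += a_len


def verify_message_authenticator(secret, pkt):
    """Recompute Message-Authenticator over the packet with its value zeroed."""
    pos = 20
    while pos < len(pkt):
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_type == ATTR_MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += a_len
    return False  # RFC 3579: a request carrying EAP-Message without it must be discarded


def eap_from_radius(pkt):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for t, v in radius_attributes(pkt) if t == ATTR_EAP_MESSAGE)


def run_exchange(secret=b"constructed-shared-secret", identity=b"host@example.com"):
    host, switch = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")  # constructed MACs
    # Host boots, sees no EAP-request/identity, and sends EAPOL-start to the PAE group address.
    _, start_type, _ = parse_eapol(eapol_frame(host, PAE_GROUP_ADDR, EAPOL_START))
    # Switch answers with EAP-request/identity ...
    request = eapol_frame(switch, host, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    # ... and the host replies with EAP-response/identity carrying its identity.
    response = eapol_frame(host, PAE_GROUP_ADDR, EAPOL_EAP_PACKET,
                           eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))
    # Switch strips Ethernet/EAPOL and relays the EAP packet, untouched, inside RADIUS.
    _, _, eap = parse_eapol(response)
    access_request = radius_access_request(secret, eap, identity, os.urandom(16))
    return {"start_type": start_type, "request": request, "eap": eap, "access_request": access_request}
```

Because the switch neither inspects nor alters the EAP packet, it cannot judge the EAP conversation itself; what it can and must check is that the RADIUS reply comes from the real authentication server. That is why the Message-Authenticator (and a strong, per-server shared secret) matters: without it, anything that can reach the switch's RADIUS port could answer with a forged Access-Accept.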
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04)
