EAP-TLS Authentication - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

AP as 802.1X supplicant

EAP-TLS authentication

Figure 25 below illustrates the EAP-TLS authentication process. The AP is directly connected to the access port on the authenticator (AU). The AP begins the process by sending an EAP start message to the AU, then answers the AU's identity request with an identity reply. The identity is presented to the AS, and from that moment on EAP-TLS messages are exchanged between the AS and the AP.

Figure 25: EAP-TLS authentication
1. On Ethernet UP, the AP (with EAP-TLS credentials) sends an EAP Start message.
2. The AU (authenticator: network switch with Dot1x-enabled port) blocks all AP traffic and sends EAP Request Identity.
3. The AP responds with identity.
4. The RADIUS server starts the TLS exchange and verifies the AP certificate.
5. The RADIUS server informs AS to open the port.

The end result of the EAP-TLS authentication is verification of the AP certificate by the AS. If the certificate is successfully verified, the AU is informed with the EAP success message and opens the port for all traffic. Otherwise, the AU keeps the port closed, and no traffic other than 802.1X EAP messages is permitted.

In the case of authentication failure, the AP restarts the process by sending an EAP start message. If for any reason the AP cannot successfully complete the authentication, it remains in this cycle. The status of the EAP-TLS authentication is displayed on the AP LEDs.
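The port behaviour described above, as an added example that is not taken from the manual or from Summit WM software: a small model of the AU's port that passes only EAPOL frames until the AS accepts the certificate, and that counts EAP start messages to spot an AP caught in the retry cycle. The class, the function names, the alert threshold of three restarts and the frames are all constructed for illustration.

```python
import struct

ETH_EAPOL = 0x888E      # EtherType of 802.1X (EAPOL) frames
EAPOL_START = 1         # EAPOL packet type: Start

class Dot1xPort:
    """Hypothetical model of the AU's 802.1X-enabled access port."""
    def __init__(self, stuck_after=3):
        self.authorized = False         # port starts closed
        self.starts = 0                 # EAPOL-Starts since last success
        self.dropped = 0                # non-EAPOL frames blocked
        self.stuck_after = stuck_after  # assumed alert threshold

    def ingress(self, frame: bytes) -> bool:
        """Return True if a frame from the AP is accepted by the port."""
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_EAPOL:
            # After the 14-byte Ethernet header: version, packet type, length
            if len(frame) >= 16 and frame[15] == EAPOL_START:
                self.starts += 1
            return True                 # EAP messages pass a closed port
        if not self.authorized:
            self.dropped += 1
        return self.authorized

    def as_verdict(self, cert_ok: bool) -> None:
        """Outcome of the AS's certificate check, relayed to the AU."""
        self.authorized = cert_ok
        if cert_ok:
            self.starts = 0

    def stuck(self) -> bool:
        return self.starts >= self.stuck_after

def eth(ethertype: int, payload: bytes) -> bytes:
    # Constructed frame: dst = PAE group address, src = made-up AP MAC
    return bytes.fromhex("0180c2000003020000000001") + struct.pack("!H", ethertype) + payload

def demo():
    start, data = eth(ETH_EAPOL, b"\x01\x01\x00\x00"), eth(0x0800, bytes(20))
    port, seen = Dot1xPort(), []
    for _ in range(3):                  # three cycles, certificate rejected
        port.ingress(start)
        seen.append(port.ingress(data))
        port.as_verdict(False)
    looping = port.stuck()
    port.ingress(start)
    port.as_verdict(True)               # certificate verified, port opens
    seen.append(port.ingress(data))
    return seen, looping, port.stuck(), port.dropped
```

On a real authenticator the same signal is repeated start messages from one port with no EAP success in between, which usually points at the AP's certificate or at the trust chain configured on the AS.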
