Authentication Process - 3Com 5500-SI Configuration Manual
5500 series
Hide thumbs
Also See for 5500-SI:
- Datasheet (9 pages) ,
- Getting started manual (148 pages) ,
- Quick reference manual (59 pages)
Table of Contents
Advertisement
392
C
21: 802.1
HAPTER
802.1x Authentication
Process
C
X
ONFIGURATION
Authenticator and Authentication Server exchange information through EAP
(Extensible Authentication Protocol) frames. The user and the Authenticator exchange
information through the EAPoL (Extensible Authentication Protocol over LANs) frame
defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame,
which is to be encapsulated in the packets of other AAA upper layer protocols (for
example, RADIUS) so as to go through the complicated network to reach the
Authentication Server. Such procedure is called EAP Relay.
There are two types of ports for the Authenticator. One is the Uncontrolled Port, and
the other is the Controlled Port. The Uncontrolled Port is always in bi-directional
connection state. The user can access and share the network resources any time
through the ports. The Controlled Port will be in connecting state only after the user
passes the authentication. Then the user is allowed to access the network resources.
Figure 104 802.1x System Architecture
Supplicant
System
(User)
Supplicant
Controlled
EAPoL
802.1x configures EAP frame to carry the authentication information. The Standard
defines the following types of EAP frames:
EAP-Packet: Authentication information frame, used to carry the authentication
■
information.
EAPoL-Start: Authentication originating frame, actively originated by the user.
■
EAPoL-Logoff: Logoff request frame, actively terminating the authenticated state.
■
EAPoL-Key: Key information frame, supporting to encrypt the EAP packets.
■
EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of Alert Standard
■
Forum (ASF).
The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the user and the
Authenticator. The EAP-Packet information is re-encapsulated by the Authenticator
System and then transmitted to the Authentication Server System. The
EAPoL-Encapsulated-ASF-Alert is related to the network management information
and terminated by the Authenticator.
Although 802.1x provides user ID authentication, 802.1x itself is not enough to
implement the scheme. The administrator of the access device should configure the
AAA scheme by selecting RADIUS or local authentication to assist 802.1x to
implement the user ID authentication. For detailed description of AAA, refer to the
corresponding AAA configuration.
Authenticator System
Services
offered
by
Authenticators
System
Port
unauthorized
Port
Authenticator
PAE
EAP protocol
exchanges
carried in
Uncontrolled
higher layer
Port
protocol
LAN
Authenticato
Server
System
Authenticat
Server
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
