X Overview; Supplicant Classification - Alcatel-Lucent OmniSwitch 6800 Series Network Configuration Manual

Configuring 802.1X

802.1X Overview

The 802.1X standard defines port-based network access controls, and provides the structure for authenti-
cating physical devices attached to a LAN. It uses the Extensible Authentication Protocol (EAP).
There are three components for 802.1X:
•
The Supplicant—This is the device connected to the switch that supports the 802.1x protocol. The
device may be connected directly to the switch or via a point-to-point LAN segment. Typically the
supplicant is a PC or laptop.
•
The Authenticator Port Access Entity (PAE)—This entity requires authentication from the suppli-
cant. The authenticator is connected to the supplicant directly or via a point-to-point LAN segment.
The OmniSwitch acts as the authenticator.
•
The Authentication Server—This component provides the authentication service and verifies the
credentials (username, password, challenge, etc.) of the supplicant. On the OmniSwitch, only RADIUS
servers are currently supported for 802.1X authentication.
Supplicant
PC
Note. The OmniSwitch itself cannot be an 802.1X supplicant.
A device that does not use the 802.1x protocol for authentication is referred to as a non-supplicant. The
Access Guardian feature provides configurable device classification policies to authenticate access of both
supplicant and non-supplicant devices on 802.1x ports. See
page 27-9 for more information.

Supplicant Classification

When an EAP frame or an unknown source data frame is received from a supplicant, the switch sends an
EAP packet to request the supplicant's identity. The supplicant then sends the information (an EAP
response), which is validated on an authentication server set up for authenticating 802.1X ports. The
server determines whether additional information (a challenge, or secret) is required from the supplicant.
After the supplicant is successfully authenticated, the MAC address of the supplicant is learned in the
appropriate VLAN depending on the following conditions:
•
If the authentication server returned a VLAN ID, then the supplicant is assigned to that VLAN. All
subsequent traffic from the supplicant is then forwarded on that VLAN.
OmniSwitch 6800/6850/9000 Network Configuration Guide
Authenticator PAE
login request
OmniSwitch
802.1X Components
Authentication
Server
authentication
request
authorization
granted
RADIUS server
"Using Access Guardian Policies" on
March 2008
802.1X Overview
page 27-7