Alcatel-Lucent 7210 SAS E OS Configuration Manual page 36

LAG
802.1x Basics
•
•
•
The authentication exchange is carried out between the supplicant and the authentication server,
the authenticator acts only as a bridge. The communication between the supplicant and the
authenticator is done via the Extended Authentication Protocol (EAP) over LANs (EAPOL). On
the back end, the communication between the authenticator and the authentication server is done
with the RADIUS protocol. The authenticator is thus a RADIUS client, and the authentication
server a RADIUS server.
The router will initiate the procedure when the Ethernet port becomes operationally up, by sending
a special PDU called EAP-Request/ID to the client. The client can also initiate the exchange by
sending an EAPOL-start PDU, if it doesn't receive the EAP-Request/ID frame during bootup. The
client responds on the EAP-Request/ID with a EAP-Response/ID frame, containing its identity
(typically username + password).
After receiving the EAP-Response/ID frame, the router will encapsulate the identity information
into a RADIUS AccessRequest packet, and send it off to the configured RADIUS server.
The RADIUS server checks the supplied credentials, and if approved will return an Access Accept
message to the router. The router notifies the client with an EAP-Success PDU and puts the port in
authorized state.
Page 36
The supplicant — This is the end-user device that requests access to the network.
The authenticator — Controls access to the network. Both the supplicant and the
authenticator are referred to as Port Authentication Entities (PAEs).
The authentication server — Performs the actual processing of the user information.
7210 SAS E Interface Configuration Guide