TP-Link TL-SG3424 User Manual page 63

The overview of operation flow for the Fig. 3-53 is quite simple. When
Supplicant PAE issues a request to Authenticator PAE, Authenticator and
Supplicant exchanges authentication message. Then, Authenticator
passes the request to RADIUS server to verify. Finally, RADIUS server
replies if the request is granted or denied.
While in the authentication process, the message packets, encapsulated
by Extensible Authentication Protocol over LAN (EAPOL), are exchanged
between an authenticator PAE and a supplicant PAE. The Authenticator
exchanges the message
encapsulation. Before successfully authenticating, the supplicant can
only touch the authenticator to perform authentication message
exchange or access the network from the uncontrolled port.
Supplicant's
Authenticator's System
System
Services Offered
by Authenticator
Supplicant
(e.g Bridge Relay)
PAE
Controlled port
Port Authorize
LAN
In the Fig. 3-54, this is the typical configuration, a single supplicant, an
authenticator and an authentication server. B and C is in the internal network, D is
Authentication server running RADIUS, switch at the central location acts
Authenticator connecting to PC A and A is a PC outside the controlled port, running
Supplicant PAE. In this case, PC A wants to access the services on device B and C,
first, it must exchange the authentication message with the authenticator on the port
it connected via EAPOL packet. The authenticator transfers the supplicant's
credentials to Authentication server for verification. If success, the authentication
server will notice the authenticator the grant. PC A, then, is allowed to access B and
C via the switch. If there are two switches directly connected together instead of
single one, for the link connecting two switches, it may have to act two port roles at
the end of the link: authenticator and supplicant, because the traffic is bi-directional.
User Manual
to authentication server using EAP
Authentication
Server's System
Authenticator Authentication
PAE Server
Uncontrolled port
MAC Enable
Fig. 3-53
Publication date: January, 2006
Revision A2
117
User Manual
C
Fig. 3-54
Authenticator
B
The Fig. 3-55 shows the procedure of 802.1X authentication. There are steps
for the login based on 802.1X port access control management. The protocol used
in the right side is EAPOL and the left side is EAP.
1. At the initial stage, the supplicant A is unauthenticated and a port
on switch acting as an authenticator is in unauthorized state. So the
access is blocked in this stage.
2. Initiating a session. Either authenticator or supplicant can initiate
the message exchange. If supplicant initiates the process, it sends
EAPOL-start packet to the authenticator PAE and authenticator will
immediately respond EAP-Request/Identity packet.
3. The authenticator always periodically sends EAP-Request/Identity
to the supplicant for requesting the identity it wants to be
authenticated.
4. If the authenticator doesn't send EAP-Request/Identity, the
supplicant will initiate EAPOL-Start the process by sending to the
authenticator.
5. And next, the Supplicant replies an EAP-Response/Identity to the
authenticator. The authenticator will embed the user ID into Radius-
Access-Request command and send it to the authentication server
for confirming its identity.
6. After receiving the Radius-Access-Request, the authentication
server sends Radius-Access-Challenge to the supplicant for asking
for inputting user password via the authenticator PAE.
7. The supplicant will convert user password into the credential
information, perhaps, in MD5 format and replies an EAP-Response
with this credential information as well as the specified
authentication algorithm (MD5 or OTP) to Authentication server via
the authenticator PAE. As per the value of the type field in message
PDU, the authentication server knows which algorithm should be
applied to authenticate the credential information, EAP-MD5
(Message Digest 5) or EAP-OTP (One Time Password) or other
else algorithm.
Publication date: January, 2006
Revision A2
118
Authentication server
Supplicant A