Table of Contents
Advertisement
Chapter 4: Console Management
However, if during bootup, the client does not receive an EAP-request/identity
frame from the switch, the client can initiate authentication by sending an
EAPOL-start frame, which prompts the switch to request the client's identity.
If 802.1X is not enabled or supported on the network access device, any
NOTE:
EAPOL frames from the client are dropped. If the client does not receive an EAP-
request/identity frame after three attempts to start authentication, the client
transmits frames as if the port is in the authorized state. A port in the authorized
state effectively means that the client has been successfully authenticated.
When the client supplies its identity, the switch begins its role as the
intermediary, passing EAP frames between the client and the authentication
server until authentication succeeds or fails. If the authentication succeeds, the
switch port becomes authorized.
The specific exchange of EAP frames depends on the authentication method
being used. "Figure 4-64" shows a message exchange initiated by the client
using the One-Time-Password (OTP) authentication method with a RADIUS
server.
Figure 4-64: EAP message exchange
Ports in Authorized and Unauthorized States
The switch port state determines whether or not the client is granted access to
the network. The port starts in the unauthorized state. While in this state, the port
disallows all ingress and egress traffic except for 802.1X protocol packets. When
GE-DS-242-PoE Managed Ethernet Switch User Manual
117
Advertisement
Table of Contents
