802.1X Management - Planet GSW-1602SF User Manual

10/100/1000Mbps 16/24-Port Web Smart Gigabit Ethernet Switch

4.11 802.1X Management

The PLANET GSW-1602SF/GSW-2404SF/GSW-2416SF supports IEEE 802.1X port-based network access control and
RADIUS server authentication to make host links more secure. An 802.1X infrastructure is composed of three
major components: Authenticator, Authentication server, and Supplicant.
Authentication server (RADIUS server): An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator.
Authenticator (GSW-1602SF/GSW-2404SF/GSW-2416SF): An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of that link.
Supplicant (a host client): An entity at one end of a point-to-point LAN segment that is being authenticated by an authenticator attached to the other end of that link.
The instructions are divided into three parts:
The figure above shows the network topology of the solution we are going to introduce. As illustrated, a group of clients is
trying to build a network with the GSW-1602SF/GSW-2404SF/GSW-2416SF in order to have access to both the Internet and
the intranet. With 802.1X authentication, each of these clients has to be authenticated by the RADIUS server. If the client
is authorized, the GSW-1602SF/GSW-2404SF/GSW-2416SF is notified to open up a communication port to be used
for the client. Two Extensible Authentication Protocol (EAP) methods are supported: (1) MD5 and (2) TLS.
MD5 authentication simply validates an existing user account and password stored in the RADIUS server's
database, so clients are prompted for an account and password to build the link. TLS authentication is
more complicated: it uses a certificate that is issued by the RADIUS server. TLS authentication is also
more secure, since not only does the RADIUS server authenticate the client, but the client can also
validate the RADIUS server by the certificate that it issues. The TLS authentication exchange between the client, the
RADIUS server, and the GSW-1602SF/GSW-2404SF/GSW-2416SF can be summarized as follows:
1. The client sends an EAP Start message to the Web-Smart Switch.
2. The Web-Smart Switch replies with an EAP Request ID message.
3. The client sends its Network Access Identifier (NAI), that is, its user name, to the Web-Smart Switch in an EAP Response message.
4. The Web-Smart Switch forwards the NAI to the RADIUS server in a RADIUS Access Request message.
5. The RADIUS server responds to the client with its digital certificate.
6. The client validates the digital certificate and replies with its own digital certificate to the RADIUS server.
7. The RADIUS server validates the client's digital certificate.
8. The client and RADIUS server derive encryption keys.
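
The frames behind steps 1 to 3 and the choice between MD5 and TLS can be checked on the wire. The following Python sketch is an added example, not code from the manual or from PLANET: it decodes EAPOL frame bodies, extracts the NAI, and reports which EAP method is requested, flagging MD5. The sample frames, the identity `alice@example.org`, and the helper names (`parse_eapol`, `audit`, `build`) are constructed for illustration.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}

def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPOL frame body (the bytes that follow EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    info = {"version": version, "eapol": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:                       # Start/Logoff/Key carry no EAP packet
        return info
    body = frame[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated EAP packet")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= length:
        raise ValueError("bad EAP length field")
    info.update(code=EAP_CODES.get(code, f"unknown({code})"), id=ident)
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a Type byte
        mtype = body[4]
        info["method"] = EAP_METHODS.get(mtype, f"type {mtype}")
        if code == 2 and mtype == 1:     # step 3: the NAI is sent unencrypted
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info

def audit(frames):
    """Return (authentication methods seen, findings) for a list of EAPOL frames."""
    methods = {p.get("method") for p in map(parse_eapol, frames)}
    methods -= {None, "Identity", "Nak"}
    msg = "EAP-MD5 seen: password only, client cannot validate the RADIUS server"
    return sorted(methods), ([msg] if "MD5-Challenge" in methods else [])

def build(code, ident, mtype, data=b""):  # builds a constructed sample frame
    pkt = struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([mtype]) + data
    return struct.pack("!BBH", 1, 0, len(pkt)) + pkt

# Constructed sample frames, not a real capture.
SAMPLE = [
    bytes.fromhex("01010000"),                   # step 1: EAPOL-Start
    build(1, 1, 1),                              # step 2: Request/Identity
    build(2, 1, 1, b"alice@example.org"),        # step 3: Response/Identity (NAI)
    build(1, 2, 4, b"\x10" + bytes(range(16))),  # Request/MD5-Challenge
    build(1, 3, 13, b"\x20"),                    # Request/EAP-TLS with Start flag
]

if __name__ == "__main__":
    print([parse_eapol(f) for f in SAMPLE], audit(SAMPLE))
```

On a port that should only accept TLS, any `MD5-Challenge` request in a capture indicates that the RADIUS policy still permits the password-only method.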

This manual is also suitable for: GSW-2404SF, GSW-2416SF