Authentication Initiation And Message Exchange - Cisco Nexus 9000 Series Configuration Manual

Nx-os security configuration guide, release 9.x
Authentication Initiation and Message Exchange

Figure 5: 802.1X Device Roles
The specific roles are as follows:

Supplicant
The client device that requests access to the LAN and Cisco NX-OS device services and responds to
requests from the Cisco NX-OS device. The workstation must be running 802.1X-compliant client
software such as that offered in the Microsoft Windows XP operating system.

Authentication server
The authentication server performs the actual authentication of the supplicant. The authentication server
validates the identity of the supplicant and notifies the Cisco NX-OS device whether the supplicant is
authorized to access the LAN and Cisco NX-OS device services. Because the Cisco NX-OS device acts as
the proxy, the authentication service is transparent to the supplicant. The Remote Authentication Dial-In
User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the
only supported authentication server; it is available in Cisco Secure Access Control Server, version 3.0.
RADIUS uses a client-server model in which secure authentication information is exchanged between the
RADIUS server and one or more RADIUS clients.

Authenticator
The authenticator controls the physical access to the network based on the authentication status of the
supplicant. The authenticator acts as an intermediary (proxy) between the supplicant and the authentication
server, requesting identity information from the supplicant, verifying the requested identity information
with the authentication server, and relaying a response to the supplicant. The authenticator includes the
RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting
with the authentication server.

When the authenticator receives EAPOL frames and relays them to the authentication server, the authenticator
strips off the Ethernet header and encapsulates the remaining EAP frame in the RADIUS format. This
encapsulation process does not modify or examine the EAP frames, and the authentication server must support
EAP within the native frame format. When the authenticator receives frames from the authentication server,
the authenticator removes the server's frame header, leaving the EAP frame, which the authenticator then
encapsulates for Ethernet and sends to the supplicant.

Note
The Cisco NX-OS device can only be an 802.1X authenticator.

Authentication Initiation and Message Exchange
Either the authenticator (Cisco NX-OS device) or the supplicant (client) can initiate authentication. If you
enable authentication on a port, the authenticator must initiate authentication when it determines that the port
link state transitions from down to up. The authenticator then sends an EAP-request/identity frame to the
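The relay described above, worked through in code: the authenticator's EAP-Request/Identity on link-up, the supplicant's EAPOL reply, the strip-Ethernet-then-wrap-in-RADIUS step, and the reverse trip for the server's answer. This is an added example written for this page, not code from the Cisco guide or from NX-OS itself. It follows the public wire formats (IEEE 802.1X EAPOL, EAP per RFC 3748, RADIUS EAP-Message and Message-Authenticator per RFC 2865/RFC 3579); the MAC addresses, the shared secret, the Request Authenticator value and the identity "alice" are constructed sample values. The point a practitioner should take from it is that the EAP bytes are copied through untouched in both directions, while the RADIUS leg is what the shared secret and Message-Authenticator protect, and EAP packets longer than 253 bytes have to be split across several EAP-Message attributes and reassembled in order.

```python
"""Added example: the EAPOL <-> RADIUS relay an 802.1X authenticator performs."""
from __future__ import annotations
import hashlib
import hmac
import struct

# IEEE 802.1X (EAPOL) framing
ETHERTYPE_EAPOL, EAPOL_VERSION = 0x888E, 2
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START = 0, 1
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group MAC address
# EAP (RFC 3748) codes and the Identity method type
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY = 1
# RADIUS (RFC 2865 / RFC 3579) codes and attribute types
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_CHALLENGE = 1, 2, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
# Constructed sample values; none of these come from a real deployment.
AUTHENTICATOR_MAC = bytes.fromhex("0000aa000001")
SUPPLICANT_MAC = bytes.fromhex("0000bb000002")
SHARED_SECRET = b"example-radius-secret"


def eap_request_identity(identifier: int) -> bytes:
    """EAP-Request/Identity (Code 1, Length 5, Type 1): sent by the authenticator on link-up."""
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)

def eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """EAP-Response/Identity carrying the supplicant's identity string."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body

def eapol_encapsulate(src_mac: bytes, eap_packet: bytes, dst_mac: bytes = PAE_GROUP_ADDR) -> bytes:
    """Ethernet II header + EAPOL header (type EAP-Packet) + the EAP packet, byte for byte."""
    eapol_hdr = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_packet))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol_hdr + eap_packet

def eapol_start(src_mac: bytes) -> bytes:
    """EAPOL-Start: the supplicant-initiated trigger; its body is empty."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, EAPOL_TYPE_START, 0)

def eapol_decapsulate(frame: bytes) -> tuple[bytes, int, bytes]:
    """Strip the Ethernet and EAPOL headers; return (src_mac, eapol_type, body).
    Only framing is validated: the EAP packet inside is relayed, never interpreted."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]                    # bytes beyond `length` are Ethernet padding
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    if ptype == EAPOL_TYPE_EAP_PACKET and (length < 4 or struct.unpack("!H", body[2:4])[0] != length):
        raise ValueError("EAP length field disagrees with EAPOL body length")
    return frame[6:12], ptype, body

def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def _eap_message_attrs(eap_packet: bytes) -> bytes:
    """Split one EAP packet over as many 253-byte EAP-Message attributes as needed (RFC 3579 3.1)."""
    return b"".join(_attr(ATTR_EAP_MESSAGE, eap_packet[o:o + 253]) for o in range(0, len(eap_packet), 253))

def radius_packet(code: int, rid: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed) (RFC 3579 3.2).
    The HMAC always covers the Request Authenticator; a reply then carries RFC 2865's
    Response Authenticator in the header instead."""
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    hdr = struct.pack("!BBH", code, rid, 20 + len(attrs))
    attrs = attrs[:-16] + hmac.new(secret, hdr + request_auth + attrs, hashlib.md5).digest()
    if code == RADIUS_ACCESS_REQUEST:
        return hdr + request_auth + attrs
    return hdr + hashlib.md5(hdr + request_auth + attrs + secret).digest() + attrs

def eap_to_radius(eap_packet: bytes, username: bytes, secret: bytes, request_auth: bytes, rid: int) -> bytes:
    """Authenticator -> server: Access-Request wrapping the EAP packet it received over EAPOL."""
    attrs = _attr(ATTR_USER_NAME, username) + _eap_message_attrs(eap_packet)
    return radius_packet(RADIUS_ACCESS_REQUEST, rid, request_auth, attrs, secret)

def server_reply(code: int, rid: int, request_auth: bytes, eap_packet: bytes, secret: bytes) -> bytes:
    """Server -> authenticator: Access-Challenge/Accept/Reject wrapping the server's EAP packet."""
    return radius_packet(code, rid, request_auth, _eap_message_attrs(eap_packet), secret)

def radius_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Parse the attribute list, rejecting length fields that do not add up."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < len(packet):
        alen = packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_message_authenticator(packet: bytes, secret: bytes, request_auth: bytes | None = None) -> bool:
    """For a reply, pass the Request Authenticator of the matching Access-Request."""
    pos = 20
    for atype, value in radius_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            break
        pos += 2 + len(value)
    else:
        return False                                # RFC 3579 requires it alongside EAP-Message
    auth = packet[4:20] if request_auth is None else request_auth
    zeroed = packet[:4] + auth + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)

def radius_to_eap(packet: bytes) -> tuple[int, bytes]:
    """Drop the RADIUS header and reassemble the EAP packet from EAP-Message attributes, in order."""
    eap = b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if eap and struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("reassembled EAP length mismatch")
    return packet[0], eap
```

In use, the authenticator calls eapol_decapsulate on each frame from the port, hands the body to eap_to_radius with a fresh random Request Authenticator per Access-Request, checks verify_message_authenticator (with that same Request Authenticator) on the server's reply before trusting it, and feeds radius_to_eap's output to eapol_encapsulate. Nothing in the path looks inside the EAP packet, which is exactly why the server must understand whatever EAP method the supplicant speaks.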