802.1X Authentication; Port-Based Authentication - Alcatel-Lucent 7302 Information Manual

Intelligent services access manager

1.9 802.1x authentication

The P-OLT maintains the 802.1x authentication state by terminating the 802.1x
protocol and authenticates end users using the RADIUS server. The ONT provides
the filters for blocking and unblocking a local area network (LAN) port on the ONT.
After the system authenticates a port using 802.1x, the user can use DHCP or PPP.
The 802.1x protocol can be enabled or disabled for each OLT system or for each
ONT user-network interface (LAN port).

Port-based authentication

There are two MAC configuration scenarios for authentication:

• When MAXMAC is 1, the first MAC address to be authenticated is learned on the
  bridge port for the duration of the session timeout (not the FDB aging timeout).
  The MAC address is learned on all VLANs configured on the bridge port. No other
  MAC addresses are learned.
• When MAXMAC is greater than 1, MAC learning occurs after authentication is
  successful. All MAC addresses are learned dynamically and age out using the
  FDB aging timer. The system responds with an EAP-Success message if other users
  on the port try to authenticate after the port is authorized for traffic.

When the authenticated user logs out, the system performs the following actions:

• closes the port for traffic
• stops accounting for the port
• sends an identity request as multicast over the port to invite any potential users of
  the port for authentication
• opens the port for traffic again only after a successful authentication
• sends new identity requests only after the held period expires if the authentication
  fails
• sends periodic identity request messages until the port is authenticated
• does not require re-authentication
• flushes the FDB entries that correspond to the port

When the maximum MAC value on a bridge port is changed by the operator to a
lower value, the system performs the following actions:

• flushes all the forwarding database (FDB) entries on the port
• closes the associated ONT UNI for data traffic
• sends an identity request as multicast over the port in order to invite any potential
  users of the port for authentication
• opens the port for traffic after successful authentication
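
The two MAXMAC scenarios and the logout and MAXMAC-lowering actions above can be traced with a small model. This is an added example, not code from the manual or from Alcatel-Lucent; the class and method names are hypothetical, timers are not modelled, and the comments mark where behaviour is assumed because the text does not state it.

```python
class BridgePort:
    """Toy model of one ONT LAN port under 802.1x (timers are not modelled)."""

    def __init__(self, max_mac):
        self.max_mac = max_mac
        self.authorized = False   # is the port open for traffic?
        self.fdb = set()          # MAC addresses learned on the port

    def authenticate(self, mac, radius_accept):
        """Process an 802.1x attempt; return the EAP result, or None if unspecified."""
        if self.authorized:
            # Stated above: with MAXMAC > 1, later users on an authorized port
            # receive EAP-Success. The MAXMAC = 1 case is not described.
            return "EAP-Success" if self.max_mac > 1 else None
        if not radius_accept:
            return "EAP-Failure"  # port stays closed
        self.authorized = True
        if self.max_mac == 1:
            self.fdb = {mac}      # first authenticated MAC is pinned for the session
        return "EAP-Success"

    def frame(self, src_mac):
        """Return True if a data frame from src_mac is forwarded."""
        if not self.authorized:
            return False
        if src_mac in self.fdb:
            return True
        # MAXMAC = 1: no other MAC is learned (assumption: such frames are dropped).
        # MAXMAC > 1: dynamic learning (assumption: MAXMAC caps the learned set).
        if self.max_mac > 1 and len(self.fdb) < self.max_mac:
            self.fdb.add(src_mac)
            return True
        return False

    def logout(self):
        """Authenticated user logs out: close the port and flush its FDB entries."""
        self.authorized = False
        self.fdb.clear()

    def set_max_mac(self, new_value):
        """Operator changes MAXMAC; lowering it flushes the FDB and closes the port."""
        if new_value < self.max_mac:
            self.authorized = False
            self.fdb.clear()
        self.max_mac = new_value

if __name__ == "__main__":
    port = BridgePort(max_mac=4)
    port.authenticate("00:00:5e:00:53:01", radius_accept=True)  # constructed MACs
    print(port.frame("00:00:5e:00:53:02"))  # device that never authenticated
```

With MAXMAC greater than 1 the model forwards traffic from a device that never authenticated, so that setting authenticates the port rather than each device behind it.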

Note — The 802.1x protocol is only applicable to iBridge mode. In
iBridge mode, VLAN-tagged frames are not supported for 802.1x.

Alcatel-Lucent 7302 ISAM | 7330 ISAM FTTN | 7360 ISAM FX ONT R04.06.02
3FE 55873 AAAA TCZZA, Edition 01, November 2013
ONT Product Information Guide, 1 — ONT and MDU overview, page 1-27
