GE -DSH-73 User Manual page 124

Hide thumbs Also See for GE-DSH-73:

Installation sheet (10 pages)

Installation sheet (13 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

page of 179

/ 179
Contents
Table of Contents
Bookmarks

Table of Contents

Chapter 5: Web-Based Management

the client. In this release, the Remote Authentication Dial-In User Service (RADIUS)

security system with Extensible Authentication Protocol (EAP) extensions is the

only supported authentication server; it is available in Cisco Secure Access Control

Server version 3.0. RADIUS operates in a client/server model in which secure

authentication information is exchanged between the RADIUS server and one or

more RADIUS clients.

• Switch (802.1X device)-controls the physical access to the network based on the

authentication status of the client. The switch acts as an intermediary (proxy)

between the client and the authentication server, requesting identity information

from the client, verifying that information with the authentication server, and

relaying a response to the client. The switch includes the RADIUS client, which is

responsible for encapsulating and decapsulating the Extensible Authentication

Protocol (EAP) frames and interacting with the authentication server. When the

switch receives EAPOL frames and relays them to the authentication server, the

Ethernet header is stripped and the remaining EAP frame is re-encapsulated in

the RADIUS format. The EAP frames are not modified or examined during

encapsulation, and the authentication server must support EAP within the native

frame format. When the switch receives frames from the authentication server,

the server's frame header is removed, leaving the EAP frame, which is then

encapsulated for Ethernet and sent to the client.

• Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication

on a port by using the dot1x port-control auto interface configuration command,

the switch must initiate authentication when it determines that the port link state

transitions from down to up. It then sends an EAP-request/identity frame to the

client to request its identity (typically, the switch sends an initial identity/request

frame followed by one or more requests for authentication information). Upon

receipt of the frame, the client responds with an EAP-response/identity frame.

However, if during bootup, the client does not receive an EAP-request/identity

frame from the switch, the client can initiate authentication by sending an EAPOL-

start frame, which prompts the switch to request the client's identity

NOTE:

If 802.1X is not enabled or supported on the network access device, any EAPOL

frames from the client are dropped. If the client does not receive an EAP-

request/identity frame after three attempts to start authentication, the client

transmits frames as if the port is in the authorized state. A port in the authorized state

effectively means that the client has been successfully authenticated.

When the client supplies its identity, the switch begins its role as the intermediary,

passing EAP frames between the client and the authentication server until

120

GE-DSH-73/DSH-82 and DSH-82-PoE User Manual

Table of Contents

This manual is also suitable for:

Ge-dsh-82 Ge-dsh-82-poe

GE -DSH-73 User Manual page 124

Related Manuals for GE GE-DSH-73

Related Products for GE GE-DSH-73

This manual is also suitable for:

Table of Contents