Authentication Initiation And Message Exchange - Cisco 7604 Configuration Manual
Ios software configuration guide
Hide thumbs
Also See for 7604:
- Configuration manual (742 pages) ,
- Installation manual (324 pages) ,
- User manual (98 pages)
Table of Contents
Advertisement
Chapter 46
Configuring IEEE 802.1X Port-Based Authentication
Authentication Initiation and Message Exchange
The router or the client can initiate authentication. If you enable authentication on a port by using the
dot1x port-control auto interface configuration command, the router must initiate authentication when
it determines that the port link state transitions from down to up. The router then sends an
EAP-request/identity frame to the client to request its identity (typically, the router sends an initial
identity/request frame followed by one or more requests for authentication information). When the client
receives the frame, it responds with an EAP-response/identity frame.
If the client does not receive an EAP-request/identity frame from the router during bootup, the client can
initiate authentication by sending an EAPOL-start frame, which prompts the router to request the client's
identity.
If 802.1X is not enabled or supported on the network access device, any EAPOL frames from the client
Note
are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start
authentication, the client transmits frames as if the port is in the authorized state. A port in the authorized
state effectively means that the client has been successfully authenticated. For more information, see the
"Ports in Authorized and Unauthorized States" section on page
When the client supplies its identity, the router begins its role as the intermediary, passing EAP frames
between the client and the authentication server until authentication succeeds or fails. If the
authentication succeeds, the router port becomes authorized. For more information, see the
Authorized and Unauthorized States" section on page
The specific exchange of EAP frames depends on the authentication method being used.
shows a message exchange initiated by the client using the One-Time-Password (OTP) authentication
method with a RADIUS server.
OL-4266-08
When the router receives EAPOL frames and relays them to the authentication server, the Ethernet
header is stripped and the remaining EAP frame is reencapsulated in the RADIUS format. The EAP
frames are not modified or examined during encapsulation, and the authentication server must
support EAP within the native frame format. When the router receives frames from the
authentication server, the server's frame header is removed, leaving the EAP frame, which is then
encapsulated for Ethernet and sent to the client.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Understanding 802.1X Port-Based Authentication
46-4.
46-4.
"Ports in
Figure 46-2
46-3
- Quick Links:
- Supported Hardware and Software
Hide quick links:
Advertisement
Chapters
Table of Contents
