Gsm-2108/Gsm-1008Sfp - Waters Network Systems GSM2108 Operating Manual

Figure 5.54 illustrates the 802.1X authentication procedure. The steps below describe login
under 802.1X port access control management. In the figure, the protocol used on the right
side is EAPOL and on the left side is EAP.
1. At the initial stage, supplicant A is unauthenticated, so the port acting as the authenticator
is in the unauthorized state. Access is blocked at this stage.
2. Either the authenticator or the supplicant can initiate the message exchange. If the supplicant
initiates the process, it sends an EAPOL-Start packet to the authenticator PAE, and the
authenticator immediately responds with an EAP-Request/Identity packet.
3. The authenticator periodically sends EAP-Request/Identity to the supplicant to request the
identity it wants to have authenticated.
4. If the authenticator doesn't send EAP-Request/Identity, the supplicant begins the process
by sending an EAPOL-Start to the authenticator.
5. The supplicant replies with an EAP-Response/Identity to the authenticator. The authenticator
embeds the user ID in a Radius-Access-Request command and sends it to the authentication
server for identity confirmation.
6. After receiving the Radius-Access-Request, the authentication server sends a Radius-Access-
Challenge to the supplicant, via the authenticator PAE, asking for the user password.
7. The supplicant converts the user password into credential information, perhaps in
MD5 format, and replies with an EAP-Response carrying this credential information and the
specified authentication algorithm (MD5 or OTP) to the authentication server via the
authenticator PAE. From the value of the type field in the message PDU, the authentication
server knows which algorithm to apply to authenticate the credential information:
EAP-MD5 (Message Digest 5), EAP-OTP (One Time Password), or another algorithm.
8. If the user ID and password are correct, the authentication server sends a Radius-Access-
Accept to the authenticator. If they are not correct, the authentication server sends a Radius-
Access-Reject.
9. When the authenticator PAE receives a Radius-Access-Accept, it sends an EAP-Success
to the supplicant. At this point the supplicant is authorized, and the port connected to the
supplicant is under 802.1X control in the authorized state. The supplicant and other
devices connected to this port can access the network. If the authenticator receives a
Radius-Access-Reject, it sends an EAP-Failure to the supplicant. This means the
supplicant has failed to authenticate. The connected port is in the unauthorized state, and the
supplicant and the devices connected to this port are not allowed to access the network.
10. When the supplicant issues an EAP-Logoff message to the authentication server, the active port
being used is set to unauthorized.
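
Added example, not taken from the Waters manual: a small Python parser that names the EAPOL/EAP messages of the steps above from their header bytes (including the type field of step 7) and replays them to track the port state. The numeric codes are those of IEEE 802.1X and RFC 3748; the function names and the sample trace are constructed for illustration, only the supplicant-to-authenticator leg is modelled, and the logoff of step 10 is represented by EAPOL packet type 2 (EAPOL-Logoff).

```python
import struct

# Numeric values from IEEE 802.1X (EAPOL packet type) and RFC 3748 (EAP code, type).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 5: "OTP"}

def parse_eapol(pdu: bytes) -> str:
    """Name the message in one EAPOL PDU (the bytes after EtherType 0x888E)."""
    if len(pdu) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than its length field")
    if ptype != 0:                      # Start/Logoff carry no EAP packet
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if length < 4:
        raise ValueError("truncated EAP header")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= length:
        raise ValueError("EAP length field disagrees with EAPOL length")
    name = "EAP-" + EAP_CODES.get(code, f"code-{code}")
    if code in (1, 2):                  # only Request/Response have a type field
        if eap_len < 5:
            raise ValueError("EAP Request/Response without a type byte")
        name += "/" + EAP_TYPES.get(body[4], f"type-{body[4]}")
    return name

def port_state(pdus) -> str:
    """Replay PDUs in order and return the resulting port state (steps 1, 9, 10)."""
    state = "unauthorized"              # step 1: access blocked until success
    for pdu in pdus:
        msg = parse_eapol(pdu)
        if msg == "EAP-Success":
            state = "authorized"
        elif msg in ("EAP-Failure", "EAPOL-Logoff"):
            state = "unauthorized"
    return state

# Builders for the constructed sample trace (EAPOL protocol version 1).
def eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, ptype, len(body)) + body
def eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    return eapol(0, struct.pack("!BBH", code, ident, 4 + len(payload)) + payload)

# Constructed sample: the successful login of steps 2-9 (payload = type byte + data).
LOGIN = [eapol(1), eap(1, 1, b"\x01"), eap(2, 1, b"\x01alice"),
         eap(1, 2, b"\x04\x10" + bytes(16)), eap(2, 2, b"\x04\x10" + bytes(16)),
         eap(3, 2)]
```

Appending `eapol(2)` to `LOGIN` returns the port to the unauthorized state, and a PDU whose length field exceeds the captured bytes is rejected instead of being parsed.
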
Waters Network Systems
User's Manual

GSM-2108/GSM-1008SFP

Page 85

This manual is also suitable for:

Gsm1008-2sfp
