General 802.1X Authenticator Operation; Example Of The Authentication Process - HP ProCurve 2810 Series Access Security Manual

Configuring Port-Based and Client-Based Access Control (802.1X)

General 802.1X Authenticator Operation

8-10

General 802.1X Authenticator Operation

This operation provides security on a direct, point-to-point link between a
single client and the switch, where both devices are 802.1X-aware. (If you
expect desirable clients that do not have the necessary 802.1X supplicant
software, you can provide a path for downloading such software by using the
802.1X Open VLAN mode—refer to "802.1X Open VLAN Mode" on page 8-26.)

Example of the Authentication Process

Suppose that you have configured a port on the switch for 802.1X authentica-
tion operation. If you then connect an 802.1X-aware client (supplicant) to the
port and attempt to log on:
1. When the switch detects the client on the port, it blocks access to the LAN
from that port.
2. The switch responds with an identity request.
3. The client responds with a user name that uniquely defines this request
for the client.
4. The switch responds in one of the following ways:
• If 802.1X (port-access) on the switch is configured for RADIUS
authentication, the switch then forwards the request to a RADIUS
server.
i. The server responds with an access challenge which the switch
forwards to the client.
ii. The client then provides identifying credentials (such as a user
certificate), which the switch forwards to the RADIUS server.
iii. The RADIUS server then checks the credentials provided by the
client.
iv. If the client is successfully authenticated and authorized to con-
nect to the network, then the server notifies the switch to allow
access to the client. Otherwise, access is denied and the port
remains blocked.