MULTILINK ML810 MANAGED EDGE SWITCH – INSTRUCTION MANUAL
INTRODUCTION TO 802.1X
CHAPTER 7: ACCESS USING RADIUS
credentials to determine the consequent port authorization state. It is important to note
that the authenticator's functionality is independent of the actual authentication method.
It effectively acts as a pass-through for the authentication exchange.
FIGURE 7–1: 802.1x network components
The RADIUS server is the authentication server. The authentication server provides a
standard way of providing Authentication, Authorization, and Accounting services to a
network. Extensible Authentication Protocol (EAP) is an authentication framework which
supports multiple authentication methods. EAP typically runs directly over data link layers
such as PPP or IEEE 802, without requiring IP. EAP over LAN (EAPOL) encapsulates EAP
packets onto 802 frames with a few extensions to handle 802 characteristics. EAP over
RADIUS encapsulates EAP packets onto RADIUS packets for relaying to RADIUS
authentication servers.
The details of the 802.1x authentication are as follows.
1. The supplicant (host) is initially blocked from accessing the network. The
   supplicant wanting to access these services starts with an EAPOL-Start frame.
2. The authenticator (MultiLink ML810 Managed Edge Switch), upon receiving an
   EAPOL-Start frame, sends a response with an EAP-Request/Identity frame
   back to the supplicant. This will inform the supplicant to provide its identity.
3. The supplicant then sends back its own identification using an
   EAP-Response/Identity frame to the authenticator (MultiLink ML810 Managed
   Edge Switch). The authenticator then relays this to the authentication server
   by encapsulating the EAP frame in a RADIUS-Access-Request packet.
4. The RADIUS server will then send the authenticator a
   RADIUS-Access-Challenge packet.
5. The authenticator (MultiLink ML810 Managed Edge Switch) will relay this
   challenge to the supplicant using an EAP-Request frame. This will request the
   supplicant to pass its credentials for authentication.
6. The supplicant will send its credentials using an EAP-Response packet.
7. The authenticator will relay this using a RADIUS-Access-Request packet.
8. If the supplicant's credentials are valid, a RADIUS-Access-Accept packet is
   sent to the authenticator.
9. The authenticator will then relay this on as an EAP-Success frame and provide
   access to the network.
10. If the supplicant does not have the necessary credentials, a
    RADIUS-Access-Deny packet is relayed to the supplicant as an EAP-Failure
    frame. The access to the network continues to be blocked.
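
The exchange in steps 1 to 10, modelled as an added example (not code from this manual or from the switch firmware): the authenticator relays EAP bodies without interpreting the method, and the port opens only on an Access-Accept. The names `Authenticator`, `run_exchange` and the helpers are hypothetical, the RADIUS leg is reduced to a (code, EAP message) pair, the payloads and the choice of EAP type 4 as the sample method are constructed, and RADIUS code 3 is named Access-Reject in RFC 2865 (the packet this manual calls RADIUS-Access-Deny).

```python
import struct

# EAPOL packet types (IEEE 802.1X), EAP codes/types (RFC 3748), RADIUS codes (RFC 2865)
EAPOL_EAP, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5 = 1, 4          # type 4 is used here only as a sample method
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, total length, then optional type and data."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol(ptype, body=b"", version=2):
    """EAPOL header: protocol version, packet type, body length."""
    return struct.pack("!BBH", version, ptype, len(body)) + body

def parse_eapol(frame):
    """Return (packet type, body); reject short frames and lying length fields."""
    length = int.from_bytes(frame[2:4], "big")
    if len(frame) < 4 or len(frame) < 4 + length:
        raise ValueError("short or truncated EAPOL frame")
    return frame[1], frame[4:4 + length]

class Authenticator:
    """Pass-through model: relays EAP untouched; only Access-Accept opens the port."""
    authorized = False

    def from_supplicant(self, frame):
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:                                   # steps 1-2
            return ("eapol", eapol(EAPOL_EAP, eap(EAP_REQUEST, 1, EAP_IDENTITY)))
        if ptype == EAPOL_EAP and body[:1] == bytes([EAP_RESPONSE]):
            return ("radius", ACCESS_REQUEST, body)                # steps 3 and 7
        return ("drop",)                                           # port stays blocked

    def from_radius(self, code, eap_msg):
        if code != ACCESS_CHALLENGE:                               # steps 8-10
            self.authorized = code == ACCESS_ACCEPT
        return eapol(EAPOL_EAP, eap_msg)                           # steps 5 and 9

def run_exchange(final_code):
    """Steps 1-10 with constructed payloads; returns the resulting port state."""
    sw = Authenticator()
    sw.from_supplicant(eapol(EAPOL_START))
    sw.from_supplicant(eapol(EAPOL_EAP, eap(EAP_RESPONSE, 1, EAP_IDENTITY, b"host1")))
    sw.from_radius(ACCESS_CHALLENGE, eap(EAP_REQUEST, 2, EAP_MD5, b"constructed"))
    sw.from_supplicant(eapol(EAPOL_EAP, eap(EAP_RESPONSE, 2, EAP_MD5, b"constructed")))
    sw.from_radius(final_code, eap(EAP_SUCCESS if final_code == ACCESS_ACCEPT else EAP_FAILURE, 2))
    return sw.authorized
```

The port state follows the RADIUS code alone, so an exchange that ends on anything other than Access-Accept leaves the port blocked.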