Chapter 4: Web management
190
NS3550-8T-2S Industrial Managed Switch User Manual
connected to a switch port before making any services offered by the switch or the LAN
available.
Until the client is authenticated, 802.1X access control allows only Extensible
Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is
connected. After authentication is successful, normal traffic can pass through the port.
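The two behaviours described here, and the switch's RADIUS-client role described under "Device roles" below, can be modelled in a few dozen lines. The following is an added example, not code from the NS3550-8T-2S manual or its firmware: it implements the authenticator-side decision (forward only EtherType 0x888E until the port is authorized), strips the Ethernet and EAPOL headers off an EAP packet, encapsulates that packet in a RADIUS Access-Request using EAP-Message (attribute 79) and Message-Authenticator (attribute 80) as RFC 3579 requires, and performs the inverse check a RADIUS peer would make. The sample EAPOL frame, shared secret, NAS-IP-Address and NAS-Port values are constructed for the example.

```python
"""Minimal model of the 802.1X authenticator (switch) side.

Wire formats follow IEEE 802.1X (EAPOL), RFC 3748 (EAP) and RFC 2865/3579
(RADIUS).  Everything below is an illustrative example; the sample frame,
the shared secret and the NAS values are constructed, not captured.
"""
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0           # EAPOL packet type 0 carries an EAP packet
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def controlled_port_forwards(frame: bytes, authorized: bool) -> bool:
    """Port access decision: until the port is authorized only EAPOL passes."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return authorized or ethertype == ETHERTYPE_EAPOL


def extract_eap_from_eapol(frame: bytes) -> bytes:
    """Strip Ethernet + EAPOL headers and return the length-checked EAP packet."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL frame does not carry an EAP packet")
    body = frame[18:18 + body_len]
    if len(body) < 4:
        raise ValueError("truncated EAP packet")
    eap_len = struct.unpack("!H", body[2:4])[0]
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPOL body")
    return body[:eap_len]


def eap_identity(eap: bytes) -> str:
    """Return the identity carried by an EAP Response/Identity packet."""
    code, _ident, _length, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Response/Identity")
    return eap[5:].decode("utf-8", errors="replace")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(eap: bytes, user_name: str, secret: bytes, nas_ip: bytes,
                         nas_port: int, identifier: int = 0,
                         authenticator: bytes = b"") -> bytes:
    """Encapsulate an EAP packet in a RADIUS Access-Request (RFC 3579 section 3)."""
    authenticator = authenticator or os.urandom(16)      # Request Authenticator
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, nas_ip)
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap), 253):                     # 253-octet attribute limit
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero while computing HMAC
    pkt = bytearray(struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
                    + authenticator + attrs)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def verify_and_extract_eap(pkt: bytes, secret: bytes) -> bytes:
    """Check Message-Authenticator of an Access-Request, then reassemble EAP-Message."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length mismatch")
    pos, eap, mac_off = 20, b"", None
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == ATTR_EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac_off = pos + 2
        pos += alen
    if mac_off is None:
        raise ValueError("missing Message-Authenticator (required with EAP-Message)")
    zeroed = pkt[:mac_off] + bytes(16) + pkt[mac_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_off:mac_off + 16]):
        raise ValueError("Message-Authenticator check failed")
    return eap


# Constructed sample: supplicant 02:00:00:00:00:01 -> PAE group address,
# EAPOL v2 EAP-Packet carrying EAP Response/Identity "alice".
_EAP = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(b"alice"), EAP_TYPE_IDENTITY) + b"alice"
SAMPLE_EAPOL = (bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
                + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, EAPOL_EAP_PACKET, len(_EAP)) + _EAP)

if __name__ == "__main__":
    eap = extract_eap_from_eapol(SAMPLE_EAPOL)
    req = build_access_request(eap, eap_identity(eap), b"testing123",
                               bytes([192, 0, 2, 1]), nas_port=7, identifier=9)
    print("Access-Request bytes:", req.hex())
    print("EAP recovered by server:", verify_and_extract_eap(req, b"testing123").hex())
```

The switch never interprets the EAP method itself; it only moves the EAP packet between EAPOL on the access port and RADIUS on the uplink. The shared secret is therefore the only thing that binds the RADIUS exchange to this switch, which is why the Message-Authenticator check rejects a packet built with a different secret.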
Device roles
With 802.1X port-based authentication, the devices in the network have specific roles
as shown below.
• Client – The device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.1X-compliant client software, such as that included in the Microsoft operating systems (the client is the supplicant in the IEEE 802.1X specification).
• Authentication server – Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, a Remote Authentication Dial-In User Service (RADIUS) server with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; Cisco Secure Access Control Server version 3.0 is one such server. RADIUS operates in a client/server model in which authentication information is exchanged between the RADIUS server and one or more RADIUS clients, protected by a shared secret configured on both sides.
• Switch (802.1X device) – Controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server: it requests identity information from the client, verifies that information with the authentication server, and relays the response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server. When the