-28-
The 802.1X authenticator operates as a go-between with the supplicant
and the authentication server to provide services to the network. When
a switch is configured as an authenticator, the ports of the switch must
then be configured for authorization. In an authenticator-initiated port
authorization, a client is powered up or plugs into the port, and the
authenticator port sends an Extensible Authentication Protocol (EAP)
PDU to the supplicant requesting the identification of the supplicant. At
this point in the process, the port on the switch is connected from a
physical standpoint; however, the 802.1X process has not authorized the
port and no frames are passed from the port on the supplicant into the
switching engine. If the PC attached to the switch did not understand the
EAP PDU that it was receiving from the switch, it would not be able to
send an ID and the port would remain unauthorized. In this state, the port
would never pass any user traffic and would be as good as disabled. If
the client PC is running the 802.1X EAP, it would respond to the request
with its configured ID. (This could be a username/password combination
or a certificate.)
After the switch, the authenticator receives the ID from the PC (the sup-
plicant). The switch then passes the ID information to an authentication
server (RADIUS server) that can verify the identification information.
The RADIUS server responds to the switch with either a success or
failure message. If the response is a success, the port will be authorized
and user traffic will be allowed to pass through the port like any switch
port connected to an access device. If the response is a failure, the port
will remain unauthorized and, therefore, unused. If there is no response
from the server, the port will also remain unauthorized and will not pass
any traffic.
The following configuration settings are required in the switch to make
802.1X function work: