VigorSwitch P2260 User’s Guide
79
According to IEEE802.1X, there are three components implemented. They are
Authenticator, Supplicant and Authentication server shown in figure below.
Supplicant:
It is an entity being authenticated by an authenticator. It is used to communicate with the
Authenticator PAE (Port Access Entity) by exchanging the authentication message when
the Authenticator PAE request to it.
Authenticator:
An entity facilitates the authentication of the supplicant entity. It controls the state of the
port, authorized or unauthorized, according to the result of authentication message
exchanged between it and a supplicant PAE. The authenticator may request the supplicant
to re-authenticate itself at a configured time period. Once start re-authenticating the
supplicant, the controlled port keeps in the authorized state until re-authentication fails.
A port acting as an authenticator is thought to be two logical ports, a controlled port and an
uncontrolled port. A controlled port can only pass the packets when the authenticator PAE
is authorized, and otherwise, an uncontrolled port will unconditionally pass the packets
with PAE group MAC address, which has the value of 01-80-c2-00-00-03 and will not be
forwarded by MAC bridge, at any time.
Authentication server:
A device provides authentication service, through EAP, to an authenticator by using
authentication credentials supplied by the supplicant to determine if the supplicant is
authorized to access the network resource.
The overview of operation flow for the Fig. 3-52 is quite simple. When Supplicant PAE
issues a request to Authenticator PAE, Authenticator and Supplicant exchanges
authentication message. Then, Authenticator passes the request to RADIUS server to verify.
Finally, RADIUS server replies if the request is granted or denied.
While in the authentication process, the message packets, encapsulated by Extensible
Authentication Protocol over LAN (EAPOL), are exchanged between an authenticator PAE
and a supplicant PAE. The Authenticator exchanges the message to authentication server
using EAP encapsulation. Before successfully authenticating, the supplicant can only touch
the authenticator to perform authentication message exchange or access the network from
the uncontrolled port.