TGPS-9164GT-M12 Series User
Manual
ORing Industrial Networking Corp
130
the port link is up, and any client on the port will be disallowed
network access.
Port-based 802.1X
In an 802.1X network environment, the user is called the
supplicant, the switch is the authenticator, and the RADIUS server
is the authentication server. The authenticator acts as the
man-in-the-middle, forwarding requests and responses between
the supplicant and the authentication server. Frames sent
between the supplicant and the switch are special 802.1X frames,
known as EAPOL (EAP Over LANs) frames which encapsulate
EAP PDUs (RFC3748). Frames sent between the switch and the
RADIUS server is RADIUS packets. RADIUS packets also
encapsulate EAP PDUs together with other attributes like the
switch's IP address, name, and the supplicant's port number on
the switch. EAP is very flexible as it allows for different
authentication methods, like MD5-Challenge, PEAP, and TLS.
The important thing is that the authenticator (the switch) does not
need to know which authentication method the supplicant and the
authentication server are using, or how many information
exchange frames are needed for a particular method. The switch
simply encapsulates the EAP part of the frame into the relevant
type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a
special packet containing a success or failure indication. Besides
forwarding the result to the supplicant, the switch uses it to open
up or block traffic on the switch port connected to the supplicant.
Note: in an environment where two backend servers are enabled,
the server timeout is configured to X seconds (using the
authentication configuration page), and the first server in the list is
currently down (but not considered dead), if the supplicant
retransmits EAPOL Start frames at a rate faster than X seconds, it
will never be authenticated because the switch will cancel
on-going backend authentication server requests whenever it
receives a new EAPOL Start frame from the supplicant. Since the
server has not failed (because the X seconds have not expired),
the same server will be contacted when the next backend
authentication server request from the switch This scenario will