Authenticator:
The authenticator is usually an access device such as the switch. Its job is to open or close a
client's connection to the network according to that client's current authentication status.
Between the client and the server it acts as a relay: it asks the client for its identity (the
EAP-Request/Identity), passes the client's authentication information to the server for
verification, and returns the server's result to the client. Because the switch is both the
IEEE 802.1X authenticator and the RADIUS client, it is also referred to as the network
access server (NAS). It encapsulates the EAP responses received from the client into RADIUS
packets and forwards them to the RADIUS server, and it decapsulates the information received
from the RADIUS server and forwards it to the client.
The device acting as the authenticator has two types of ports: controlled ports and
uncontrolled ports. Users connected to a controlled port can access network resources only
after they have passed authentication, while users connected to an uncontrolled port can
access network resources directly, without authentication. Users are therefore brought under
control simply by connecting them to a controlled port. An uncontrolled port, on the other
hand, is used to connect the authentication server, so that communication between the server
and the device is never blocked by authentication. (Note that the IEEE 802.1X standard itself
uses these two terms for the logical halves of a single port: the uncontrolled port always
passes EAPOL frames, the controlled port passes other traffic only once authentication has
succeeded. In this manual the terms refer to physical ports with 802.1X enabled or disabled.)
Authentication server:
The authentication server is usually a RADIUS server, which works with the authenticator to
provide authentication services to users. The authentication server stores user names,
passwords and related authentication information. One server can provide authentication
services for multiple authenticators, which allows centralized management of users. The
authentication server also receives and manages the accounting data sent by the authenticator.
The authenticator and the server must be configured with the same RADIUS shared secret, which
protects the RADIUS exchange between them.
Our 802.1X device is fully compatible with standard RADIUS servers, for example the RADIUS
server included with Windows 2000 Server and FreeRADIUS on Linux.
37.1.2 Authentication Initiation and Packet Interaction During Authentication
The supplicant and the authenticator exchange information using the EAPOL protocol, while the
authenticator and the authentication server exchange information using the RADIUS protocol;
the authenticator converts between the two, so that the EAP conversation passes end to end
from supplicant to server. EAPOL is encapsulated directly at the MAC layer, with the Ethernet
type number 0x888E. In addition, the standard reserves the multicast MAC address
01-80-C2-00-00-03 (the PAE group address) as the destination address for EAPOL frames
exchanged during the initial authentication process.
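The following Python program is an added example, not code from the manual or from the switch's firmware: it shows the authenticator's relay step described above, first building and parsing an EAPOL frame (Ethernet type 0x888E, destination 01-80-C2-00-00-03) that carries an EAP-Response/Identity, then re-encapsulating that EAP message in a RADIUS Access-Request with the EAP-Message attribute and the Message-Authenticator check that RFC 3579 requires, and finally verifying that check as the server would. The supplicant MAC address, the user name "alice", the shared secret "testing123" and the NAS-Port value are constructed sample values.

```python
# Added example (not from the manual): the authenticator's relay step, EAPOL in, RADIUS out.
# Standard library only; MAC addresses, user name, shared secret and NAS-Port are constructed.
import hashlib
import hmac
import os
import struct

EAPOL_ETHERTYPE = 0x888E                         # Ethernet type of EAPOL frames
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 01-80-C2-00-00-03, destination of initial EAPOL
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START = 0, 1   # EAPOL packet types: carries EAP / EAPOL-Start
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_PORT, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 5, 79, 80

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet (RFC 3748): Code, Identifier, Length, then Type and Type-Data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def build_eapol(dst, src, eapol_type, body=b""):
    """Ethernet II frame with an EAPOL header: protocol version 1, packet type, body length."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, eapol_type, len(body)) + body

def parse_eapol(frame):
    """Decode Ethernet/EAPOL/EAP headers; reject anything that is not well-formed EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    out = {"dst": frame[:6], "src": frame[6:12], "version": version,
           "eapol_type": eapol_type, "body": body}
    if eapol_type == EAPOL_TYPE_EAP_PACKET:
        if length < 4 or struct.unpack("!H", body[2:4])[0] != length:
            raise ValueError("EAP length does not match EAPOL body length")
        out["eap_code"], out["eap_id"] = body[0], body[1]
        if body[0] in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE) and length > 4:
            out["eap_type"], out["eap_data"] = body[4], body[5:]
    return out

def tlv(attr_type, value):
    """RADIUS attribute: Type, Length (covering these two octets too), Value of <= 253 octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return bytes([attr_type, 2 + len(value)]) + value

def radius_access_request(eap_msg, secret, username, nas_port, identifier, request_authenticator=None):
    """Access-Request carrying EAP-Message (79) plus the Message-Authenticator (80) that RFC 3579
    requires whenever EAP-Message is present."""
    req_auth = request_authenticator or os.urandom(16)   # 16 random octets in real traffic
    attrs = tlv(ATTR_USER_NAME, username) + tlv(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap_msg), 253):                # a long EAP message spans several 79s
        attrs += tlv(ATTR_EAP_MESSAGE, eap_msg[i:i + 253])
    ma_value_offset = 20 + len(attrs) + 2                # where the 16-octet HMAC will be written
    attrs += tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeros while the HMAC is computed
    pkt = bytearray(struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)))
    pkt += req_auth + attrs
    # HMAC-MD5 keyed with the shared secret over the whole packet (zeros standing in for the MAC).
    pkt[ma_value_offset:ma_value_offset + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def verify_message_authenticator(pkt, secret):
    """The server's check: recompute Message-Authenticator; False if absent, malformed or wrong."""
    if len(pkt) < 20 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        return False
    off = 20
    while off + 2 <= len(pkt):
        attr_type, attr_len = pkt[off], pkt[off + 1]
        if attr_len < 2 or off + attr_len > len(pkt):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += attr_len
    return False

def relay_identity_response(frame, secret, nas_port, identifier, request_authenticator=None):
    """Authenticator step: strip EAPOL from the supplicant's EAP-Response/Identity and
    re-encapsulate the EAP message in RADIUS for the server."""
    p = parse_eapol(frame)
    if (p["eapol_type"] != EAPOL_TYPE_EAP_PACKET or p.get("eap_code") != EAP_CODE_RESPONSE
            or p.get("eap_type") != EAP_TYPE_IDENTITY):
        raise ValueError("expected an EAPOL-Packet carrying EAP-Response/Identity")
    return radius_access_request(p["body"], secret, p["eap_data"], nas_port, identifier,
                                 request_authenticator)

if __name__ == "__main__":
    supplicant_mac = bytes.fromhex("001122334455")       # constructed sample address
    response = build_eapol(PAE_GROUP_ADDR, supplicant_mac, EAPOL_TYPE_EAP_PACKET,
                           build_eap(EAP_CODE_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice"))
    access_request = relay_identity_response(response, b"testing123", nas_port=1, identifier=7)
    print("Access-Request:", access_request.hex())
    print("Message-Authenticator verifies:", verify_message_authenticator(access_request, b"testing123"))
```

The EAP message itself is carried unchanged from the EAPOL body into the EAP-Message attribute; only the outer encapsulation changes, which is what makes the authenticator a pass-through for whatever EAP method the supplicant and server negotiate. The Message-Authenticator is what lets the server reject an Access-Request from a device that does not hold the shared secret, so a server that accepts EAP over RADIUS should treat its absence or mismatch as a reason to drop the request.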
The following diagram shows a typical authentication process, during which the devices in the
three roles exchange packets with one another.