966 BigIron RX Series Configuration Guide
53-1002253-01
How 802.1x port security works
33
FIGURE 126 Controlled and uncontrolled ports before and after client authentication
Before a Client is authenticated, only the uncontrolled port on the Authenticator is open. The
uncontrolled port allows only EAPOL frames to be exchanged between the Client and the
Authentication Server. The controlled port is in the unauthorized state and allows no traffic to pass
through.
During authentication, EAPOL messages are exchanged between the Supplicant PAE and the
Authenticator PAE, and RADIUS messages are exchanged between the Authenticator PAE and the
Authentication Server. Refer to “Message exchange during authentication” on page 966 for an
example of this process. If the Client is successfully authenticated, the controlled port becomes
authorized, and traffic from the Client can flow through the port normally.
By default, all controlled ports on the BigIron RX are placed in the authorized state, allowing all
traffic. When authentication is activated on an 802.1x-enabled interface, the interface’s controlled
port is placed initially in the unauthorized state. When a Client connected to the port is successfully
authenticated, the controlled port is then placed in the authorized state until the Client logs off.
Refer to “Enabling 802.1x port security” on page 976 for more information.
Message exchange during authentication
Figure 127 illustrates a sample exchange of messages between an 802.1x-enabled Client, a
BigIron RX acting as Authenticator, and a RADIUS server acting as an Authentication Server.
Authentication
Server
Authentication
Server
BigIron Device
(Authenticator)
BigIron Device
(Authenticator)
802.1X-Enabled
Supplicant
802.1X-Enabled
Supplicant
PAE
PAE
PAE
PAE
Services
Services
Uncontrolled Port
Physical Port
Controlled Port
(Unauthorized)
Uncontrolled Port
Controlled Port
(Authorized)
Physical Port
Before Authentication
After Authentication
To Next Page
Loading...
