Configuring Port-Based and Client-Based Access Control (802.1X)
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches
1. When port A1 on switch “A” is first connected to a port on switch “B”, or
if the ports are already connected and either switch reboots, port A1
begins sending start packets to port B5 on switch “B”.
• If, after the supplicant port sends the configured number of start
packets, it does not receive a response, it assumes that switch “B” is
not 802.1X-aware, and transitions to the authenticated state. If switch
“B” is operating properly and is not 802.1X-aware, then the link should
begin functioning normally, but without 802.1X security.
• If, after sending one or more start request packets, port A1 receives
a request packet from port B5, then switch “B” is operating as an
802.1X authenticator. The supplicant port then sends a response/ID
packet. If switch “B” is configured for RADIUS authentication, it
forwards this request to a RADIUS server. If switch “B” is configured
for Local 802.1X authentication, the authenticator compares the
switch “A” response to its local username and password.
2. The RADIUS server then responds with an MD5 access challenge that
switch “B” forwards to port A1 on switch “A”.
3. Port A1 replies with an MD5 hash response based on its username and
password or other unique credentials. Switch “B” forwards this response
to the RADIUS server.
4. The RADIUS server then analyzes the response and sends either a “suc-
cess” or “failure” packet back through switch “B” to port A1.
• A “success” response unblocks port B5 to normal traffic from port A1.
• A “failure” response continues the block on port B5 and causes port
A1 to wait for the “held-time” period before trying again to achieve
authentication through port B5.
Not e A switch port can operate as both a supplicant and an authenticator at the
same time. However, as mentioned at the beginning of this section, 5300xl
switches running software release E.09.xx or greater are not recommended
as authenticators for ports configured as supplicants on other switches.
10-39
To Next Page
Loading...
