special 802.1X frames, known as EAPOL (EAP over LANs) frames. EAPOL frames
encapsulate EAP PDUs (RFC 3748). Frames sent between the switch and the RADIUS
server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs, together
with other attributes such as the switch's IP address and name and the supplicant's
port number on the switch. EAP is very flexible in that it allows for different
authentication methods, such as MD5-Challenge, PEAP, and TLS. The important point is
that the authenticator (the switch) does not need to know which authentication
method the supplicant and the authentication server are using, or how many
information exchange frames a particular method needs. The switch simply
encapsulates the EAP part of the frame in the relevant carrier (EAPOL or RADIUS)
and forwards it.
When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port
connected to the supplicant.
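The relay step described above, as an added example that is not part of this manual: parse an EAPOL frame, pull out the EAP PDU, and wrap it in a RADIUS Access-Request carrying EAP-Message, NAS-IP-Address and NAS-Port plus the Message-Authenticator the server uses to check the request. The sample frame, switch address, port number and shared secret are constructed values.

```python
import hashlib
import hmac
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1                         # 802.1X packet types
RADIUS_ACCESS_REQUEST = 1
ATTR_NAS_IP, ATTR_NAS_PORT, ATTR_EAP_MSG, ATTR_MSG_AUTH = 4, 5, 79, 80

# Constructed sample: EAPOL v2 EAP-Packet carrying EAP Response/Identity "alice".
SAMPLE_EAPOL = bytes([2, 0, 0, 10, 2, 1, 0, 10, 1]) + b"alice"

def parse_eapol(frame):
    """Split the EAPOL header (after Ethernet) into (packet type, EAP PDU); both lengths are checked."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length exceeds frame")
    if ptype != EAPOL_EAP_PACKET:
        return ptype, b""                     # EAPOL-Start / Logoff carry no EAP PDU
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    eap_len = struct.unpack("!H", body[2:4])[0]
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    return ptype, body[:eap_len]

def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def eap_to_radius(eap_pdu, nas_ip, nas_port, ident, req_auth, secret):
    """Wrap an EAP PDU in a RADIUS Access-Request, as the switch does when relaying."""
    attrs = _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap_pdu), 253):     # EAP-Message holds at most 253 bytes each
        attrs += _attr(ATTR_EAP_MSG, eap_pdu[i:i + 253])
    attrs += _attr(ATTR_MSG_AUTH, bytes(16))  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # RFC 3579: Message-Authenticator = HMAC-MD5(shared secret, packet with that attribute zeroed)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    """Server-side check of a request whose Message-Authenticator is the last attribute."""
    if len(pkt) < 38 or pkt[-18] != ATTR_MSG_AUTH or pkt[-17] != 18:
        return False
    expected = hmac.new(secret, pkt[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])
```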
NOTE: Suppose two backend servers are enabled and the server timeout is
configured to X seconds (on the AAA configuration page), and suppose that the
first server in the list is currently down (but not yet considered dead).
Now, if the supplicant retransmits EAPOL Start frames faster than once every
X seconds, it will never get authenticated, because the switch cancels any
ongoing backend authentication server request whenever it receives a new
EAPOL Start frame from the supplicant.
Since the server has not yet failed (the X seconds have not expired), the same
server will be contacted on the switch's next backend authentication server
request. This scenario loops forever. Therefore, the server timeout should be
smaller than the supplicant's EAPOL Start frame retransmission interval.