Chapter 65 Port Authentication
GS1920v2 Series User’s Guide
419
Sent by a switch requesting authentication.
• Access-Reject
Sent by a RADIUS server rejecting access.
• Access-Accept
Sent by a RADIUS server allowing access.
• Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access. The switch sends a proper
response from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the switch and the RADIUS server for
user accounting:
• Accounting-Request
Sent by the switch requesting accounting.
• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
The switch and the RADIUS server use a shared secret key, which is a password, they both know to
authenticate the communications between them, and ensure network security. A shared key is not sent
over the network.
The switch forwards the RADIUS requests of a client to the RADIUS server. The login password information
exchanged is sent over the network and encrypted to protect the network from unauthorized access.
65.5.3 EAP (Extensible Authentication Protocol) Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP.
Your wired LAN device may not support all authentication types.
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x
transport mechanism in order to support multiple types of user authentication. By using EAP to interact
with an EAP-compatible RADIUS server, a switch helps a wired station and a RADIUS server perform
authentication.
The type of authentication you use depends on the RADIUS server and an intermediary switch that
supports IEEE 802.1x.
For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the
certificates from a certificate authority (CA). A certificate (also called digital IDs) can be used to
authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.
• EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a
challenge to the wired client. The wired client ‘proves’ that it knows the password by encrypting the
password with the challenge and sends back the information. Password is not sent in plain text.
To Next Page
Loading...
