Figure 174 802.1x Message Exchange

[Figure: message sequence between Supplicant, Authenticator and Authentication Server. Supplicant/Authenticator lane (EAPOL): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/OTP, EAP-Response/OTP, EAP-Success, EAP-Logoff. Authenticator/Authentication Server lane (RADIUS): Access-Request, Access-Challenge, Access-Request, Access-Accept. Port state: Unauthorized before the exchange and again after EAP-Logoff.]

1. The authenticator sends an EAP-Request/Identity packet to the supplicant as soon as it detects that the link is active (for example, the client has connected to a switch port).

2. The supplicant sends an EAP-Response/Identity packet to the authenticator, which is then passed on to the authentication (RADIUS) server. Communications between the supplicant and authentication server also leverage the RADIUS protocol carried over standard User Datagram Protocol (UDP).

3. The authentication server sends back a challenge to the authenticator, such as with a token password system. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant. Different authentication methods will vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication. Only strong mutual authentication is considered appropriate in a wireless environment.

4. The supplicant responds to the challenge via the authenticator, which passes the response on to the authentication server.

5. If the supplicant provides proper identity, the authentication server responds with a success message, which is then passed on to the supplicant. The authenticator now allows access to the LAN, possibly restricted based on attributes that came back from the authentication server. For example, the authenticator might switch the supplicant to a particular VLAN or install a set of access control rules.
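To make the relay role of the authenticator concrete, here is an added example (not code from the book) that builds the EAP, EAPOL and RADIUS EAP-Message framings by hand, re-wraps EAP from one side to the other as steps 2 through 5 describe, and tracks the controlled-port state: Unauthorized until an Access-Accept carrying EAP-Success arrives, and Unauthorized again on EAPOL-Logoff. The identity, OTP challenge and OTP response are constructed sample values; the RADIUS/UDP transport and the EAP method itself are out of scope.

```python
import struct

# Codes from RFC 3748 (EAP), IEEE 802.1X (EAPOL) and RFC 2865/3579 (RADIUS).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY, EAP_TYPE_OTP = 1, 6
EAPOL_EAP_PACKET, EAPOL_LOGOFF = 0, 2
RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_CHALLENGE = 2, 11
ATTR_EAP_MESSAGE = 79

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol_frame(pkt_type, body=b""):
    """EAPOL header on the LAN: Version(1)=2 Type(1) Length(2), then body."""
    return struct.pack("!BBH", 2, pkt_type, len(body)) + body

def eap_message_attr(eap):
    """RADIUS EAP-Message attribute (Type 79): Type(1) Length(1) Value."""
    return struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(eap)) + eap

class Authenticator:
    """Relays EAP between EAPOL and RADIUS and owns the controlled-port state."""
    def __init__(self):
        self.port_authorized = False  # a controlled port starts Unauthorized
    def from_supplicant(self, frame):
        _ver, ptype, length = struct.unpack("!BBH", frame[:4])
        body = frame[4:4 + length]
        if ptype == EAPOL_LOGOFF:  # logoff: port back to Unauthorized
            self.port_authorized = False
            return None
        if ptype == EAPOL_EAP_PACKET and body[0] == EAP_RESPONSE:
            return eap_message_attr(body)  # steps 2 and 4: EAPOL -> RADIUS
    def from_server(self, radius_code, attr):
        eap = attr[2:attr[1]]  # steps 3 and 5: RADIUS attribute -> EAPOL
        if radius_code == RADIUS_ACCESS_ACCEPT and eap[0] == EAP_SUCCESS:
            self.port_authorized = True  # only Access-Accept + Success opens it
        return eapol_frame(EAPOL_EAP_PACKET, eap)

def walk_exchange():
    """Replays the figure with constructed sample values; returns port state at three points."""
    auth = Authenticator()
    auth.from_supplicant(eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")))
    auth.from_server(RADIUS_ACCESS_CHALLENGE, eap_message_attr(eap_packet(EAP_REQUEST, 2, EAP_TYPE_OTP, b"otp-md5 487 dog2")))
    mid = auth.port_authorized  # still Unauthorized while the challenge is pending
    auth.from_supplicant(eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 2, EAP_TYPE_OTP, b"hex:4c1e0b")))
    auth.from_server(RADIUS_ACCESS_ACCEPT, eap_message_attr(eap_packet(EAP_SUCCESS, 2)))
    after_success = auth.port_authorized  # Authorized only after EAP-Success
    auth.from_supplicant(eapol_frame(EAPOL_LOGOFF))
    return [mid, after_success, auth.port_authorized]  # logoff revokes access
```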
