Specifications

Waters Network Systems User’s Manual Page 83
GSM-2108/GSM-1008SFP
5.21 802.1X Configuration
802.1X port-based network access control restricts access to network resources by
authenticating the user's credentials. A user cannot reach network resources through an
802.1X-enabled port without first being authenticated. To access the network through a port
under 802.1X control, you must first supply your account name for authentication and wait for
authorization before sending or receiving any packets on that 802.1X-enabled port.
Before devices or workstations can access network resources through ports under 802.1X
control, they must send an authentication request to the authenticator. The authenticator
passes the request to the authentication server for verification, and the server then instructs
the authenticator whether to grant authorization for the ports.
According to IEEE 802.1X, three components are involved, as shown in Figure 5.52:
- Supplicant
- Authenticator
- Authentication server
Supplicant:
An entity that is authenticated by an authenticator. It communicates with the Authenticator
PAE (Port Access Entity) by exchanging authentication messages when the Authenticator PAE
issues a request.
Authenticator:
An entity that facilitates the authentication of the supplicant. It sets the state of the port,
authorized or unauthorized, according to the result of the authentication messages exchanged
between it and the supplicant PAE. The authenticator may request the supplicant to
re-authenticate itself at a configured interval. Once re-authentication has begun, the
controlled port remains in the authorized state until re-authentication fails.
A port acting as an authenticator is treated as two logical ports: a controlled port and an
uncontrolled port. The controlled port passes packets only when the authenticator PAE is in
the authorized state. The uncontrolled port, by contrast, unconditionally passes packets
addressed to the PAE group MAC address 01-80-c2-00-00-03 at any time; frames with this
destination address are not forwarded by a MAC bridge.
Authentication server:
A device that provides an authentication service to an authenticator through EAP, using the
credentials supplied by the supplicant to determine whether the supplicant is authorized to
access the network resource.
The operation flow in Figure 5.52 is straightforward. When the Supplicant PAE issues a
request to the Authenticator PAE, the Authenticator and Supplicant exchange authentication
messages. The Authenticator then passes the request to the RADIUS server for verification.
Finally, the RADIUS server replies whether the request is granted or denied.
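The controlled/uncontrolled port split and the RADIUS decision described above, as an added Python model that is not part of this manual or of the switch's firmware. The supplicant MAC, the EAPOL frames and the data frame are constructed samples, and server_result stands in for the grant/deny reply the authenticator receives from the RADIUS server.

```python
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 01-80-c2-00-00-03, not bridged
ETHERTYPE_EAPOL = 0x888E                        # EAPOL EtherType
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types


def eapol_frame(src_mac: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build an EAPOL frame to the PAE group address (constructed sample frame)."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(body))
    return PAE_GROUP_MAC + src_mac + header + body


def parse_eapol(frame: bytes):
    """Return (eapol_type, body) if frame is EAPOL to the PAE group MAC, else None."""
    if len(frame) < 18 or frame[:6] != PAE_GROUP_MAC:
        return None
    ethertype, _version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL or len(frame) < 18 + length:
        return None
    return ptype, frame[18:18 + length]


class AuthenticatorPort:
    """One physical port seen as a controlled and an uncontrolled logical port."""

    def __init__(self):
        self.authorized = False          # state of the controlled port

    def ingress(self, frame: bytes) -> str:
        """Decide what happens to one frame arriving from the supplicant side."""
        eapol = parse_eapol(frame)
        if eapol is not None:
            # Uncontrolled port: EAPOL always reaches the authenticator PAE,
            # whatever the controlled port's state.
            ptype, _body = eapol
            if ptype == EAPOL_LOGOFF:
                self.authorized = False  # supplicant logged off
            return "eapol-to-pae"
        # Controlled port: ordinary traffic passes only while authorized.
        return "forward" if self.authorized else "drop"

    def server_result(self, granted: bool) -> None:
        """Apply the RADIUS server's decision (initial or re-authentication)."""
        self.authorized = granted
```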
During the authentication process, the message packets, encapsulated by Extensible
Authentication Protocol over LAN (EAPOL), are exchanged between the authenticator PAE
and the supplicant PAE. The Authenticator relays the messages to the authentication server
using EAP encapsulation. Before successful authentication, the supplicant can only touch