Open as PDF
7–2 MULTILINK ML1600 ETHERNET COMMUNICATIONS SWITCH – INSTRUCTION MANUAL
INTRODUCTION TO 802.1X CHAPTER 7: ACCESS USING RADIUS
access to services that are accessible via that port. The authenticator is responsible for
communication with the supplicant and for submitting the information received from the
supplicant to a suitable authentication server. This allows the verification of user
credentials to determine the consequent port authorization state. It is important to note
that the authenticator's functionality is independent of the actual authentication method.
It effectively acts as a pass-through for the authentication exchange.
FIGURE 7–1: 802.1x network components
The RADIUS server is the authentication server. The authentication server provides a
standard way of providing Authentication, Authorization, and Accounting services to a
network. Extensible Authentication Protocol (EAP) is an authentication framework which
supports multiple authentication methods. EAP typically runs directly over data link layers
such as PPP or IEEE 802, without requiring IP. EAP over LAN (EAPOL) encapsulates EAP
packets onto 802 frames with a few extensions to handle 802 characteristics. EAP over
RADIUS encapsulates EAP packets onto RADIUS packets for relaying to RADIUS
The details of the 802.1x authentication are as follows.
1. The supplicant (host) is initially blocked from accessing the network. The
supplicant wanting to access these services starts with an EAPOL-Start frame.
2. The authenticator (MultiLink switch), upon receiving an EAPOL-start frame,
sends a response with an EAP-Request/Identity frame back to the supplicant.
This will inform the supplicant to provide its identity.
3. The supplicant then sends back its own identification using an EAP-Response/
Identity frame to the authenticator (MultiLink switch.) The authenticator then
relays this to the authentication server by encapsulating the EAP frame on a
4. The RADIUS server will then send the authenticator a RADIUS-Access-
5. The authenticator (MultiLink switch) will relay this challenge to the supplicant
using an EAP-Request frame. This will request the supplicant to pass its
credentials for authentication.
6. The supplicant will send its credentials using an EAP-Response packet.
7. The authenticator will relay using a RADIUS-Access-Request packet.
8. If the supplicant's credentials are valid, RADIUS-Access-Accept packet is sent
to the authenticator.
9. The authenticator will then relay this on as an EAP-Success and provides
access to the network.