CHAPTER 7: ACCESS USING RADIUS INTRODUCTION TO 802.1X
MULTILINK ML1600 ETHERNET COMMUNICATIONS SWITCH – INSTRUCTION MANUAL 7–3
10. If the supplicant does not have the necessary credentials, a RADIUS-Access-Deny packet is relayed to the supplicant as an EAP-Failure frame. Access to the network continues to be blocked.
FIGURE 7–2: 802.1x authentication details
The ML1600 software implements the 802.1x authenticator. It fully conforms to the standards as described in IEEE 802.1x, implementing all the state machines needed for port-based authentication. The ML1600 software authenticator supports both EAPOL and EAP over RADIUS to communicate with a standard 802.1x supplicant and a RADIUS authentication server.
The ML1600 software authenticator has the following characteristics:
• Allows control on ports using STP-based hardware functions. EAPOL frames are Spanning Tree Protocol (STP) link Bridge PDUs (BPDUs) with their own bridge multicast address.
• Relays the MD5 challenge authentication protocol (although not limited to it) to the RADIUS server.
• Limits authentication to a single host per port.
• The MultiLink switch provides the IEEE 802.1x MIB for SNMP management.
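EAPOL frames use EtherType 0x888E and are normally addressed to the IEEE 802.1X PAE group address 01-80-C2-00-00-03, the bridge multicast address the list above refers to. The parser below is an added example for reviewing captured frames, not code from the ML1600 manual or firmware; the function names, sample frames and MAC address are constructed for illustration.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # IEEE 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge"}

def parse_eapol(frame: bytes) -> dict:
    """Decode one untagged Ethernet frame carrying EAPOL; ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]  # trailing Ethernet padding is ignored
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    out = {
        "src": frame[6:12].hex(":"),
        "to_pae_group": frame[0:6] == PAE_GROUP_ADDR,
        "version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
    }
    if ptype == 0:  # EAP-Packet: code, identifier, length, then optional type
        if body_len < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if not 4 <= eap_len <= body_len:
            raise ValueError("bad EAP length")
        out.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident)
        if code in (1, 2):  # only Request/Response carry a Type octet
            if eap_len < 5:
                raise ValueError("Request/Response without Type")
            out["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
            out["eap_data"] = body[5:eap_len]
    return out

# Constructed sample frames (MAC address and payloads are made up for illustration).
SWITCH_MAC = bytes.fromhex("020000000001")
def build(eapol_type: int, body: bytes) -> bytes:
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body))
    return PAE_GROUP_ADDR + SWITCH_MAC + hdr + body

SAMPLE_REQUEST_ID = build(0, bytes([1, 1, 0, 5, 1]))  # EAP-Request/Identity
SAMPLE_FAILURE = build(0, bytes([4, 2, 0, 4]))        # EAP-Failure, as in step 10
```

Calling `parse_eapol(SAMPLE_FAILURE)` returns the decoded EAP-Failure that a supplicant receives when authentication is refused.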
[Figure 7–2 diagram. Labels: 802.1x switch; EAPOL; EAP over RADIUS; Port Connected; Access Blocked; EAP Request Id; RADIUS Access Request; RADIUS Access Challenge; EAP Request; EAP Response; RADIUS Access Request; RADIUS Access Accept; EAP Success; Access Allowed.]