Nortel Networks 42C4911 Switch User Manual
Alteon OS Application Guide
Chapter 2: Port-based Network Access Control 42C4911, January 2007
EAPoL Message Exchange
During authentication, EAPOL messages are exchanged between the client and the GbESM authenticator, while RADIUS-EAP messages are exchanged between the GbESM authenticator and the RADIUS server.
Authentication is initiated by one of the following methods:
- The GbESM authenticator sends an EAP-Request/Identity packet to the client.
- The client sends an EAPOL-Start frame to the GbESM authenticator, which responds with an EAP-Request/Identity frame.
The client confirms its identity by sending an EAP-Response/Identity frame to the GbESM
authenticator, which forwards the frame encapsulated in a RADIUS packet to the server.
The RADIUS authentication server chooses an EAP-supported authentication algorithm to
verify the client’s identity, and sends an EAP-Request packet to the client via the GbESM
authenticator. The client then replies to the RADIUS server with an EAP-Response containing
its credentials.
Upon a successful authentication of the client by the server, the 802.1x-controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the controlled port. When the client later sends an EAPOL-Logoff message to the GbESM authenticator, the port transitions from authorized to unauthorized state.
If a client that does not support 802.1x connects to an 802.1x-controlled port, the GbESM
authenticator requests the client's identity when it detects a change in the operational state of
the port. The client does not respond to the request, and the port remains in the unauthorized
state.
NOTE: When an 802.1x-enabled client connects to a port that is not 802.1x-controlled, the client initiates the authentication process by sending an EAPOL-Start frame. When no response is received, the client retransmits the request for a fixed number of times. If no response is received, the client assumes the port is in authorized state, and begins sending frames, even if the port is unauthorized.
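The following is an added example, not part of the Alteon OS guide or Nortel's software: a small Python model of the exchange described in this section and in the note above. It plays the three roles (802.1x client, GbESM authenticator, RADIUS server) and records which message crosses which link, so the port-state transitions for a successful login, a rejected credential, an EAPOL-Logoff, a client without 802.1x support, and an 802.1x client on a port that is not 802.1x-controlled can all be observed. The credential table, the retransmit count of 3, and the plain equality check standing in for a real EAP method are assumptions made for the example; frame encodings are not modelled.

```python
# Added example: constructed model of the EAPoL / RADIUS-EAP exchange.
# Assumptions (not from the manual): a plain credential comparison stands in
# for the EAP method the server chooses, and the supplicant retransmits
# EAPOL-Start 3 times before giving up.
from dataclasses import dataclass, field

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


@dataclass
class RadiusServer:
    """Authentication server: challenges the client, then verifies credentials."""
    users: dict  # constructed identity -> secret table (assumption)

    def handle(self, identity, credential=None):
        # Identity round: reply with an EAP-Request carrying the challenge.
        if credential is None:
            return ("Access-Challenge", "EAP-Request")
        ok = self.users.get(identity) == credential
        return ("Access-Accept", "EAP-Success") if ok else ("Access-Reject", "EAP-Failure")


@dataclass
class Authenticator:
    """GbESM authenticator: relays EAP to RADIUS and owns the controlled port state."""
    server: RadiusServer
    controlled: bool = True  # False models a port that is not 802.1x-controlled
    port_state: str = UNAUTHORIZED
    log: list = field(default_factory=list)  # (link, message) transcript

    def link_up(self):
        # Operational state change on the port: ask whoever connected for an identity.
        self.log.append(("authenticator->client", "EAP-Request/Identity"))
        return "EAP-Request/Identity"

    def receive(self, frame, identity=None, credential=None):
        self.log.append(("client->authenticator", frame))
        if not self.controlled:
            return None  # no 802.1x on this port: EAPOL frames get no answer
        if frame == "EAPOL-Start":
            return self.link_up()
        if frame == "EAPOL-Logoff":
            self.port_state = UNAUTHORIZED
            return None
        # EAP-Response/Identity or EAP-Response: encapsulate in RADIUS and forward.
        self.log.append(("authenticator->radius", f"RADIUS({frame})"))
        radius_code, eap = self.server.handle(identity, credential)
        self.log.append(("radius->authenticator", radius_code))
        if radius_code == "Access-Accept":
            self.port_state = AUTHORIZED
        elif radius_code == "Access-Reject":
            self.port_state = UNAUTHORIZED
        self.log.append(("authenticator->client", eap))
        return eap


@dataclass
class Supplicant:
    """802.1x-enabled client. A client without 802.1x support never sends anything."""
    identity: str
    credential: str
    max_start_retries: int = 3  # fixed retransmit count (assumed value)
    assumes_authorized: bool = False

    def authenticate(self, auth, client_initiated=True):
        request = auth.receive("EAPOL-Start") if client_initiated else auth.link_up()
        if request is None:
            # No answer: retransmit EAPOL-Start a fixed number of times, then assume
            # the port is authorized and start sending frames, as the note describes.
            for _ in range(self.max_start_retries):
                if auth.receive("EAPOL-Start") is not None:
                    break
            else:
                self.assumes_authorized = True
                return None
        challenge = auth.receive("EAP-Response/Identity", self.identity)
        if challenge == "EAP-Request":
            return auth.receive("EAP-Response", self.identity, self.credential)
        return challenge

    def logoff(self, auth):
        auth.receive("EAPOL-Logoff")


def run_scenarios():
    """Walk through the cases in the section and return the observed outcomes."""
    server = RadiusServer(users={"alice": "s3cret"})  # constructed credentials
    results = {}
    # 1. Client-initiated, successful authentication, then EAPOL-Logoff.
    auth, alice = Authenticator(server), Supplicant("alice", "s3cret")
    results["success"] = (alice.authenticate(auth), auth.port_state)
    alice.logoff(auth)
    results["after_logoff"] = auth.port_state
    # 2. Authenticator-initiated, wrong credential: port stays unauthorized.
    auth, bad = Authenticator(server), Supplicant("alice", "wrong")
    results["reject"] = (bad.authenticate(auth, client_initiated=False), auth.port_state)
    # 3. Client without 802.1x support: identity requested on link up, never answered.
    auth = Authenticator(server)
    auth.link_up()
    results["no_supplicant"] = auth.port_state
    # 4. 802.1x client on a port that is not 802.1x-controlled.
    auth, alice = Authenticator(server, controlled=False), Supplicant("alice", "s3cret")
    alice.authenticate(auth)
    results["uncontrolled"] = (alice.assumes_authorized,
                               auth.log.count(("client->authenticator", "EAPOL-Start")))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Inspecting `auth.log` after any scenario shows the two distinct legs of the exchange: EAPOL frames only ever appear on the client-to-authenticator link, while everything the RADIUS server sees arrives wrapped in a RADIUS packet by the authenticator. Scenario 4 is the one worth a second look from a monitoring standpoint: the client ends up believing the port is authorized with no authentication having taken place, which is exactly the situation the note above warns about on ports that are not 802.1x-controlled.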