DES-7200 Configuration Guide Chapter 4 802.1x Configuration
authentication status of that client. Between the client and the server, this device acts as a
mediator: it requests the username from the client, verifies the authentication information from
the server, and forwards it to the client. The switch therefore acts as both the IEEE 802.1x
authenticator and the RADIUS client, so it is referred to as the network access server (NAS). It
encapsulates the acknowledgement received from the client into RADIUS-format packets
and forwards them to the RADIUS server, and it parses the information received from the
RADIUS server and forwards that information to the client.
The device acting as the authenticator has two types of ports: controlled ports and uncontrolled
ports. Users connected to a controlled port can access network resources only after
passing authentication, while those connected to an uncontrolled port can access
network resources directly without authentication. We can control users by simply connecting them to
a controlled port. The uncontrolled port, on the other hand, is used to connect the
authentication server, ensuring normal communication between the server and the switch.
Authentication server:
The authentication server is usually a RADIUS server, which works with the authenticator
to provide users with authentication services. The authentication server stores the user name,
password and related authorization information. One server can provide authentication
services for multiple authenticators, thus allowing centralized management of users. The
authentication server also manages the accounting data from the authenticator. Our 802.1x
device is fully compatible with standard RADIUS servers, for example the RADIUS server
shipped with Microsoft Win2000 Server and the Free Radius Server on Linux.
4.1.2 Authentication Initiation and Packet Interaction During Authentication
The supplicant and the authenticator exchange information using the EAPOL protocol, while the
authenticator and the authentication server exchange information using the RADIUS protocol; the
authentication process is completed through this conversion. EAPOL is encapsulated at
the MAC layer, with the type number 0x888E. In addition, the standard assigns a
MAC address (01-80-C2-00-00-03) to the protocol for packet exchange during the initial
authentication process.
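The conversion described above, as an added example (not taken from this guide or from the device software): the Python code below decodes an EAPOL frame using the type number and MAC address given here, then wraps the carried EAP packet in a RADIUS Access-Request as a NAS would. The function names, the sample MAC, the user "alice" and the shared secret are constructed for illustration; the EAPOL packet types and the RADIUS attribute numbers (User-Name 1, EAP-Message 79, Message-Authenticator 80) come from IEEE 802.1X and RFC 3579, not from this guide.

```python
import hashlib
import hmac
import struct

EAPOL_ETHERTYPE = 0x888E                        # type number given in the guide
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 01-80-C2-00-00-03 from the guide
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_eapol(frame: bytes) -> dict:
    """Decode an untagged Ethernet frame carrying EAPOL; reject anything else."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    dst, src, ethertype, version, ptype, length = struct.unpack("!6s6sHBBH", frame[:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04X}")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    return {"to_pae_group": dst == PAE_GROUP_MAC, "src": src, "version": version,
            "type": EAPOL_TYPES.get(ptype, "unknown"), "body": body}

def attr(code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([code, len(value) + 2]) + value

def to_access_request(eap: bytes, user: bytes, secret: bytes,
                      ident: int, req_auth: bytes) -> bytes:
    """NAS side of the conversion: wrap an EAP packet in a RADIUS Access-Request."""
    attrs = attr(1, user)                                  # User-Name
    for i in range(0, len(eap), 253):                      # EAP-Message (79), <=253 bytes each
        attrs += attr(79, eap[i:i + 253])
    mac_at = 20 + len(attrs) + 2                           # offset of the HMAC value
    attrs += attr(80, bytes(16))                           # Message-Authenticator, zeroed
    pkt = bytearray(struct.pack("!BBH16s", 1, ident, 20 + len(attrs), req_auth) + attrs)
    pkt[mac_at:mac_at + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def sample_frame() -> bytes:
    """Constructed EAP-Response/Identity for user 'alice' from a made-up MAC."""
    eap = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"    # code, id, length, type
    hdr = struct.pack("!6s6sHBBH", PAE_GROUP_MAC, bytes.fromhex("020000000001"),
                      EAPOL_ETHERTYPE, 1, 0, len(eap))
    return hdr + eap

if __name__ == "__main__":
    info = parse_eapol(sample_frame())
    # Request Authenticator fixed here for reproducibility; a NAS uses 16 random bytes.
    req = to_access_request(info["body"], b"alice", b"constructed-secret", 7, bytes(16))
    print(info["type"], info["to_pae_group"], len(req), req.hex())
```

The Message-Authenticator is an HMAC-MD5 over the whole Access-Request keyed with the NAS/server shared secret, so a RADIUS server configured to require it will drop EAP requests that were altered or forged between the switch and the server.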
The following diagram shows a typical authentication process, during which the devices in the
three roles exchange packets with one another.