Quick Reference Guide

ManualsBrandsDell ManualsComputer equipmentPowerConnect B-TI24x

961

962

963

964

965

966

967

968

969

970

PowerConnect B-Series TI24X Configuration Guide 929

53-1002269-02

How 802.1X port security works

Message exchange during authentication

Figure 120 illustrates a sample exchange of messages between an 802.1X-enabled Client, a

switch acting as Authenticator, and a RADIUS server acting as an Authentication Server.

FIGURE 120 Message exchange between client/supplicant, authenticator, and authentication

server

In this example, the Authenticator initiates communication with an 802.1X-enabled Client. When

the Client responds, it is prompted for a username (48 characters maximum) and password. The

Authenticator passes this information to the Authentication Server, which determines whether the

Client can access services provided by the Authenticator. When the Client is successfully

authenticated by the RADIUS server, the port is authorized. When the Client logs off, the port

becomes unauthorized again.

The Dell 802.1X implementation supports dynamic VLAN assignment. If one of the attributes in the

Access-Accept message sent by the RADIUS server specifies a VLAN identifier, and this VLAN is

available on the device, the client port is moved from its default VLAN to the specified VLAN. When

the client disconnects from the network, the port is placed back in its default VLAN.Refer to

“Configuring dynamic VLAN assignment for 802.1X ports” on page 938 for more information.

If a Client does not support 802.1X, authentication cannot take place. The device sends

EAP-Request/Identity frames to the Client, but the Client does not respond to them.

When a Client that supports 802.1X attempts to gain access through a non-802.1X-enabled port, it

sends an EAP start frame to the device. When the device does not respond, the Client considers

the port to be authorized, and starts sending normal traffic.

Devices support Identity and MD5-challenge requests in EAP Request/Response messages.

NOTE

Refer to also “EAP pass-through support” on page 930.

RADIUS Server

(Authentication Server)

Client/Supplicant

Port Unauthorized

EAP-Response/Identity

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/MD5-Challenge

EAP-Success

EAP-Logoff

Port Authorized

Port Unauthorized

RADIUS Access-Request

RADIUS Access-Challenge

RADIUS Access-Request

RADIUS Access-Accept

Switch

(Authenticator)