User's guide

AT-S39 User's Guide
Port Access Control Overview
The AT-S39 software's IEEE 802.1X-based Port Access Control feature is a
client-server-based access control and authentication protocol that
restricts unauthorized clients who attempt to connect to a network
through accessible, local ports. When Port Access Control is enabled, the
authentication server authenticates each client connected to a port
before making available the network or any services offered by the
switch.
The following sections describe the device roles in IEEE 802.1X
port-based authentication:
Client
Switch
Authentication Server
Client
The client is the device that requests access to the network and switch
and responds to requests from the switch. In the IEEE 802.1X
specification, the client is referred to as the supplicant.
Switch
When Port Access Control is enabled, the switch controls access to the
network based on the authentication status of the client. The switch acts
as an intermediary between the client and the authentication server:
it requests identity information from the client, verifies that
information with the authentication server, and relays a response to the
client. In the IEEE 802.1X specification, the switch is referred to as the
authenticator.
Authentication Server
The authentication server authenticates the identity of the client. After
the identity of the client has been validated, the authentication server
notifies the switch whether or not the client is authorized to access the
network.
Because the switch is the intermediary, the authentication server is
transparent to the client. Remote Authentication Dial-In User Service
(RADIUS) with Extensible Authentication Protocol (EAP) extensions is the
only supported authentication server. For more information on RADIUS,
refer to TACACS+ and RADIUS Protocols on page 191.
When the switch receives frames from the client and relays them to the
authentication server, the Ethernet header is stripped and the remaining
EAP frame is re-encapsulated in the RADIUS format. When the switch receives frames
from the authentication server, the server's frame header is removed,
leaving the EAP frame, which is then encapsulated for Ethernet and sent
to the client.
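
The relay step described above, as an added Python example; it is not AT-S39 code. The EAPOL header layout, the EAP-Message (79) and Message-Authenticator (80) attributes follow IEEE 802.1X and RFC 3579 rather than this guide, and the MAC addresses, identity and shared secret are constructed sample values.

```python
import hmac, os, struct

EAPOL_ETHERTYPE = 0x888E           # IEEE 802.1X EAP over LAN
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 1, 79, 80

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def eap_from_ethernet(frame):
    """Client -> switch: strip the Ethernet and EAPOL headers, return the EAP packet."""
    ethertype, version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE or ptype != 0:   # 0 = EAP-Packet
        raise ValueError("not an EAPOL EAP-Packet frame")
    eap = frame[18:18 + length]                      # ignores Ethernet padding
    if len(eap) != length or length < 4 or struct.unpack("!H", eap[2:4])[0] != length:
        raise ValueError("truncated or inconsistent EAP length")
    return eap

def radius_from_eap(eap, secret, ident, user=b""):
    """Switch -> server: wrap the EAP packet in a RADIUS Access-Request."""
    attrs = attr(ATTR_USER_NAME, user) if user else b""
    for i in range(0, len(eap), 253):                # max 253 value bytes per attribute
        attrs += attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTH, bytes(16))      # zeroed while the HMAC is computed
    head = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, head + attrs, "md5").digest()
    return head + attrs[:-16] + mac

def eap_from_radius(packet):
    """Server -> switch: drop the RADIUS header, reassemble EAP-Message attributes."""
    length = struct.unpack("!H", packet[2:4])[0]
    eap, pos = b"", 20
    while pos + 2 <= length:
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        if t == ATTR_EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return eap

def ethernet_from_eap(eap, dst, src):
    """Switch -> client: encapsulate the EAP packet for Ethernet (EAPOL)."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 0, len(eap)) + eap

# Constructed sample: EAP-Response/Identity "alice" sent to the PAE group address.
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
SAMPLE_FRAME = ethernet_from_eap(SAMPLE_EAP, bytes.fromhex("0180c2000003"), bytes.fromhex("020000000001"))
```

eap_from_radius only unwraps the packet; an authenticator must also verify the Message-Authenticator on server replies before relaying the EAP frame to the client.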