Configuration Guide User guide
FastIron Configuration Guide 1793
53-1002494-02
How 802.1X port security works
Message exchange during authentication
Figure 191 illustrates a sample exchange of messages between an 802.1X-enabled Client, a
FastIron switch acting as Authenticator, and a RADIUS server acting as an Authentication Server.
FIGURE 191 Message exchange between client/supplicant, authenticator, and authentication server
In this example, the Authenticator (the FastIron switch) initiates communication with an
802.1X-enabled Client. When the Client responds, it is prompted for a username (255 characters
maximum) and password. The Authenticator passes this information to the Authentication Server,
which determines whether the Client can access services provided by the Authenticator. When the
Client is successfully authenticated by the RADIUS server, the port is authorized. When the Client
logs off, the port becomes unauthorized again.
The Brocade 802.1X implementation supports dynamic VLAN assignment. If one of the attributes
in the Access-Accept message sent by the RADIUS server specifies a VLAN identifier, and this VLAN
is available on the Brocade device, the client port is moved from its default VLAN to the specified
VLAN. When the client disconnects from the network, the port is placed back in its default
VLAN.Refer to “Dynamic VLAN assignment for 802.1X port configuration” on page 1802 for more
information.
If a Client does not support 802.1X, authentication cannot take place. The Brocade device sends
EAP-Request/Identity frames to the Client, but the Client does not respond to them.
When a Client that supports 802.1X attempts to gain access through a non-802.1X-enabled port, it
sends an EAP start frame to the Brocade device. When the device does not respond, the Client
considers the port to be authorized, and starts sending normal traffic.
Brocade devices support Identity and MD5-challenge requests in EAP Request/Response
messages as well as the following 802.1X authentication challenge types:
NOTE
Refer to also “EAP pass-through support” on page 1795.
RADIUS Server
(Authentication Server)
Client/Supplicant
Port Unauthorized
EAP-Response/Identity
EAP-Request/Identity
EAP-Response/Identity
EAP-Request/MD5-Challenge
EAP-Success
EAP-Logoff
Port Authorized
Port Unauthorized
RADIUS Access-Request
RADIUS Access-Challenge
RADIUS Access-Request
RADIUS Access-Accept
FastIron Switch
(Authenticator)