Reference Guide

ManualsBrandsDell ManualsComputer equipmentForce10 Z9000

70 | 802.1X

www.dell.com | support.dell.com

Figure 5-1. EAPOL Frame Format

The authentication process involves three devices:

• The device attempting to access the network is the supplicant. The supplicant is not allowed to

communicate on the network until the port is authorized by the authenticator. It can only communicate

with the authenticator in response to 802.1X requests.

• The device with which the supplicant communicates is the authenticator. The authenicator is the gate

keeper of the network. It translates and forwards requests and responses between the authentication

server and the supplicant. The authenticator also changes the status of the port based on the results of

the authentication process. The Dell Force10switch is the authenticator.

• The authentication-server selects the authentication method, verifies the information provided by the

supplicant, and grants it network access privileges.

Ports can be in one of two states:

• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in

or out of the port.

• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In

this state, network traffic can be forwarded normally.

The Port-authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down

to up:

1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an

EAP Identity Request Frame.

2. The supplicant responds with its identity in an EAP Response Identity frame.

Note: The Dell Force10 switches place 802.1X-enabled ports in the unauthorized state by default.

Preamble

Start Frame

Delimiter

Destination MAC

(1:80:c2:00:00:03)

Source MAC

(Auth Port MAC)

Ethernet Type

(0x888e)

Protocol Version

(1)

Packet Type

EAPOL Frame

Length

Code

(0-4)

(Seq Number)

EAP-Method Frame

Length

EAP-Method

Code

(0-255)

Length

EAP-Method Data

(Supplicant Requested Credentials)

Range: 0-4

Type: 0: EAP Packet

1: EAPOL Start

2: EAPOL Logoff

3: EAPOL Key

4: EAPOL Encapsulated-ASF-Alert

Range: 0-4

Type: 0: EAP Packet

1: EAPOL Start

2: EAPOL Logoff

3: EAPOL Key

4: EAPOL Encapsulated-ASF-Alert

EAP Frame

Padding

FCS

Range: 1-4

Codes: 1: Request

2: Response

3: Success

4: Failure

Range: 1-255

Codes: 1: Identity

2: Notification

3: NAK

4: MD-5 Challenge

5: One-Time Challenge

6: Generic Token Card