Manualshelf

Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048-ON
81828384858687888990
The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until
the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It
translates and forwards requests and responses between the authentication server and the supplicant. The authenticator also changes
the status of the port based on the results of the authentication process. The Dell EMC Networking switch is the authenticator.
The authentication-server selects the authentication method, verifies the information the supplicant provides, and grants it network
access privileges.
Ports can be in one of two states:
Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can
be forwarded normally.
NOTE: The Dell EMC Networking switches place 802.1X-enabled ports in the unauthorized state by default.
Topics:
Port-Authentication Process
Configuring 802.1X
Important Points to Remember
Enabling 802.1X
Configuring dot1x Profile
Configuring MAC addresses for a do1x Profile
Configuring the Static MAB and MAB Profile
Configuring Critical VLAN
Configuring Request Identity Re-Transmissions
Forcibly Authorizing or Unauthorizing a Port
Re-Authenticating a Port
Configuring Timeouts
Configuring Dynamic VLAN Assignment with Port Authentication
Guest and Authentication-Fail VLANs
Port-Authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and
forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests the supplicant to prove that
it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by
the authenticator.
5. The supplicant can negotiate the authentication method, but if it is acceptable, the supplicant provides the Requested Challenge
information in an EAP response, which is translated and forwarded to the authentication server as another Access-Request frame.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which
network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the
identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator
forwards an EAP Failure frame.
802.1X
83