Local authentication – Intel BLADE SERVER IXM5414E User Manual


Intel® Blade Server Ethernet Switch Module IXM5414E: Installation and User’s Guide:A Guide for Technically

In User Service (RADIUS). These mechanisms are used to authenticate user access to the switch
module and conform to the specifications in IEEE 802.1X.

Port-based network access control makes use of the physical characteristics of LAN infrastructures
to provide a means of authenticating and authorizing devices attached to a LAN port. Port-based
network access control prevents access to the port in cases in which the authentication and
authorization process fails.

Access control is achieved by enforcing authentication of entities seeking access to a port on the
switch module. These entities are referred to as supplicants. The result of the authentication process
determines whether the supplicant is authorized to access services on that controlled port.

A Port Access Entity (PAE) can adopt two different roles in an access control interaction:

Authenticator: A port that enforces authentication before allowing access.

Supplicant: A port that attempts to access services offered by an authenticator.

Additionally, there is a third role:

Authentication server: Performs the authentication function necessary to check the credentials of the
Supplicant on behalf of the Authenticator.

All three roles are required to complete the authentication process.

The IXM5414E switch module operates in the authenticator role only. The authenticator PAE is
responsible for submitting information received from the supplicant to the authentication server in
order for the credentials to be checked, which will determine the authorization state of the port. The
authenticator PAE controls the authorized/unauthorized state of the controlled port depending on the
outcome of the authentication process. Authentication messages use the Extensible Authentication
Protocol (EAP).

A port may take one of two states:

Controlled: Traffic will only be exchanged if the port is in the Authorized state.

Uncontrolled: Allows the uncontrolled exchange of EAP over IEEE 802 LANs (EAPoL) PDUs
between the Authenticator and Supplicant.

A controlled port is configured by management to be in one of three states:

ForceUnauthorized: The port is set to the unauthorized state.

ForceAuthorized: The port is set to the authorized state.

Auto: The port’s state will be set based on the outcome of authentication exchanges
between the Supplicant, Authenticator and the Authentication server. This is the
default port state when port-based access control is enabled.

Local authentication

Local authentication matches a user ID/password combination received from the supplicant against the
switch module’s local database. The switch module transmits an EAP-Request/Identity packet to
the supplicant to obtain the combination and, if a match is found, then sends an
EAP-Request/MD5 packet to the supplicant. The supplicant’s MD5 response is sent to the authenticator
for validation. A match results in a successful authentication of the port.
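The exchange described above, modelled as an added example that is not taken from the Intel manual or the switch firmware. The class, function and database names are assumptions, the user entry is constructed, and the response value follows the EAP MD5-Challenge definition in RFC 3748 (the CHAP computation of RFC 1994).

```python
import hashlib
import hmac
import os

# Constructed local user database (hypothetical entry, not from the manual).
LOCAL_DB = {"operator": b"constructed-password"}


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP MD5-Challenge value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class AuthenticatorPort:
    """Controlled port of an authenticator PAE that uses the local database."""

    def __init__(self, control="Auto"):
        self.control = control  # ForceUnauthorized, ForceAuthorized or Auto
        self.authorized = control == "ForceAuthorized"
        self.pending = None     # (user, identifier, challenge) awaiting a response

    def on_identity(self, user):
        """Handle EAP-Response/Identity; issue an MD5 request only for known users."""
        if self.control != "Auto" or user not in LOCAL_DB:
            return None
        # Fresh random challenge per attempt so a captured response cannot be replayed.
        self.pending = (user, os.urandom(1)[0], os.urandom(16))
        return self.pending[1:]

    def on_md5_response(self, identifier, value):
        """Validate EAP-Response/MD5; only Auto mode lets the result move the port."""
        if self.control != "Auto" or self.pending is None:
            return self.authorized
        user, expected_id, challenge = self.pending
        self.pending = None     # a challenge is single use
        expected = md5_response(expected_id, LOCAL_DB[user], challenge)
        # Constant-time comparison of the 16-byte digests.
        self.authorized = identifier == expected_id and hmac.compare_digest(value, expected)
        return self.authorized


def supplicant_login(port, user, password):
    """Supplicant side of the exchange (constructed for this example)."""
    request = port.on_identity(user)
    if request is None:
        return port.authorized
    identifier, challenge = request
    return port.on_md5_response(identifier, md5_response(identifier, password, challenge))
```

Validating the response requires the password itself on the authenticator, so a local database used this way holds password-equivalent secrets and needs to be protected accordingly.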
