Cisco WS-C4003 Software Guide - Page 361
Understanding How 802.1x Authentication Works
Chapter 27 Configuring Switch Access Using AAA
Understanding How Authentication Works

Note: A non-Kerberized login can be performed through a modem or terminal server through the in-band management port. Telnet does not support non-Kerberized login.

If a non-Kerberized login is launched, the following process takes place:

1. The switch prompts you for a username and password.
2. The switch requests a TGT from the KDC so that you can be authenticated to the switch.
3. The KDC sends an encrypted TGT to the switch, which contains your identity, the KDC's identity, and the TGT's expiration time.
4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is successful, you are authenticated to the switch.
5. If you want to access other network services, the KDC must be contacted directly for authentication. To obtain the TGT, you can run the program "kinit," the client software provided with the Kerberos package.

Figure 27-2 illustrates the non-Kerberized login process.

[Figure 27-2 Non-Kerberized Telnet Connection: Host (Telnet client), Catalyst switch, Kerberos server (contains KDC); steps 1 through 3 shown as arrows between them]

Understanding How 802.1x Authentication Works

IEEE 802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a local area network (LAN) through publicly accessible ports. 802.1x authenticates each user device connected to a switch port before making available any services offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port.

802.1x controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is always open. The controlled port is open only when the device connected to the port has been authorized by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.

78-12647-02 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 27-7
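The non-Kerberized login steps above (the switch obtains a TGT from the KDC and then tries to decrypt it with the password you typed) can be replayed in a few dozen lines. The following is an added example written for this page, not Cisco's code and not MIT Kerberos: the KDC, the ticket format, the password-to-key derivation (PBKDF2 salted with the principal name) and the sealing cipher (SHA-256 keystream plus an HMAC tag, used only so the example runs on the standard library) are all stand-ins for the real Kerberos encryption types, which this page does not describe. The point it shows is that the switch never learns the user's key from the KDC; it only learns whether the typed password decrypts the ticket.

```python
"""Toy model of steps 1-4 of the non-Kerberized login (constructed example)."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

REALM = "EXAMPLE.COM"  # constructed realm name, not from the page


def user_key(user: str, password: str) -> bytes:
    """Derive the principal's long-term key from the password.
    Stand-in for Kerberos string-to-key; salted with realm+principal like Kerberos' default."""
    salt = (REALM + user).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a toy cipher, chosen only to avoid third-party packages."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag does not verify)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ToyKDC:
    """Holds each enrolled principal's key (derived once from the enrolled password)."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}

    def enroll(self, user: str, password: str) -> None:
        self.keys[user] = user_key(user, password)

    def issue_tgt(self, user: str, lifetime_s: int = 600) -> Optional[bytes]:
        """Steps 2-3: return a TGT (identity, KDC identity, expiry) sealed under the user's key."""
        key = self.keys.get(user)
        if key is None:
            return None  # unknown principal: nothing to issue
        tgt = {"cname": user,
               "kdc": f"krbtgt/{REALM}@{REALM}",
               "expires": int(time.time()) + lifetime_s}
        return seal(key, json.dumps(tgt).encode())


def switch_login(kdc: ToyKDC, user: str, typed_password: str) -> bool:
    """Steps 1-4 as performed by the switch. True means the user is authenticated."""
    blob = kdc.issue_tgt(user)                       # step 2: ask the KDC for a TGT
    if blob is None:
        return False
    candidate = user_key(user, typed_password)       # key from the password the user typed
    plain = open_sealed(candidate, blob)             # step 4: try to decrypt the TGT
    if plain is None:
        return False                                 # wrong password: ticket will not open
    tgt = json.loads(plain)
    return tgt["cname"] == user and tgt["expires"] > time.time()


if __name__ == "__main__":
    kdc = ToyKDC()
    kdc.enroll("alice", "correct horse")             # constructed credentials
    print("right password:", switch_login(kdc, "alice", "correct horse"))
    print("wrong password:", switch_login(kdc, "alice", "battery staple"))
```

Note that a wrong password is detected only because the ticket carries an integrity tag; with a plain stream cipher the switch would "decrypt" to garbage and have to rely on the ticket's internal structure to notice. That is also why the sealed blob alone is enough for anyone who captures it to attempt an offline password guess, which is the classic argument for strong passwords (or pre-authentication) in Kerberos deployments.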
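The two virtual access points described in the 802.1x section above can be modelled as a small frame filter. This is an added example for this page, not Cisco code (the CatOS data path is not shown in the manual). It assumes frames arrive as raw Ethernet II bytes (destination, source, EtherType, payload) and that EAPOL frames are recognised by the IEEE 802.1X EtherType 0x888E; the MAC addresses and payloads are constructed sample values. Tagged (802.1Q) frames are not special-cased here: they are treated as normal traffic, which is an assumption of this example rather than a statement from the page.

```python
"""Toy model of an 802.1x uncontrolled/controlled port pair (constructed example)."""
import struct
from typing import List

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAPOL
IPV4_ETHERTYPE = 0x0800


def ethertype_of(frame: bytes) -> int:
    """Return the EtherType of a raw Ethernet II frame (14-byte header minimum)."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    return etype


class Dot1xPort:
    """One physical port and its two virtual access points.

    uncontrolled: always open, but passes only EAPOL.
    controlled:   passes everything, but only after 802.1x has authorized
                  the attached device.
    """

    def __init__(self) -> None:
        self.controlled_open = False

    def authorize(self) -> None:
        """Called when the EAP exchange succeeds."""
        self.controlled_open = True

    def deauthorize(self) -> None:
        """Called on link down, logoff or a failed reauthentication."""
        self.controlled_open = False

    def admit(self, frame: bytes) -> str:
        """Decide what happens to a frame arriving on the physical port.

        Returns one of:
          "forward:uncontrolled"  EAPOL, via the always-open uncontrolled port
          "forward:controlled"    normal traffic, controlled port is open
          "drop"                  normal traffic while the device is unauthorized
        """
        if ethertype_of(frame) == EAPOL_ETHERTYPE:
            return "forward:uncontrolled"
        if self.controlled_open:
            return "forward:controlled"
        return "drop"


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", etype) + payload


# Constructed sample frames; the MACs are illustrative, not real devices.
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")    # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("020000000001")   # locally administered, made up
GATEWAY_MAC = bytes.fromhex("020000000002")      # made up

# EAPOL-Start: protocol version 1, packet type 1 (Start), body length 0
EAPOL_START = build_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, EAPOL_ETHERTYPE,
                          bytes([0x01, 0x01, 0x00, 0x00]))
# An IPv4 frame with a dummy payload, standing in for "normal traffic"
IPV4_FRAME = build_frame(GATEWAY_MAC, SUPPLICANT_MAC, IPV4_ETHERTYPE,
                         b"\x45" + b"\x00" * 19)


def walk_through() -> List[str]:
    """Replay the sequence the section describes and return each decision."""
    port = Dot1xPort()
    decisions = []
    decisions.append(port.admit(EAPOL_START))   # before auth: EAPOL passes
    decisions.append(port.admit(IPV4_FRAME))    # before auth: normal traffic dropped
    port.authorize()                            # EAP exchange succeeded
    decisions.append(port.admit(IPV4_FRAME))    # after auth: forwarded
    decisions.append(port.admit(EAPOL_START))   # EAPOL still uses the uncontrolled port
    port.deauthorize()
    decisions.append(port.admit(IPV4_FRAME))    # controlled port closed again
    return decisions


if __name__ == "__main__":
    for decision in walk_through():
        print(decision)
```

The filter keys only on the EtherType, which is exactly the behaviour the section describes: before authorization nothing but EAPOL reaches the LAN, so a device plugged into a public port cannot, for example, obtain a DHCP lease or send any IP traffic until the authenticator has opened the controlled port.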