When doing 802.1X port authentication, how does the switch know how to reach the authentication server?

So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?










Tags: routing, switch, ieee-802.1x






asked Sep 13 at 17:15 by Xovvo




















          2 Answers
                  accepted






The protocol used between switch and authentication server is called RADIUS.

• The server address (or server addresses) have to be configured on the switch (manually)
• The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






edited Sep 13 at 17:59 by jonathanjo

answered Sep 13 at 17:47 by Jens Link
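The shared-secret requirement from the answer above, as an added example that is not part of the original post: Python code showing how the secret configured on both switch and RADIUS server authenticates each packet (RFC 2865 Response Authenticator, RFC 3579 Message-Authenticator). The function names are hypothetical, and the secret, user name and 192.0.2.10 NAS address are constructed sample values; no EAP payload is carried.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80

def attr(type_, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(ident, secret, user, nas_ip):
    """Switch side: Access-Request signed with Message-Authenticator (placed last)."""
    req_auth = os.urandom(16)  # random Request Authenticator
    attrs = attr(USER_NAME, user) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + req_auth
    # HMAC-MD5 over the whole packet with the attribute value zeroed, keyed by the secret
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def server_accepts_request(packet, secret):
    """Server side: recompute the HMAC with the secret stored for this client.
    Assumes Message-Authenticator is the final attribute, as built above."""
    body, mac = packet[:-16], packet[-16:]
    expected = hmac.new(secret, body + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(code+id+len+RequestAuth+attrs+secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs

def switch_accepts_response(response, request, secret):
    """Switch side: trust a reply only if its ID and authenticator match."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    req = build_access_request(7, secret, b"alice", "192.0.2.10")
    ok = server_accepts_request(req, secret)
    good = switch_accepts_response(build_response(ACCESS_ACCEPT, req, secret), req, secret)
    forged = build_response(ACCESS_ACCEPT, req, b"wrong-secret")
    bad = switch_accepts_response(forged, req, secret)
    return ok, good, bad  # (True, True, False)

if __name__ == "__main__":
    print(demo())
```

A reply built with a different secret fails the check, which is why a secret mismatch between switch and server shows up as silently dropped RADIUS packets and timeouts.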




















The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.

The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).







answered Sep 13 at 17:47 by Zac67



























                               
