When doing 802.1X port authentication, how does the switch know how reach the authentication server?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite












So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?










share|improve this question

























    up vote
    3
    down vote

    favorite












    So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



    So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?










    share|improve this question























      up vote
      3
      down vote

      favorite









      up vote
      3
      down vote

      favorite











      So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



      So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?










      share|improve this question













      So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



      So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?







      routing switch ieee-802.1x






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Sep 13 at 17:15









      Xovvo

      184




      184




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          8
          down vote



          accepted










          The protocol used between switch and authentication server is called RADIUS.



          • The server address (or server addresses) have to be configured on the switch (manually)

          • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

          All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






          share|improve this answer





























            up vote
            5
            down vote













            The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



            The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).






            share|improve this answer




















              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "496"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53233%2fwhen-doing-802-1x-port-authentication-how-does-the-switch-know-how-reach-the-au%23new-answer', 'question_page');

              );

              Post as a guest






























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              8
              down vote



              accepted










              The protocol used between switch and authentication server is called RADIUS.



              • The server address (or server addresses) have to be configured on the switch (manually)

              • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

              All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






              share|improve this answer


























                up vote
                8
                down vote



                accepted










                The protocol used between switch and authentication server is called RADIUS.



                • The server address (or server addresses) have to be configured on the switch (manually)

                • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

                All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






                share|improve this answer
























                  up vote
                  8
                  down vote



                  accepted







                  up vote
                  8
                  down vote



                  accepted






                  The protocol used between switch and authentication server is called RADIUS.



                  • The server address (or server addresses) have to be configured on the switch (manually)

                  • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

                  All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






                  share|improve this answer














                  The protocol used between switch and authentication server is called RADIUS.



                  • The server address (or server addresses) have to be configured on the switch (manually)

                  • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

                  All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Sep 13 at 17:59









                  jonathanjo

                  6,095323




                  6,095323










                  answered Sep 13 at 17:47









                  Jens Link

                  3,54911315




                  3,54911315




















                      up vote
                      5
                      down vote













                      The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



                      The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).






                      share|improve this answer
























                        up vote
                        5
                        down vote













                        The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



                        The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).






                        share|improve this answer






















                          up vote
                          5
                          down vote










                          up vote
                          5
                          down vote









                          The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



                          The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).






                          share|improve this answer












                          The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



                          The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Sep 13 at 17:47









                          Zac67

                          20.4k21047




                          20.4k21047



























                               

                              draft saved


                              draft discarded















































                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53233%2fwhen-doing-802-1x-port-authentication-how-does-the-switch-know-how-reach-the-au%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Popular posts from this blog

                              How to check contact read email or not when send email to Individual?

                              Displaying single band from multi-band raster using QGIS

                              How many registers does an x86_64 CPU actually have?