Example of the authentication process

Suppose that you have configured a port on the switch for 802.1X authentication operation, which blocks access to the LAN through that port. If you then connect an 802.1X-aware client (supplicant) to the port and attempt to log on:

  1. The switch responds with an identity request.

  2. The client responds with a user name that uniquely defines this request for the client.

  3. The switch responds in one of the following ways:

    • If 802.1X on the switch is configured for RADIUS authentication, the switch then forwards the request to a RADIUS server.

      1. The server responds with an access challenge which the switch forwards to the client.

      2. The client then provides identifying credentials (such as a user certificate), which the switch forwards to the RADIUS server.

      3. The RADIUS server then checks the credentials provided by the client.

      4. If the client is successfully authenticated and authorized to connect to the network, then the switch allows access to the client. Otherwise, access is denied and the port remains blocked for that client.

    • If 802.1X on the switch is configured for local authentication, then:

      1. The switch compares the client credentials to the username and password configured in the switch (operator level).

      2. If the client is successfully authenticated and authorized to connect to the network, then the server notifies the switch to allow access to the client. Otherwise, access is denied and the port remains blocked.

NOTE:

Aruba switches use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, see User authentication methods.