When doing 802.1X port authentication, how does the switch know how reach the authentication server?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?










share|improve this question







New contributor




Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    2
    down vote

    favorite












    So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



    So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?










    share|improve this question







    New contributor




    Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



      So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?










      share|improve this question







      New contributor




      Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



      So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?







      routing switch ieee-802.1x






      share|improve this question







      New contributor




      Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 1 hour ago









      Xovvo

      111




      111




      New contributor




      Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Xovvo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          3
          down vote













          The protocol used between switch and authentication server is called RADIUS.



          • The server address (or server addresses) have to be configured on the switch (manually)

          • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

          All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






          share|improve this answer





























            up vote
            1
            down vote













            The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



            The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).






            share|improve this answer




















              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "496"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );






              Xovvo is a new contributor. Be nice, and check out our Code of Conduct.









               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53233%2fwhen-doing-802-1x-port-authentication-how-does-the-switch-know-how-reach-the-au%23new-answer', 'question_page');

              );

              Post as a guest






























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              3
              down vote













              The protocol used between switch and authentication server is called RADIUS.



              • The server address (or server addresses) have to be configured on the switch (manually)

              • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

              All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






              share|improve this answer


























                up vote
                3
                down vote













                The protocol used between switch and authentication server is called RADIUS.



                • The server address (or server addresses) have to be configured on the switch (manually)

                • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

                All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






                share|improve this answer
























                  up vote
                  3
                  down vote










                  up vote
                  3
                  down vote









                  The protocol used between switch and authentication server is called RADIUS.



                  • The server address (or server addresses) have to be configured on the switch (manually)

                  • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

                  All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.






                  share|improve this answer














                  The protocol used between switch and authentication server is called RADIUS.



                  • The server address (or server addresses) have to be configured on the switch (manually)

                  • The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

                  All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 44 mins ago









                  jonathanjo

                  5,255222




                  5,255222










                  answered 57 mins ago









                  Jens Link

                  3,47411315




                  3,47411315




















                      up vote
                      1
                      down vote













                      The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



                      The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).






                      share|improve this answer
























                        up vote
                        1
                        down vote













                        The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



                        The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).






                        share|improve this answer






















                          up vote
                          1
                          down vote










                          up vote
                          1
                          down vote









                          The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



                          The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).






                          share|improve this answer












                          The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.



                          The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered 56 mins ago









                          Zac67

                          19.2k21047




                          19.2k21047




















                              Xovvo is a new contributor. Be nice, and check out our Code of Conduct.









                               

                              draft saved


                              draft discarded


















                              Xovvo is a new contributor. Be nice, and check out our Code of Conduct.












                              Xovvo is a new contributor. Be nice, and check out our Code of Conduct.











                              Xovvo is a new contributor. Be nice, and check out our Code of Conduct.













                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53233%2fwhen-doing-802-1x-port-authentication-how-does-the-switch-know-how-reach-the-au%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Comments

                              Popular posts from this blog

                              Long meetings (6-7 hours a day): Being “babysat” by supervisor

                              What does second last employer means? [closed]

                              One-line joke