When doing 802.1X port authentication, how does the switch know how to reach the authentication server?

So, while I get the supplicant-authenticator-authentication server structure (for the most part), the part that bugs me is the step when the switch starts communicating with the authentication server; the supplicant doesn't know the IP address or the MAC address of the server, and the server is probably on an entirely different network segment so the switch would have to talk to a router and need to know the server's IP---which it doesn't have from the supplicant.



So, how does that work? How does the switch know or discover how to get the authentication traffic to the authentication server?










Tags: routing, switch, ieee-802.1x
asked 1 hour ago by Xovvo
2 Answers
The protocol used between switch and authentication server is called RADIUS.

• The server address (or server addresses) have to be configured on the switch (manually)
• The switch must be configured as a "client" on the RADIUS server and both need the same shared secret in order to communicate with each other

All assuming that basic routing between switch and server is working and there are no firewalls / access lists between switch and server blocking RADIUS traffic.
edited 44 mins ago by jonathanjo
answered 57 mins ago by Jens Link

The switch (authenticator) needs to be configured for 802.1X. One thing that needs to be configured is the address of the authentication server. It's usually an IP address and often it's routed.

The authenticator couldn't use any information from the supplicant because it can't be trusted without being authenticated (or even after).

answered 56 mins ago by Zac67
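
The relay step both answers describe, as an added example that is not part of either answer: the switch wraps the supplicant's EAP packet in a RADIUS Access-Request addressed to its statically configured server, and the server accepts it only from a known client address with a valid Message-Authenticator (HMAC-MD5 keyed with the shared secret). The names SWITCH_CFG and SERVER_CLIENTS, the addresses and the secret are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Static switch configuration (constructed values; RFC 5737 addresses).
SWITCH_CFG = {"server": ("192.0.2.10", 1812), "secret": b"example-secret",
              "nas_ip": "198.51.100.2"}
# The RADIUS server's client table: switch source IP -> shared secret.
SERVER_CLIENTS = {"198.51.100.2": b"example-secret"}


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity, as the supplicant sends it inside EAPOL."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def build_access_request(cfg, radius_id, port, eap):
    """Switch side: wrap the supplicant's EAP packet in an Access-Request."""
    attrs = attr(1, eap[5:])  # User-Name, copied from the EAP identity
    attrs += attr(4, ipaddress.IPv4Address(cfg["nas_ip"]).packed)  # NAS-IP-Address
    attrs += attr(5, struct.pack("!I", port))  # NAS-Port
    attrs += attr(79, eap)  # EAP-Message
    attrs += attr(80, bytes(16))  # Message-Authenticator, zeroed for now
    header = struct.pack("!BBH", 1, radius_id, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs
    mac = hmac.new(cfg["secret"], packet, hashlib.md5).digest()
    # Destination comes from configuration only, never from the supplicant.
    return cfg["server"], packet[:-16] + mac


def server_accepts(clients, src_ip, packet):
    """Server side: known client address and valid Message-Authenticator?"""
    secret = clients.get(src_ip)
    # Simplification: expects Message-Authenticator as the last attribute.
    if secret is None or len(packet) < 38 or packet[-18:-16] != bytes([80, 18]):
        return False
    zeroed = packet[:-16] + bytes(16)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])
```

The returned destination tuple is what the switch hands to its normal IP stack, so reaching a server on another segment is ordinary routing via the switch's management interface and default gateway.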
