Link authentication protocols are used to provide network devices with authenticated access to a network. In particular, link authentication protocols are used to authenticate each port coupled to a particular link. If a link authentication protocol exchange fails, a port connected to the link that was being authenticated by the exchange can be disabled from communicating via the link.
IEEE 802.1X defines a protocol for authenticating an Ethernet link. In the IEEE 802.1X model, two network devices communicate via the link being authenticated. When the link is brought up, one of the two network devices acts as an authenticator device while the other one of the two network devices acts as a supplicant device. The behavior of the authenticator device and the supplicant device is defined by IEEE 802.1X. In particular, the authenticator device communicates with an authentication server in order to authenticate the link to the supplicant device. In situations in which the authenticator device and the authentication server are not co-located, the authenticator device needs to have layer 3 connectivity with the authentication server in order to be able to complete the IEEE 802.1X protocol exchange.
When a host device (e.g., a personal computer) connects to a network, the host device will act as a supplicant device. The nature of the host device's role is clear (i.e., the host device cannot act as an authenticator, since the host device is seeking admission into a network and does not have layer 3 connectivity with the authentication server until after the host device has been authenticated and authorized). Likewise, the network device at the edge of the network to which the host device is being connected will necessarily act as the authenticator device (since the network device at the edge of the network is providing the admission control and already has layer 3 connectivity to the authentication server). Thus, in many situations, the role (authenticator or supplicant) of a network device in an 802.1X exchange is unambiguous.
In certain situations, however, the role of each device is not immediately apparent. For example, IEEE 802.1X protocol exchanges can be used among the network nodes that make up the network. In such a situation, either or both of the devices involved in a given protocol exchange may potentially have layer 3 connectivity with the authentication server and may provide admission control to the other device; however, the device that has connectivity with the server may not necessarily be the device that is designated as the authenticator in the protocol exchange. Thus, in some circumstances, the ability of a given network device to gain connectivity with an authentication server may depend on that network device successfully completing an 802.1X protocol exchange with another network device. At the same time, if the network device has been designated as the authenticator for the 802.1X protocol exchange, the ability of the network device to complete the 802.1X protocol exchange with another device will depend upon the network device having connectivity with the authentication server. If a network device is designated as the authenticator for a protocol exchange, but that network device does not actually have connectivity with the authentication server, deadlock situations may arise.
A network can be designed to enforce authenticated access pervasively, for all network devices on all links. Ideally, when such a network is brought up, successful authentication (and as a result, connectivity with an authentication server) will start from the devices closest (i.e., separated by the fewest number of links) to an authentication server and propagate outwards. Links to supplicant devices closest to the authentication server will be authenticated, allowing the supplicant devices to subsequently act as authenticator devices. The new authenticator devices are then able to authenticate other devices that are further (in links) from the authentication server.
The role (authenticator or supplicant) of each device can be manually configured for each of the links in the network. However, manual configuration of the role is difficult to manage. Additionally, conditions such as link flaps and network partitioning can easily change the relative ‘distance’ (in links) of a device from a server, potentially causing a device that has been manually designated as an authenticator to lose connectivity to the authentication server, even if one or more links coupled to the device have previously been authenticated. Deadlock situations may arise if a device that has not yet been admitted into the network (e.g., because the device has not yet completed a successful link authentication protocol exchange) tries to be an authenticator device while the device that already has connectivity with the authentication server is forced to be a supplicant. Therefore, a dynamic role determination mechanism for use with link authentication protocol exchanges is needed.
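The following simulation is an added illustration, not part of the original text: it models the outward propagation of authentication described above and the deadlock that a static role assignment can produce. The topology, device names, and the simple dynamic rule (the link end that currently has server connectivity acts as authenticator) are assumptions made for the illustration.

```python
# Simulation of 802.1X role assignment on a small multi-hop network.
# Assumed rule for the dynamic case: whichever end of a link already has
# layer 3 connectivity to the authentication server is the authenticator.

# Constructed topology: S1 is adjacent to the authentication server,
# S2 and S3 are switches further out, H is a host hanging off S3.
CHAIN = [("S1", "S2"), ("S2", "S3"), ("S3", "H")]

# Constructed static configuration that wrongly makes S3 the authenticator
# for the S2-S3 link, even though S3 is further from the server than S2.
STATIC_ROLES = {("S1", "S2"): "S1", ("S2", "S3"): "S3", ("S3", "H"): "S3"}


def authenticate(links, server_node, roles=None):
    """Authenticate links hop by hop, starting from the device that has
    server connectivity at bring-up.

    links: list of (a, b) pairs; a link completes only if its authenticator
           end currently has connectivity to the authentication server.
    roles: optional static map {(a, b): authenticator}. When None, the
           authenticator is chosen dynamically (the connected end).
    Returns (completed, deadlocked): completed is a list of
    (a, b, authenticator) in the order links were authenticated,
    deadlocked is the sorted list of links that could never complete.
    """
    connected = {server_node}   # devices able to reach the server
    pending = set(links)
    completed = []
    progress = True
    while pending and progress:
        progress = False
        for a, b in sorted(pending):
            if roles is None:
                auth = a if a in connected else b if b in connected else None
            else:
                auth = roles[(a, b)]
                if auth not in connected:
                    auth = None   # static authenticator lacks server reach
            if auth is None:
                continue          # neither side can run the exchange yet
            supplicant = b if auth == a else a
            connected.add(supplicant)   # admitted, so it can now authenticate others
            pending.discard((a, b))
            completed.append((a, b, auth))
            progress = True
    return completed, sorted(pending)


if __name__ == "__main__":
    print("dynamic:", authenticate(CHAIN, "S1"))
    print("static: ", authenticate(CHAIN, "S1", STATIC_ROLES))
```

With dynamic roles every link completes in order of distance from the server; with the static map, S3 is designated authenticator before it has been admitted, so the S2-S3 link and everything beyond it never authenticates.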