User Guide: AMF Security Controller version 2.1.0

AMF Security OpenFlow Authentication Flow

AMF Security performs authentication at the request of the OpenFlow Switches it manages.

OpenFlow Switches ask AMF Security for authentication in the following manner.

  1. An OpenFlow Switch receives a packet from a device.

  2. The OpenFlow Switch looks for a flow entry associated with the packet's source MAC address. When a matching flow entry is found, the OpenFlow Switch transmits the packet according to the flow entry.

  3. When a matching flow entry is not found, the OpenFlow Switch sends a query packet (PACKET_IN) to AMF Security.

AMF Security runs the authentication process on the MAC address in the query packet (PACKET_IN), then installs a new flow entry on the OpenFlow Switch according to its decision: allow the packet onto a particular VLAN, quarantine it to a particular VLAN, or drop it.

AMF Security has three major authentication processes: Device Authentication Data, the UnAuth Group and Action.

AMF Security authenticates each device in the order of Action, Device Authentication Data and the UnAuth Group.

The following diagram shows the authentication flow through Action, Device Authentication Data and the UnAuth Group when Device ID is used to identify each device.
As you can see in the diagram, if a device matches both Action and Authentication Data, Action is used.
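
The lookup order described above can be modelled as follows. This is an added example, not AMF Security code: it keys on the source MAC address rather than Device ID, and the class names, table layouts, VLAN numbers and MAC addresses are constructed for illustration. It assumes the UnAuth Group acts as a catch-all for devices matched by neither of the other two processes, and that a device matching nothing at all is dropped.

```python
# Added illustration; classes, table layouts and sample values are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decision:
    verdict: str            # "allow", "quarantine" or "drop"
    vlan: Optional[int]     # target VLAN, None when dropped
    source: str             # process that produced the decision

class Controller:
    def __init__(self, actions, auth_data, unauth_group=None):
        self.actions = actions            # MAC -> (verdict, vlan)
        self.auth_data = auth_data        # MAC -> VLAN to allow into
        self.unauth_group = unauth_group  # (verdict, vlan), assumed catch-all

    def authenticate(self, mac):
        """Evaluate in the documented order: Action, Authentication Data, UnAuth Group."""
        if mac in self.actions:
            return Decision(*self.actions[mac], "Action")
        if mac in self.auth_data:
            return Decision("allow", self.auth_data[mac], "Device Authentication Data")
        if self.unauth_group is not None:
            return Decision(*self.unauth_group, "UnAuth Group")
        return Decision("drop", None, "no match")  # assumed default

class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.flow_table = {}   # source MAC -> installed Decision
        self.packet_ins = 0    # number of PACKET_IN queries sent

    def receive(self, src_mac):
        mac = src_mac.lower()              # normalise before lookup
        entry = self.flow_table.get(mac)
        if entry is None:                  # step 3: flow miss, ask the controller
            self.packet_ins += 1
            entry = self.controller.authenticate(mac)
            self.flow_table[mac] = entry   # controller installs the new flow entry
        return entry                       # step 2: forward per the flow entry

def demo():
    ctrl = Controller(
        actions={"00:00:5e:00:53:01": ("quarantine", 999)},
        auth_data={"00:00:5e:00:53:01": 10, "00:00:5e:00:53:02": 20},
        unauth_group=("allow", 30),
    )
    sw = Switch(ctrl)
    macs = ["00:00:5E:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03", "00:00:5e:00:53:02"]
    return sw, [sw.receive(m) for m in macs]
```

In this model the first device is quarantined even though it also appears in the authentication data, and the repeat packet from the second device is forwarded from the installed flow entry, so only three PACKET_IN queries reach the controller.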

14 Jun 2021 09:30