802.1X Quarantine Method; About 802.1X - Novell ZENWORKS NETWORK ACCESS CONTROL 5.0 - 09-22-2008 User Manual

11 802.1X Quarantine Method

The following sections contain more information:
Section 11.1, "About 802.1X"
Section 11.2, "Novell ZENworks Network Access Control and 802.1X"
Section 11.3, "Setting up the 802.1X Components"

11.1 About 802.1X

802.1X is a port-based authentication protocol that can dynamically vary encryption keys. It has
three components:
Supplicant — The client; the endpoint that wants to access the network.
Authenticator — The access point, such as a switch, that prevents access when authentication
fails. The authenticator can be simple and dumb.
Authentication server — The server that authenticates the user credentials; usually a Remote
Authentication Dial-In User Service (RADIUS) server.
802.1X is an authentication framework that sends Extensible Authentication Protocol (EAP)
messages packaged in Ethernet frames over LANs (EAPOL). This method saves overhead because
it does not use all of the resources that the typical Point-to-Point Protocol requires.
EAP supports multiple authentication methods such as:
Kerberos — An authentication system that uses an encrypted ticket to authenticate users.
One-time passwords — An authentication system that uses a set of rotating passwords, each
of which is used for only one login session.
Certificates — A method for identifying a user that links a public key to the user's or
company's identity, allowing them to send digitally signed electronic messages.
Tokens — A credit-card or key-fob sized authentication endpoint that displays a number that is
synchronized with the authentication server. The number changes over time, and the user is
required to enter the current number as part of the authentication process.
Public key authentication — An asymmetric encryption system requires two keys: a public key
and a private key. Either key can encrypt messages, but the key that encrypts a message cannot
decrypt it; that is, if the public key encrypts a message, the private key must decrypt the
message.
The typical 802.1X connections are shown in Figure 11-1 on page 236. The typical communication
flow is as follows:
1 A Client (supplicant) requests access from the access point (AP) (authenticator).
2 The AP (authenticator) opens a port for EAP messages, and blocks all others.
3 The AP (authenticator) requests the client's (supplicant's) identity.
4 The Client (supplicant) sends its identity.
