Authentication - KTI Networks KGS-0841-W User Manual

IP65/67 rated Gigabit Ethernet switches

4.9 802.1X Authentication
For some IEEE 802 LAN environments, it is desirable to restrict access to the services offered by the LAN to those users and devices that are permitted to make use of those services. The IEEE 802.1X port-based network access control function provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in which the authentication and authorization process fails.

The 802.1X standard relies on the client to provide credentials in order to gain access to the network. The credentials are not based on a hardware address. Instead, they can be either a username/password combination or a certificate. The credentials are not verified by the switch but are sent to a Remote Authentication Dial-In User Service (RADIUS) server, which maintains a database of authentication information.

802.1X consists of three components for authentication exchange, which are as follows:

802.1X authenticator: This is the port on the switch that has services to offer to an end device, provided the device supplies the proper credentials.
802.1X supplicant: This is the end device; for example, a PC that connects to a switch and requests to use the services (port) of the device. The 802.1X supplicant must be able to respond in order to communicate.
802.1X authentication server: This is a RADIUS server that examines the credentials provided to the authenticator from the supplicant and provides the authentication service. The authentication server is responsible for letting the authenticator know if services should be granted.

The 802.1X authenticator operates as a go-between with the supplicant and the authentication server to provide services to the network. When a switch is configured as an authenticator, the ports of the switch must then be configured for authorization. In an authenticator-initiated port authorization, a client is powered up or plugs into the port, and the authenticator port sends an Extensible Authentication Protocol (EAP) PDU to the supplicant requesting the identification of the supplicant. At this point in the process, the port on the switch is
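
The identification request and the supplicant's reply described above, as an added example that is not part of the KTI manual: it builds the two EAPOL frames and parses them with strict length checks. The EtherType, group MAC address and EAP codes are taken from IEEE 802.1X and RFC 3748; the function names, MAC addresses and username are constructed for illustration.

```python
import struct

# Constants from IEEE 802.1X / RFC 3748 (assumed here, not stated in the manual).
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # destination for EAPOL frames
EAPOL_EAP_PACKET = 0                           # EAPOL packet type: EAP-Packet
EAP_REQUEST, EAP_RESPONSE = 1, 2               # EAP codes
EAP_TYPE_IDENTITY = 1                          # EAP type: Identity


def build_eapol_identity(src_mac, code, identifier, identity=b""):
    """Ethernet frame carrying an EAP Identity Request or Response."""
    eap = struct.pack("!BBHB", code, identifier, 5 + len(identity),
                      EAP_TYPE_IDENTITY) + identity
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap  # version 2
    return PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol_identity(frame):
    """Return (code, identifier, identity); raise ValueError if malformed."""
    if len(frame) < 14 + 4 + 5:
        raise ValueError("frame too short for EAPOL/EAP Identity")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]  # slicing drops any Ethernet padding
    if pkt_type != EAPOL_EAP_PACKET or body_len < 5 or len(body) != body_len:
        raise ValueError("not an EAP packet, or body truncated")
    code, identifier, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
    if eap_len != body_len or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("length mismatch or not an Identity exchange")
    return code, identifier, body[5:eap_len]


def supplicant_reply(request_frame, my_mac, username):
    """Supplicant side: answer an Identity Request, echoing its identifier."""
    code, identifier, _ = parse_eapol_identity(request_frame)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    return build_eapol_identity(my_mac, EAP_RESPONSE, identifier, username)


# Constructed sample addresses and username (not from the manual).
SWITCH_MAC = bytes.fromhex("020000000001")
PC_MAC = bytes.fromhex("020000000002")
REQUEST = build_eapol_identity(SWITCH_MAC, EAP_REQUEST, 7)
RESPONSE = supplicant_reply(REQUEST, PC_MAC, b"alice")
```

The identity carried in `RESPONSE` is what the authenticator passes on to the RADIUS server; the switch itself does not verify it.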

This manual is also suitable for:

Kgs-0860-wp, Kgs-0861-wp, Kgs-0862-wp, Kgs-0863-wp
