Table of Contents
Advertisement
7.3 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control ("port" meaning a
single point of attachment to the LAN infrastructure). It is part of the IEEE 802.1 group of
networking protocols. It provides an authentication mechanism to devices wishing to attach to a
LAN, either establishing a point-to-point connection or preventing it if authentication fails. It is
used for most wireless 802.11 access points and is based on the Extensible Authentication
Protocol (EAP).
802.1X provides port-based authentication, which involves communications between a
supplicant, authenticator, and authentication server. The supplicant is often software on a client
device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and
an authentication server is generally a RADIUS database. The authenticator acts like a security
guard to a protected network. The supplicant (i.e., client device) is not allowed access through
the authenticator to the protected side of the network until the supplicant's identity is authorized.
An analogy to this is providing a valid passport at an airport before being allowed to pass through
security to the terminal. With 802.1X port-based authentication, the supplicant provides
credentials, such as user name/password or digital certificate, to the authenticator, and the
authenticator forwards the credentials to the authentication server for verification. If the
credentials are valid (in the authentication server database), the supplicant (client device) is
allowed to access resources located on the protected side of the network.
Upon detection of the new client (supplicant), the port on the switch (authenticator) is enabled
and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic,
such as DHCP and HTTP, is blocked at the network layer (Layer 3). The authenticator sends out
the EAP-Request identity to the supplicant, the supplicant responds with the EAP-response
packet that the authenticator forwards to the authenticating server. If the authenticating server
accepts the request, the authenticator sets the port to the "authorized" mode and normal traffic is
allowed. When the supplicant logs off, it sends an EAP-logoff message to the authenticator. The
authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP
traffic.
The following figure illustrates how a client connecting to an IEEE 802.1xauthentication enabled
port goes through a validation process. The Switch prompts the client for login information in
the form of a user name and password.
When the client provides the login credentials, the Switch sends an authentication request to a
RADIUS server. The RADIUS server validates whether this client is allowed access to the port.
271
Advertisement
Table of Contents
