Security - Tripp Lite NGI-S04C2 Owner's Manual

4 10/100/1000Base-T Ports + 2 100FX/Gigabit SFP Slots Lite Managed Industrial Ethernet Switch
6. Security

6.1. 802.1x
IEEE 802.1X is an IEEE Standard for port-based Network Access Control ("port"
meaning a single point of attachment to the LAN infrastructure). It is part of the IEEE
802.1 group of networking protocols. It provides an authentication mechanism to devices
wishing to attach to a LAN, either establishing a point-to-point connection or preventing
it if authentication fails. It is used for most wireless 802.11 access points and is based on
the Extensible Authentication Protocol (EAP).
802.1X provides port-based authentication, which involves communications between a
supplicant, authenticator, and authentication server. The supplicant is often software on a
client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless
access point, and an authentication server is generally a RADIUS database. The
authenticator acts like a security guard to a protected network. The supplicant (i.e., client
device) is not allowed access through the authenticator to the protected side of the
network until the supplicant's identity is authorized. An analogy to this is providing a
valid passport at an airport before being allowed to pass through security to the terminal.
With 802.1X port-based authentication, the supplicant provides credentials, such as user
name/password or digital certificate, to the authenticator, and the authenticator forwards
the credentials to the authentication server for verification. If the credentials are valid (in
the authentication server database), the supplicant (client device) is allowed to access
resources located on the protected side of the network.
Upon detection of a new client (supplicant), the port on the switch (authenticator) is
enabled and set to the "unauthorized" state. In this state, only 802.1X (EAPOL) traffic is
allowed; all other traffic, such as DHCP and HTTP, is dropped at the data link layer (Layer 2),
so the client cannot even obtain an IP address before it authenticates. The authenticator
sends an EAP-Request/Identity to the supplicant; the supplicant replies with an
EAP-Response/Identity, which the authenticator forwards to the authentication server. If
the authentication server accepts the request, the authenticator sets the port to the
"authorized" state and normal traffic is allowed. When the supplicant logs off, it sends an
EAPOL-Logoff message to the authenticator, which then sets the port back to the
"unauthorized" state, once again blocking all non-EAPOL traffic.
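The exchange above, modeled as an added example (this is not code from the Tripp Lite manual or from the switch firmware): a Python model of one authenticator port that parses constructed EAPOL/EAP frames, forwards non-EAPOL frames only while the port is authorized, and walks a supplicant through EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Success or EAP-Failure, and EAPOL-Logoff. The RADIUS server is replaced by a stub allow-list (an assumption so the example runs offline); the frame bytes, the names `Authenticator`, `StubAuthServer` and `simulate`, and the identities "alice" and "mallory" are all constructed for the example.

```python
import struct
from enum import Enum

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


def eapol(pkt_type, body=b""):
    """EAPOL header: protocol version (1), packet type (1), body length (2), body."""
    return struct.pack("!BBH", 1, pkt_type, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, then type + data (Success/Failure carry no type)."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(buf):
    if len(buf) < 4:
        raise ValueError("EAP packet truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP length field inconsistent with frame")
    eap_type = buf[4] if length > 4 else None
    return code, ident, eap_type, buf[5:length]


class StubAuthServer:
    """Stand-in for the RADIUS server (assumption for this example): accepts on identity
    alone. A real server runs an EAP method (EAP-TLS, PEAP, ...) before answering."""
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def verify(self, identity):
        return identity in self.allowed


class Authenticator:
    """One switch port acting as the 802.1X authenticator."""
    def __init__(self, server):
        self.server = server
        self.state = PortState.UNAUTHORIZED
        self.sent = []          # frames the switch sent back to the supplicant
        self.pending_id = None  # identifier of the outstanding EAP-Request

    def _send_eap(self, code, ident, eap_type=None, data=b""):
        self.sent.append(eapol(EAPOL_EAP_PACKET, eap(code, ident, eap_type, data)))

    def receive(self, ethertype, payload):
        """Return True if the frame is forwarded to the protected network."""
        if ethertype != ETHERTYPE_EAPOL:
            # Layer-2 filtering: DHCP, HTTP, anything else passes only once authorized
            return self.state is PortState.AUTHORIZED
        self._handle_eapol(payload)
        return False            # EAPOL is consumed by the authenticator, never forwarded

    def _handle_eapol(self, payload):
        if len(payload) < 4:
            return
        _, pkt_type, length = struct.unpack("!BBH", payload[:4])
        body = payload[4:4 + length]
        if pkt_type == EAPOL_START:
            self.pending_id = 1 if self.pending_id is None else (self.pending_id + 1) % 256
            self._send_eap(EAP_REQUEST, self.pending_id, EAP_TYPE_IDENTITY)
        elif pkt_type == EAPOL_LOGOFF:
            self.state = PortState.UNAUTHORIZED
        elif pkt_type == EAPOL_EAP_PACKET:
            code, ident, eap_type, data = parse_eap(body)
            if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or ident != self.pending_id:
                return          # unsolicited or mismatched response: ignore it
            self.pending_id = None
            if self.server.verify(data.decode("utf-8", "replace")):
                self.state = PortState.AUTHORIZED
                self._send_eap(EAP_SUCCESS, ident)
            else:
                self.state = PortState.UNAUTHORIZED
                self._send_eap(EAP_FAILURE, ident)


def simulate(identity, allowed=("alice",)):
    """Walk one supplicant through the exchange; returns what the port did at each step."""
    port = Authenticator(StubAuthServer(allowed))
    dhcp = b"\x45\x00" + b"\x00" * 18   # constructed stand-in for an IPv4 DHCP Discover
    out = {"dhcp_before_auth": port.receive(ETHERTYPE_IPV4, dhcp)}
    port.receive(ETHERTYPE_EAPOL, eapol(EAPOL_START))           # supplicant: EAPOL-Start
    code, ident, eap_type, _ = parse_eap(port.sent[-1][4:])      # switch: EAP-Request/Identity
    out["request_identity"] = code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY
    port.receive(ETHERTYPE_EAPOL, eapol(EAPOL_EAP_PACKET,         # supplicant: EAP-Response/Identity
                 eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())))
    out["result"] = parse_eap(port.sent[-1][4:])[0]               # EAP_SUCCESS or EAP_FAILURE
    out["state"] = port.state.value
    out["dhcp_after_auth"] = port.receive(ETHERTYPE_IPV4, dhcp)
    port.receive(ETHERTYPE_EAPOL, eapol(EAPOL_LOGOFF))          # supplicant: EAPOL-Logoff
    out["state_after_logoff"] = port.state.value
    return out


if __name__ == "__main__":
    for who in ("alice", "mallory"):
        print(who, simulate(who))
```

Two things the model makes visible that matter in deployment: EAPOL-Logoff carries no authentication, so any station that can inject frames on the segment can send one and drop the port back to "unauthorized" (a denial of service against the legitimate client); and the authorization is per port, not per device, so a hub or unmanaged switch inserted between the supplicant and this port lets any device behind it share the authorized state once one client has passed.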
The following figure illustrates how a client connecting to an IEEE 802.1X
authentication-enabled port goes through the validation process. The switch prompts the
client for login information in the form of a user name and password.