Fundamentals of 802.1x


The IEEE 802.1x standard is designed to provide port-based user authentication onto a network. Prior to 802.1x, many mechanisms existed to determine whether a user was authorized to join the network, but they were often proprietary and typically independent of the port or entry point into the network. Authenticating at the port or link layer makes it possible to assign a user or group of users network access policy attributes, including virtual LAN (VLAN) membership and access control lists (ACLs), at the moment the user authenticates and logs on to the network. IEEE 802.1x provides a standard mechanism for port- or link-level user authentication and works in concert with traditional port-level security.

An example of traditional port-level security is the ability to specify which MAC (Layer 2) addresses are allowed through a particular Catalyst LAN switch port. In addition to user-based authentication, IEEE 802.1x can also support device-based authentication, in which the device authenticates its own identity, with a certificate issued by a certificate authority or with its Windows Active Directory computer account, before any user authenticates. The IEEE 802.1x standard was designed to provide an open, secure, and scalable mechanism for port-based or link-layer user authentication.

802.1x comprises the following three major components:

  • Authentication server The authentication server validates the supplicant's credentials. In 802.1x deployments it is typically a Remote Authentication Dial-In User Service (RADIUS) server that understands EAP, and it often also provides user authentication for other access methods, such as remote-access IPsec VPNs. Cisco Secure Access Control Server (ACS) is an example of an authentication server.

  • Authenticator The authenticator is the network device that controls the port and receives the supplicant's initial request for port-based authentication. It does not validate credentials itself: it relays EAP messages between the supplicant and the authentication server, acting as a RADIUS client toward the server, and opens the port only when the server returns a successful result. The authenticator is typically a switch or wireless access point.

  • Supplicant The supplicant is the 802.1x client software on the end device, such as a laptop, desktop computer, or PDA. Some end-device platforms, including the pervasive Microsoft Windows XP, contain a native 802.1x supplicant. Full-featured 802.1x supplicants can also be purchased from third parties for Windows and other platforms, including Linux and MacOS.

IEEE 802.1x defines EAP over LAN (EAPOL), an encapsulation that carries EAP frames directly over the link between the end-device supplicant (for example, a PC) and the authenticator (for example, a Catalyst LAN switch). EAP itself originated as a PPP authentication framework, but no PPP session is involved in 802.1x; EAPOL frames are sent to a link-local group address that switches do not forward. In this way 802.1x allows EAP messages to pass end to end between the supplicant and the authentication server, with the authenticator relaying them. Communication between the authenticator and the authentication server (for example, Cisco Access Control Server [ACS]) uses the RADIUS protocol, which carries the EAP messages inside EAP-Message attributes. Figure 5-1 displays an example of the 802.1x components in a network.
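The following is an added example, not code from the book, that shows the two encapsulations at the byte level: the supplicant and authenticator exchange EAP inside EAPOL frames, and the authenticator re-wraps the supplicant's EAP-Response/Identity into a RADIUS Access-Request whose EAP-Message attributes carry the EAP packet and whose Message-Authenticator attribute (an HMAC-MD5 keyed with the RADIUS shared secret, per RFC 3579) lets the server verify that a legitimate RADIUS client sent it. The MAC addresses, identity string and shared secret are constructed values, and the helper names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# Constructed constants and values: MACs, identity and secret are made up for this example.
ETHERTYPE_EAPOL = 0x888E                        # EAPOL rides directly on Ethernet
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # link-local group address, not bridged
EAPOL_VERSION, EAPOL_EAP_PACKET, EAPOL_START = 1, 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1    # RFC 3748
RADIUS_ACCESS_REQUEST, NAS_PORT_TYPE_ETHERNET = 1, 15     # RFC 2865
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 61, 79, 80

def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code | Identifier | Length | [Type | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    body = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE) and not body:
        raise ValueError("EAP Request/Response without a Type field")
    eap_type = body[0] if body else None        # Success/Failure carry no Type
    return {"code": code, "id": identifier, "type": eap_type, "data": body[1:]}

def build_eapol_frame(src_mac, packet_type, body=b""):
    """Ethernet header + EAPOL header (Version | Type | Body Length) + body."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body

def parse_eapol_frame(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:                     # trailing pad is legal, a short body is not
        raise ValueError("truncated EAPOL body")
    return {"src": frame[6:12], "type": packet_type, "body": body}

def radius_attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def parse_radius(pkt):
    """Return (code, id, authenticator, [(type, value, offset), ...])."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        attr_len = pkt[pos + 1] if pos + 1 < length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + attr_len], pos))
        pos += attr_len
    return code, identifier, pkt[4:20], attrs

def build_access_request(secret, identifier, request_authenticator, username, eap_pkt):
    """Authenticator -> server: EAP relayed in EAP-Message attributes; the packet is sealed
    with Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    attrs = radius_attr(ATTR_USER_NAME, username)
    attrs += radius_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for i in range(0, len(eap_pkt), 253):       # long EAP packets span several attributes
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_pkt[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    pkt += request_authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(secret, pkt):
    """Server-side check: only a RADIUS client holding the secret could have sent this."""
    found = [(v, off) for t, v, off in parse_radius(pkt)[3] if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)

def eap_from_radius(pkt):
    """Reassemble the relayed EAP packet from its EAP-Message attributes, in order."""
    return b"".join(v for t, v, _ in parse_radius(pkt)[3] if t == ATTR_EAP_MESSAGE)

def run_identity_exchange(supplicant_mac, identity, secret, eap_id=1, radius_id=42):
    """Messages 1-4 of an 802.1X session, from EAPOL-Start to the first Access-Request."""
    start = build_eapol_frame(supplicant_mac, EAPOL_START)                        # supplicant
    request = build_eapol_frame(bytes.fromhex("001122334455"), EAPOL_EAP_PACKET,  # authenticator
                                build_eap(EAP_REQUEST, eap_id, EAP_TYPE_IDENTITY))
    response = build_eapol_frame(supplicant_mac, EAPOL_EAP_PACKET,                # supplicant
                                 build_eap(EAP_RESPONSE, eap_id, EAP_TYPE_IDENTITY, identity))
    eap_pkt = parse_eapol_frame(response)["body"]   # authenticator strips EAPOL, relays EAP
    radius_req = build_access_request(secret, radius_id, os.urandom(16), identity, eap_pkt)
    return {"start": start, "request": request, "response": response, "radius": radius_req}
```

Two details worth noting from the code: the authenticator never inspects the EAP method, it only strips the EAPOL header and copies the EAP packet into EAP-Message attributes (splitting it at 253 bytes when an EAP-TLS or PEAP payload is larger), and the Message-Authenticator is what binds the request to the RADIUS shared secret, which is why RFC 3579 requires it on every Access-Request that carries EAP; an attacker on the authenticator-to-server path who does not know the secret cannot forge or alter the relayed identity without the check above failing.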

Figure 5-1. 802.1x Network




Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539