Ethernet Security


The IEEE 802.1X-2001 specification provides a port-based architecture and protocol for the authentication and authorization of Ethernet devices. The authorization function is not granular and merely determines whether access to the LAN is authorized following successful authentication. A device to be authenticated (such as a host) is called a supplicant. A device that enforces authentication (such as an Ethernet switch) is called an authenticator. The authenticator relays supplicant credentials to an authentication server, which permits or denies access to the LAN. The authentication server function may be implemented within the authenticator device. Alternatively, the authentication server may be centralized and accessed by the authenticator via RADIUS, TACACS+, or another such protocol. A port in an Ethernet switch may act as authenticator or supplicant. For example, when a new Ethernet switch is attached to a LAN, the port in the existing Ethernet switch acts as authenticator, and the port in the new Ethernet switch acts as supplicant.
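The all-or-nothing port behavior described above can be modeled in a few lines of Python. This is an added example, not code from the book: it parses the EAPOL (EAP over LAN, EtherType 0x888E) header that 802.1X uses on the wire and gates all other traffic on the port's authorization state. The class and function names, the sample frames, and the single-step relay of an opaque credential to a callable standing in for the authentication server are assumptions made for illustration; a real EAP exchange takes several round trips.

```python
import struct

ETH_P_PAE = 0x888E  # EtherType of EAPOL (EAP over LAN), the 802.1X encapsulation
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_eapol(frame: bytes):
    """Return (version, type_name, body) for an EAPOL frame, None for anything else."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_PAE:
        return None
    version, ptype, length = struct.unpack_from("!BBH", frame, 14)
    body = frame[18:18 + length]
    if len(body) != length:  # declared length exceeds what was received
        return None
    return version, EAPOL_TYPES.get(ptype, "unknown"), body

class AuthenticatorPort:
    """Hypothetical model of a switch port acting as authenticator."""
    def __init__(self, auth_server):
        self.auth_server = auth_server  # callable(bytes) -> bool; local or remote
        self.authorized = False

    def receive(self, frame: bytes) -> str:
        eapol = parse_eapol(frame)
        if eapol is None:  # ordinary traffic: passes only on an authorized port
            return "forward" if self.authorized else "drop"
        _, ptype, body = eapol
        if ptype == "EAPOL-Logoff":
            self.authorized = False
            return "deauthorized"
        if ptype == "EAP-Packet":  # simplification: body relayed as opaque credentials
            self.authorized = bool(self.auth_server(body))
            return "authorized" if self.authorized else "denied"
        return "ignored"

def eth_frame(ethertype: int, payload: bytes) -> bytes:
    # Constructed sample frame: PAE group destination, locally administered source
    return (b"\x01\x80\xc2\x00\x00\x03" + b"\x02\x00\x00\x00\x00\x01"
            + struct.pack("!H", ethertype) + payload)

def eapol_frame(ptype: int, body: bytes = b"") -> bytes:
    return eth_frame(ETH_P_PAE, struct.pack("!BBH", 1, ptype, len(body)) + body)

def demo():
    port = AuthenticatorPort(lambda cred: cred == b"constructed-credential")
    data = eth_frame(0x0800, b"\x00" * 46)  # constructed non-EAPOL (IPv4) frame
    steps = [data, eapol_frame(0, b"wrong"), data,
             eapol_frame(0, b"constructed-credential"), data, eapol_frame(2), data]
    return [port.receive(f) for f in steps]
```

Calling `demo()` returns the port's decision for each frame in order, showing that data frames are dropped until authentication succeeds and again after logoff.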

VLANs can be used as security mechanisms. By enforcing traffic isolation policies along VLAN boundaries, Ethernet switches protect the devices in each VLAN from the devices in other VLANs. VLAN boundaries can also isolate management access in Ethernet switches that support VLAN-aware RBAC.




Storage Networking Protocol Fundamentals
Storage Networking Protocol Fundamentals (Vol 2)
ISBN: 1587051605
EAN: 2147483647
Year: 2007
Pages: 196
Authors: James Long
