Authorization Technologies: IOS Authentication with IEEE 802.1X

IEEE 802.1X is an IEEE standard for port-based network access control on LANs. It defines a client/server access control and authentication framework that prevents unauthorized clients from connecting to a LAN through publicly accessible switch ports until they have been authenticated.

802.1X works by authenticating every client on the network, that is, every device connected to a switch port. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port; after successful authentication, the port is placed in its assigned VLAN and normal traffic can pass. What 802.1X grants is therefore Layer 2 access to the port, and with it Layer 3 (IP) connectivity. 802.1X is initiated when a device is connected to a switch port; it can also be used in a wireless network, where the access point takes the role of the switch.

Figure 6-11 displays a typical scenario whereby a user has connected a device such as a PC to an available switch port.

Figure 6-11 IEEE 802.1X Functions

[Figure not reproduced. Its labels read: "No Access when Initially Connected", "Authentication Required", "Access Granted or Denied", "RADIUS Authentication Server".]

Figure 6-11 displays the various functions carried out by each device. The client workstation, which must have 802.1X enabled, initially requests access to the LAN. Microsoft Windows XP, for example, includes 802.1X support; the network connection is configured for 802.1X by following the operating system's instructions.

The Cisco IOS-based switch is also enabled for 802.1X through IOS software. The switch then responds to the client's request to join the LAN.

The RADIUS authentication server performs the actual authentication of the end workstation or client. It validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. The switch acts as a transparent proxy for the authentication exchange: it relays the client's EAP messages, received in EAPOL frames on the access port, to the RADIUS server inside RADIUS EAP-Message attributes, and relays the server's EAP replies back to the workstation. RADIUS with Extensible Authentication Protocol (EAP) extensions is therefore the protocol used between the switch and the server to authenticate the client. Because the switch proxies the exchange, the authentication service is transparent to the client. (The client is referred to as the supplicant in the 802.1X documentation.)

The Cisco IOS-based switch (called the authenticator in the 802.1X documentation; the RADIUS server is the back-end authentication server) controls physical access to the network based on the authentication status of the client. The switch relays the authentication messages between the workstation and the RADIUS server and enforces the result on the port.

A switch port is in one of two authorization states, and a third situation arises when only one side speaks 802.1X:

■ Authorized—Authentication succeeded and normal packet flow is allowed.

■ Unauthorized—Authentication has not succeeded, so only EAPOL traffic passes. If a client device does not support 802.1X authentication, it never authenticates, and the port is left unauthorized.

■ Client 802.1X-enabled, port not—If the client is enabled for 802.1X but the switch port is not configured for 802.1X support, the client initiates authentication but receives no reply. The client then sends packets as though authorization had been granted, and because no access control is applied on that port, the traffic is forwarded.
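The authenticator's relay role described above and the port-state rules in the list, as an added example. This is not code from the book and not Cisco IOS code: it is a small Python model of what the switch does between the supplicant and the RADIUS server. It unwraps EAP from EAPOL (IEEE 802.1X) on the port side, carries it in RADIUS EAP-Message attributes protected by a Message-Authenticator (RFC 3579) on the server side, verifies the server's reply before authorizing the port, and lets only EAPOL through an unauthorized port. The frames, the identity "alice" and the shared secret are constructed sample data; the function names are the example's own.

```python
import hashlib, hmac, struct

# Constants from IEEE 802.1X, RFC 3748 (EAP), RFC 2865 and RFC 3579 (RADIUS carrying EAP).
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET = 2, 0
EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_CHALLENGE = 1, 2, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def port_passes(frame, authorized):
    """Port access control: an unauthorized port forwards EAPOL frames only."""
    return authorized or struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL

def eapol_encapsulate(eap):
    """EAPOL header (version, packet type, body length) in front of an EAP packet."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap

def eapol_decapsulate(frame):
    """EAP packet out of an Ethernet frame, or None if it is not an EAPOL EAP-Packet."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_EAP_PACKET or len(frame) < 18 + length:
        return None
    return frame[18:18 + length]

def eap_identity(eap):
    """Identity string from an EAP-Response/Identity packet, else None."""
    if len(eap) < 5 or eap[0] != EAP_CODE_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        return None
    return eap[5:struct.unpack("!H", eap[2:4])[0]].decode()

def radius_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_radius(code, ident, req_auth, attrs, secret, reply=False):
    """RADIUS packet with a Message-Authenticator (RFC 3579 3.2): HMAC-MD5 over the packet with
    the Request Authenticator in the header and the attribute zeroed; replies then also get the
    RFC 2865 Response Authenticator in the header."""
    attrs = attrs + radius_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, hdr + req_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    auth = hashlib.md5(hdr + req_auth + attrs + secret).digest() if reply else req_auth
    return hdr + auth + attrs

def parse_radius(pkt):
    """(code, id, authenticator, {attr_type: [values, in order]})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, off = {}, 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        attrs.setdefault(t, []).append(pkt[off + 2:off + l])
        off += l
    return code, ident, pkt[4:20], attrs

def verify_radius(pkt, secret, req_auth, reply):
    """Check the Response Authenticator (replies only) and the Message-Authenticator under the
    shared secret; a packet without a Message-Authenticator is rejected, as RFC 3579 requires."""
    length = struct.unpack("!H", pkt[2:4])[0]
    hdr, auth, attrs = pkt[:4], pkt[4:20], pkt[20:length]
    if reply and not hmac.compare_digest(auth, hashlib.md5(hdr + req_auth + attrs + secret).digest()):
        return False
    zeroed, found, off = b"", None, 0
    while off < len(attrs):
        t, l = attrs[off], attrs[off + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            found = attrs[off + 2:off + l]
            zeroed += attrs[off:off + 2] + b"\x00" * 16
        else:
            zeroed += attrs[off:off + l]
        off += l
    if found is None:
        return False
    return hmac.compare_digest(found, hmac.new(secret, hdr + req_auth + zeroed, hashlib.md5).digest())

def relay_to_server(frame, req_auth, radius_id, secret):
    """Supplicant -> switch -> server: EAPOL frame in, Access-Request carrying EAP-Message out."""
    eap = eapol_decapsulate(frame)
    if eap is None:
        return None
    identity = eap_identity(eap)
    attrs = radius_attr(ATTR_USER_NAME, identity.encode()) if identity else b""
    for i in range(0, len(eap), 253):  # one EAP-Message attribute holds at most 253 bytes
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    return build_radius(RADIUS_ACCESS_REQUEST, radius_id, req_auth, attrs, secret)

def relay_to_supplicant(pkt, req_auth, secret):
    """Server -> switch -> supplicant: verify the reply, unwrap EAP, re-wrap it in EAPOL.
    Returns (eapol_bytes, port_authorized); a reply that fails verification is dropped."""
    if not verify_radius(pkt, secret, req_auth, reply=True):
        return None, False
    code, _, _, attrs = parse_radius(pkt)
    eap = b"".join(attrs.get(ATTR_EAP_MESSAGE, []))
    return eapol_encapsulate(eap), code == RADIUS_ACCESS_ACCEPT

# Constructed sample data (not a capture): EAP-Response/Identity "alice" in EAPOL to the PAE
# group address, an ordinary IPv4 frame for the port filter, and an assumed shared secret.
PAE_GROUP_ADDR, SUPPLICANT_MAC = bytes.fromhex("0180c2000003"), bytes.fromhex("0011223344aa")
SHARED_SECRET = b"example-secret"
EAP_IDENTITY_RESPONSE = struct.pack("!BBHB", EAP_CODE_RESPONSE, 1, 10, EAP_TYPE_IDENTITY) + b"alice"
SAMPLE_EAPOL_FRAME = PAE_GROUP_ADDR + SUPPLICANT_MAC + struct.pack("!H", ETHERTYPE_EAPOL) + eapol_encapsulate(EAP_IDENTITY_RESPONSE)
SAMPLE_IP_FRAME = bytes.fromhex("ffffffffffff") + SUPPLICANT_MAC + struct.pack("!H", 0x0800) + bytes.fromhex("45") + bytes(19)
```

The check in verify_radius is the security-relevant part of the relay: the switch only flips the port to authorized when the Access-Accept verifies under the shared secret, so a spoofed Access-Accept from someone on the path who does not hold that secret is dropped instead of opening the port. The same secret is all that protects the exchange, which is why it must be long and per-switch rather than shared across the estate.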

802.1X is still relatively new to the IP community, and uptake has been rather slow; it is most common in North America, with the rest of the world catching up.
