IEEE 802.1X and IBNS

Recall from Chapter 9 that IEEE 802.1X is an open, standards-based protocol for authenticating network clients (or ports) based on a user ID or on the device. 802.1X runs between the end device or user trying to connect to a port (called the supplicant) and the Ethernet device that owns the port, such as a Cisco Catalyst switch or Cisco wireless access point (AP) (called the authenticator). Authentication and authorization are achieved through back-end communication with an authentication server such as Cisco Secure Access Control Server (ACS).

The Cisco IBNS solution supports identity authentication and secure network connectivity, dynamic provisioning of VLANs on a per-user basis, guest VLANs, and 802.1X port security. Figure 10-14 illustrates the IBNS solution. When the Cisco Catalyst switch (the authenticator) detects that a user (the supplicant) is attempting to connect to the network, the authenticator initiates an Extensible Authentication Protocol over LAN (EAPoL) session, asking the supplicant to provide credentials. The supplicant sends its credentials to the authenticator. The switch (the authenticator) passes the user ID and password to an authentication server using RADIUS.

Figure 10-14 Cisco IBNS Provides Enhancements and Extensions to 802.1X

[Figure: Supplicant <-- EAPoL --> Authenticator (Catalyst switch) <-- RADIUS --> Authentication Server (RADIUS/ACS server). Sequence shown: Host Attempts Access; Request Credentials; Forward Credentials to ACS Server; Credential Assessment Performed; Authentication Result; Accept/Reject; Policy Instructions (Dynamic VLAN); LAN Connectivity Established.]

The authentication server determines whether the user ID and password are valid. It also notes the port to which the user is connected, and the MAC address of the user's device. If the user ID and password are valid, the authentication server sends a message to the authenticator to allow the user to connect to the network on a specific VLAN, and the user accesses the physical LAN services. If the user ID and password are not valid, the server sends a message to the switch to block the port to which the user is connected.
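The exchange in Figure 10-14, modelled as an added example (not code from the book or from Cisco): a mock RADIUS/ACS server assesses constructed credentials and answers with Access-Accept carrying the RFC 3580 tunnel attributes for a dynamic VLAN, or with Access-Reject, and a model of the switch port applies the result. The user names, passwords and VLAN numbers are constructed; the server also records the Calling-Station-Id (the supplicant's MAC address), as the text describes.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# RFC 3580 / RFC 2868 values a RADIUS server sends to assign a VLAN.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type (65) = IEEE-802

# Constructed stand-in for the ACS user database: name -> (password, VLAN or None).
USER_DB = {"alice": ("alice-pw", 20), "bob": ("bob-pw", None)}

def radius_server(access_request: dict) -> dict:
    """Authentication server: credential assessment, then Access-Accept/Reject.
    Real RADIUS hides User-Password with the shared secret; plaintext here."""
    record = USER_DB.get(access_request["User-Name"])
    if record is None or record[0] != access_request["User-Password"]:
        return {"Code": "Access-Reject"}
    reply = {"Code": "Access-Accept"}
    if record[1] is not None:  # policy instruction: dynamic VLAN
        reply.update({"Tunnel-Type": TUNNEL_TYPE_VLAN,
                      "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                      "Tunnel-Private-Group-ID": str(record[1])})
    return reply

@dataclass
class AuthenticatorPort:
    """One switch port acting as the 802.1X authenticator."""
    access_vlan: int                 # VLAN configured on the port
    state: str = "unauthorized"      # only EAPoL passes until authorized
    vlan: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def connect(self, user: str, password: str, mac: str) -> str:
        self.log.append("EAPoL: Request Credentials")       # EAP-Request/Identity
        self.log.append(f"EAPoL: Credentials from {mac}")   # EAP-Response
        req = {"User-Name": user, "User-Password": password,
               "Calling-Station-Id": mac}                    # server notes the MAC
        self.log.append("RADIUS: Forward Credentials to ACS Server")
        reply = radius_server(req)
        self.log.append(f"RADIUS: {reply['Code']}")
        if reply["Code"] != "Access-Accept":
            self.state, self.vlan = "unauthorized", None    # port stays blocked
            return self.state
        # Honor the dynamic VLAN only when all three tunnel attributes are consistent.
        if (reply.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
                and reply.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_802
                and str(reply.get("Tunnel-Private-Group-ID", "")).isdigit()):
            self.vlan = int(reply["Tunnel-Private-Group-ID"])
        else:
            self.vlan = self.access_vlan                     # no policy: port's own VLAN
        self.state = "authorized"
        return self.state
```

A rejected or incomplete Access-Accept never moves the port out of `unauthorized`, and an Accept without a usable VLAN policy falls back to the port's configured access VLAN rather than leaving the port in an undefined state.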
