Recall from Chapter 9 that IEEE 802.1X is an open standards-based protocol for authenticating network clients (or ports) based on a user ID or on the device. 802.1X runs between end devices or users (called supplicants) trying to connect to ports, and an Ethernet device, such as a Cisco Catalyst switch or Cisco wireless access point (AP) (called the authenticator). Authentication and authorization are achieved with back-end communication to an authentication server such as Cisco Secure Access Control Server (ACS).
The Cisco IBNS solution supports identity authentication and secure network connectivity, dynamic provisioning of VLANs on a per-user basis, guest VLANs, and 802.1X port security. Figure 10-14 illustrates the IBNS solution. When the Cisco Catalyst switch (the authenticator) detects that a user (the supplicant) is attempting to connect to the network, the authenticator initiates an Extensible Authentication Protocol over LAN (EAPoL) session, asking the supplicant to provide credentials. The supplicant sends its credentials to the authenticator. The switch (the authenticator) passes the user ID and password to an authentication server using RADIUS.
Figure 10-14 Cisco IBNS Provides Enhancements and Extensions to 802.1X (figure steps: Host Attempts Access; LAN Connectivity Established; Forward Credentials to ACS Server; Policy Instructions (Dynamic VLAN); RADIUS/ACS Server)
The authentication server determines whether the user ID and password are valid. It also notes the port to which the user is connected, and the MAC address of the user's device. If the user ID and password are valid, the authentication server sends a message to the authenticator to allow the user to connect to the network on a specific VLAN, and the user accesses the physical LAN services. If the user ID and password are not valid, the server sends a message to the switch to block the port to which the user is connected.
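As an added example (not from the book or from Cisco), the following Python models the RADIUS leg of the exchange in Figure 10-14: the authenticator builds the Access-Request carrying the user ID, the hidden password, the port and the device MAC; a constructed server answers with Access-Accept plus the RFC 3580 VLAN attributes or with Access-Reject; and the authenticator verifies the Response Authenticator before opening the port on the assigned VLAN or blocking it. It assumes a constructed shared secret and carries the credential in the RFC 2865 User-Password attribute to match the chapter's description, whereas 802.1X deployments carry it inside EAP-Message attributes.

```python
import hashlib, os, struct
SECRET = b"example-secret"  # constructed shared secret for this example, not a deployment value
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, CALLING_STATION_ID = 1, 2, 5, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def avp(t, value):  # one RADIUS attribute: Type, Length, Value (RFC 2865 section 5)
    return struct.pack("!BB", t, len(value) + 2) + value

def hide_password(password, request_auth, secret=SECRET):
    """RFC 2865 User-Password hiding: zero-pad to 16n bytes, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_access_request(ident, username, password, nas_port, mac):
    """Authenticator -> server: the credentials plus the port and MAC the switch saw the supplicant on."""
    req_auth = os.urandom(16)
    attrs = (avp(USER_NAME, username.encode()) + avp(USER_PASSWORD, hide_password(password.encode(), req_auth))
             + avp(NAS_PORT, struct.pack("!I", nas_port)) + avp(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, request, vlan=None, secret=SECRET):
    """Server side, constructed for the example: Access-Accept with RFC 3580 VLAN attributes, or Access-Reject."""
    attrs = b""
    if code == ACCESS_ACCEPT and vlan is not None:
        attrs = (avp(TUNNEL_TYPE, b"\x00" + struct.pack("!I", 13)[1:])         # tag 0, Tunnel-Type VLAN
                 + avp(TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", 6)[1:])  # tag 0, Medium IEEE-802
                 + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))  # tag 0, VLAN id as text
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))  # Response Authenticator follows:
    # MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), so only the real server can produce it
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def port_decision(reply, request, secret=SECRET):
    """Authenticator side: only a reply proven to come from the server with the shared secret may open the port."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or reply[4:20] != expected:
        return {"state": "blocked", "reason": "reply failed Response Authenticator check"}
    if reply[0] != ACCESS_ACCEPT:
        return {"state": "blocked", "reason": "Access-Reject"}
    attrs, i = {}, 20
    while i < len(reply):                                # walk the Type/Length/Value list
        attrs[reply[i]] = reply[i + 2:i + reply[i + 1]]
        i += reply[i + 1]
    untag = lambda v: v[1:] if v[:1] <= b"\x1f" else v   # drop the RFC 2868 tag octet
    ok = untag(attrs.get(TUNNEL_TYPE, b"")) == b"\x00\x00\x0d" and untag(attrs.get(TUNNEL_MEDIUM_TYPE, b"")) == b"\x00\x00\x06"
    vlan = untag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode() if ok and TUNNEL_PRIVATE_GROUP_ID in attrs else None
    return {"state": "authorized", "vlan": vlan}         # vlan None: accepted, port keeps its static VLAN
```

A reply whose Response Authenticator does not verify, whether from a forged server or a modified VLAN attribute, leaves the port blocked exactly as an Access-Reject does.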