IEEE 802.1x

■ Standard set by the IEEE 802.1 working group

■ A framework that provides port-based access control by means of authentication

■ Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol)

■ Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)

■ Assumes a secure connection

■ Actual enforcement is via MAC-based filtering and port-state monitoring

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—2-5

802.1x is a protocol standard defined by the IEEE, designed to provide port-based network access control. IEEE 802.1x authenticates network clients using information unique to the client and credentials known only to the client. This service is called port-level authentication because, for security reasons, it is offered to a single endpoint for a given physical port.

The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

IEEE 802.1x provides an encapsulation definition for the transport of EAP at the MAC layer over any PPP or IEEE 802 media. IEEE 802.1x enables the implementation of port-based NAC on a network device. IEEE 802.1x transports EAP messages between a supplicant and an authenticator. The authenticator then typically relays the EAP information to an authentication server via the RADIUS protocol. IEEE 802.1x not only provides the capability to permit or deny network connectivity based on user or machine identity, but also works in conjunction with higher-layer protocols to enforce network policy.
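The following Python model ties the slide bullets and the paragraphs above together: an EAPOL/EAP parser for the Layer 2 encapsulation, and an authenticator port that admits only EAPOL, CDP and STP until the authentication server's verdict arrives, then enforces the result by MAC address for the single endpoint on the port. It is an added example, not Cisco's or the IEEE's code. The EAPOL Ethertype and the EAPOL, STP and CDP group MAC addresses are the real well-known values; the supplicant MACs, the frames and the `AuthenticatorPort` class are constructed for illustration, and the RADIUS exchange with the server is abstracted into a single `on_server_result()` call.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

ETHERTYPE_EAPOL = 0x888E                         # EAPOL Ethertype (IEEE 802.1X)
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")    # EAPOL destination (PAE group address)
STP_GROUP_MAC = bytes.fromhex("0180c2000000")    # bridge group address used by BPDUs
CDP_GROUP_MAC = bytes.fromhex("01000ccccccc")    # Cisco Discovery Protocol multicast

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Split an untagged Ethernet frame into its header fields."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    return Frame(raw[0:6], raw[6:12], ethertype, raw[14:])


def parse_eapol(payload: bytes) -> tuple[int, bytes]:
    """EAPOL PDU: version(1) type(1) body-length(2) body; returns (type, body)."""
    _version, ptype, length = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    return ptype, body


def parse_eap(body: bytes) -> tuple[int, int, bytes]:
    """EAP packet carried in EAPOL: code(1) identifier(1) length(2) data."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    return code, ident, body[4:length]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def build_eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, ptype, len(body)) + body      # protocol version 1


def build_eap(code: int, ident: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


class AuthenticatorPort:
    """Constructed model of one switch port acting as 802.1x authenticator."""

    def __init__(self) -> None:
        self.authorized = False
        self.bound_mac: bytes | None = None   # the single endpoint admitted on this port
        self.last_eap: tuple[int, int, bytes] | None = None  # what would be relayed to RADIUS

    def on_server_result(self, eap_code: int, supplicant_mac: bytes) -> None:
        """Apply the authentication server's verdict (EAP Success or Failure)."""
        if eap_code == EAP_SUCCESS:
            self.authorized, self.bound_mac = True, supplicant_mac
        else:
            self.authorized, self.bound_mac = False, None

    def handle(self, raw: bytes) -> str:
        """Verdict for an ingress frame: 'pae' (consumed by the port), 'forward' or 'drop'."""
        f = parse_frame(raw)
        if f.ethertype == ETHERTYPE_EAPOL:
            ptype, body = parse_eapol(f.payload)
            if ptype == EAPOL_EAP_PACKET:
                self.last_eap = parse_eap(body)          # EAP is relayed, never bridged
            elif ptype == EAPOL_LOGOFF and f.src == self.bound_mac:
                self.authorized, self.bound_mac = False, None   # back to unauthorized
            return "pae"
        if f.dst in (STP_GROUP_MAC, CDP_GROUP_MAC):
            return "forward"                   # STP and CDP pass in either state
        if self.authorized and f.src == self.bound_mac:
            return "forward"                   # MAC-based enforcement after success
        return "drop"                          # everything else until authenticated


def demo() -> list[str]:
    """Walk a constructed supplicant through the port states; returns the verdicts."""
    supplicant, intruder, gateway = (bytes.fromhex(h) for h in
                                     ("020000000001", "020000000002", "020000000099"))
    port = AuthenticatorPort()
    data = build_frame(gateway, supplicant, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    start = build_frame(PAE_GROUP_MAC, supplicant, ETHERTYPE_EAPOL, build_eapol(EAPOL_START))
    bpdu = build_frame(STP_GROUP_MAC, supplicant, 0x0026, b"\x42\x42\x03" + b"\x00" * 35)
    verdicts = [port.handle(data), port.handle(start), port.handle(bpdu)]
    port.on_server_result(EAP_SUCCESS, supplicant)     # RADIUS Access-Accept relayed
    verdicts += [port.handle(data),
                 port.handle(build_frame(gateway, intruder, ETHERTYPE_IPV4, b"\x45"))]
    logoff = build_frame(PAE_GROUP_MAC, supplicant, ETHERTYPE_EAPOL, build_eapol(EAPOL_LOGOFF))
    verdicts += [port.handle(logoff), port.handle(data)]
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['drop', 'pae', 'forward', 'forward', 'drop', 'pae', 'drop']
```

The verdict sequence shows the port behaviour the text describes: the supplicant's IP frame is dropped before authentication while its EAPOL-Start and a BPDU (an 802.3 frame with length 0x26, so the "Ethertype" field is a length) are accepted; after the server's success the same frame is forwarded but a second MAC on the port is still dropped; EAPOL-Logoff returns the port to the unauthorized state.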

© 2007 Cisco Systems, Inc. Trust and Identity 2-75
