802.1X Security
802.1X provides security by creating two virtual access points at each port of attachment to a network
LAN, the controlled port and the uncontrolled port:
• The controlled port provides a path for data-plane traffic, and grants access only after a device authenticates.
The data plane represents typical network traffic.
• The uncontrolled port provides a path for the actual authentication traffic.
Ultimately, if a supplicant is properly authenticated, the authenticator sets
access to its controlled port to a state of authorized. The converse of this action is also
true. Figure 17-4 illustrates the controlled/uncontrolled ports of 802.1X.
[Figure 17-4 Controlled/Uncontrolled Ports of 802.1X. Labels from the figure: EAPOL-Logoff, EAPOL-Start, EAP-Identity-Request, EAP-Identity-Response, EAP-Auth-Exchange (Auth Exchange with AAA Server), EAP-Success/Failure (Authentication Successful/Rejected), Port Authorized, Port Unauthorized, Policy Instructions, RADIUS, EAP – Method Dependent]
280 Chapter 17: Identity-Based Networking Services with 802.1X
Figure 17-4 Controlled/Uncontrolled Ports of 802.1X
One point of access allows for the uncontrolled exchange of Protocol Data Units (PDUs)
between the system and other systems on the LAN, regardless of the authorization state.
This is the uncontrolled port.
The other point of access allows the exchange of PDUs only if the current state of the port
is authorized. This is the controlled port. The uncontrolled and controlled ports are
considered to be part of the same physical point (or port) of attachment to the LAN.
Any frame received on the physical port is made available at both the controlled and
uncontrolled ports. However, access to the controlled port is subject to the
authorization state associated with it. In Figure 17-4, the notion of access control is
achieved by enforcing the authentication of supplicants that attach to the system’s
controlled ports, based on the outcome of the authentication process. This allows the system
to determine whether the supplicant is authorized to access any services on a controlled
port.
If a supplicant is not authorized for access, the authenticator sets the controlled
port state to unauthorized. In the unauthorized state, use of the controlled port is typically
restricted, which prevents unauthorized data transfers between a network-attached LAN
device and the services offered by the authenticator system.
Data planes are responsible for data transmission. 802.1X’s control plane can establish the
data-plane “segment” for a network-attached device. 802.1X is itself a control-plane
protocol. However, other security features can be enabled to modify default network access or
configured rules on the data plane. Integration mechanisms of such data-plane components
(as discussed in other chapters of this book) are relevant to this discussion. (For example,
see Chapter 2, “Defeating a Learning Bridge’s Forwarding Process,” to review MAC-based
attacks.) 802.1X provides an additional way to prevent these attacks.
[Figure: For Each 802.1X Switch Port, the Switch Creates Two Virtual Access Points at Each Port. The Controlled Port Is Open Only when the Device Connected to the Port Has Been Authorized by 802.1X. The Uncontrolled Port Provides a Path for EAPOL Traffic Only. Labels: Controlled, Uncontrolled, EAPOL]
An authenticator exerts control over a virtual port in both directions, which is known as a
bidirectional controlled port. A bidirectional controlled port essentially means that only
EAPOL should come in to or go out of a port until the device is authenticated. This is an immediate
infrastructure-protection mechanism for any network environment.
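The following model, added here as an illustration and not code from the book, walks a single switch port through the exchange of Figure 17-4 and applies the two rules stated in this section: frames carrying the EAPOL EtherType (0x888E) cross the uncontrolled port regardless of state, while every other frame crosses the controlled port only while the port is authorized, in both the ingress and egress directions. It also shows the port returning to unauthorized on EAPOL-Logoff and dropping a malformed frame that merely claims the EAPOL EtherType. The MAC addresses, frames and the `Dot1xPort`/`run_scenario` names are constructed for this example; the EtherType, EAPOL packet types, EAP codes and the PAE group address are the standard values.

```python
"""
Model of an 802.1X controlled/uncontrolled port decision.

Added illustration, not code from the book: it mirrors the text's rules
(EAPOL crosses the uncontrolled port regardless of state; everything else
crosses the controlled port only while the port is authorized, in both
directions). All frames below are constructed sample data.
"""
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E                                 # IEEE 802.1X EtherType
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2    # EAPOL packet types
EAP_SUCCESS, EAP_FAILURE = 3, 4                          # EAP codes inside EAPOL-EAP
IPV4_ETHERTYPE = 0x0800
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")            # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("020000000001")           # constructed
SWITCH_MAC = bytes.fromhex("020000000002")               # constructed


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + etype.to_bytes(2, "big") + payload


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """EAPOL header: version(1) type(1) length(2), followed by the body."""
    return bytes([1, ptype]) + len(body).to_bytes(2, "big") + body


def eap(code: int, ident: int = 1) -> bytes:
    """EAP header only: code(1) id(1) length(2); enough for Success/Failure."""
    return bytes([code, ident, 0, 4])


def parse_eapol(frame: bytes):
    """Return (eapol_type, eap_code or None) for a well-formed EAPOL frame, else None."""
    if len(frame) < 18 or int.from_bytes(frame[12:14], "big") != EAPOL_ETHERTYPE:
        return None
    ptype = frame[15]
    body_len = int.from_bytes(frame[16:18], "big")
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        return None                      # truncated body: treat as malformed
    if ptype == EAPOL_EAP_PACKET:
        if len(body) < 4:
            return None
        return ptype, body[0]            # body[0] is the EAP code
    return ptype, None


@dataclass
class Dot1xPort:
    """One physical port with its virtual controlled and uncontrolled ports."""
    authorized: bool = False

    def forward(self, frame: bytes, direction: str) -> bool:
        """True if the frame may cross the port.

        direction: 'ingress' = from the attached device, 'egress' = toward it.
        """
        parsed = parse_eapol(frame)
        if parsed is not None:
            self._apply_eapol(parsed, direction)
            return True                  # uncontrolled port: EAPOL always passes
        if int.from_bytes(frame[12:14], "big") == EAPOL_ETHERTYPE:
            return False                 # claims EAPOL but is malformed: drop
        return self.authorized           # controlled port: bidirectional gate

    def _apply_eapol(self, parsed, direction: str) -> None:
        ptype, eap_code = parsed
        if direction == "ingress" and ptype == EAPOL_LOGOFF:
            self.authorized = False      # supplicant left: back to unauthorized
        elif direction == "egress" and ptype == EAPOL_EAP_PACKET:
            # the authenticator relays the AAA verdict as EAP-Success/Failure
            if eap_code == EAP_SUCCESS:
                self.authorized = True
            elif eap_code == EAP_FAILURE:
                self.authorized = False


def run_scenario() -> dict:
    """Walk one port through the Figure 17-4 exchange and record each decision."""
    port = Dot1xPort()
    ip_payload = b"\x45" + b"\x00" * 19  # constructed IPv4 header stub
    data_in = build_frame(SWITCH_MAC, SUPPLICANT_MAC, IPV4_ETHERTYPE, ip_payload)
    data_out = build_frame(SUPPLICANT_MAC, SWITCH_MAC, IPV4_ETHERTYPE, ip_payload)
    start = build_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, EAPOL_ETHERTYPE, eapol(EAPOL_START))
    success = build_frame(SUPPLICANT_MAC, SWITCH_MAC, EAPOL_ETHERTYPE,
                          eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS)))
    logoff = build_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, EAPOL_ETHERTYPE, eapol(EAPOL_LOGOFF))
    bogus = build_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, EAPOL_ETHERTYPE, b"\x01")  # truncated
    return {
        "data_in_before_auth": port.forward(data_in, "ingress"),    # False
        "data_out_before_auth": port.forward(data_out, "egress"),   # False
        "eapol_start": port.forward(start, "ingress"),              # True
        "eap_success": port.forward(success, "egress"),             # True
        "data_in_after_auth": port.forward(data_in, "ingress"),     # True
        "data_out_after_auth": port.forward(data_out, "egress"),    # True
        "truncated_eapol": port.forward(bogus, "ingress"),          # False
        "eapol_logoff": port.forward(logoff, "ingress"),            # True
        "data_in_after_logoff": port.forward(data_in, "ingress"),   # False
    }


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step:22s} {'forward' if allowed else 'drop'}")
```

Running the block prints one decision per step. The two points worth noticing are that the egress data frame is dropped before authentication just as the ingress one is (the bidirectional controlled port of the last paragraph), and that the port's authorization is tied to the EAP-Success relayed by the authenticator, not to the supplicant's EAPOL-Start, so a device cannot open the controlled port simply by starting the exchange.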