Exploring IEEE 802.1X
The IEEE 802.1 working group developed the 802.1X standard. It is a framework that
addresses and provides port-based access control using authentication. Primarily, 802.1X
is an encapsulation definition for EAP over IEEE 802 media. The Layer 2 protocol
transports EAP authentication messages between a client device and a network device.
802.1X generally assumes a secure, point-to-point connection between those two devices, and
sessions are enforced through MAC-based filtering and port-state monitoring: after a port is
authorized, frames are admitted on the basis of their source MAC address and the port's link
state, so the assurance depends on that link actually being point to point.
To provide more context on 802.1X theory, a few devices and processes must be
explained:
• Supplicant. Device requesting access to the network. A supplicant represents a client,
user, or PC.
• Authenticator. Network access point device. This might be either a switch or wireless
access point (AP). The authenticator enforces the security policy based on the results
from authentication.
• Authentication server. Device that actually performs the supplicant's authentication.
Based on the results of authentication, the authentication server optionally provides the
authenticator with a specific access-control policy to enforce. The simplest policy is
to permit or deny the supplicant network access.
The basic identity concepts previously defined apply to the preceding devices. A supplicant
needs to connect to a network. An authenticator's responsibility is to provide authenticated
access and enforce policies. Then, an authentication server verifies the supplicant's
identified credentials and instructs the authenticator on an initial service to provide.
802.1X specifies a protocol framework for authenticating a device that is connected to a
port. When a host connects to a LAN port on a switch, the host's identity is
determined by the switch port according to the protocol that 802.1X specifies. Assume that
this is done before any other services offered by the switch are made available on that port.
Until the authentication is complete, only EAPOL control frames can be processed on a
port. No data plane traffic is typically allowed until the port is authorized. Figure 17-2
illustrates this model.
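The port gating just described, as an added example that is not code from the chapter or from any switch vendor: a small Python model of an authenticator port. While the port is unauthorized, only EAPOL frames are handed to the port's 802.1X logic (the PAE) and every data frame is dropped; after the authentication server's verdict, data frames are forwarded, but only from the source MAC that authenticated, which is the MAC-based filtering mentioned earlier. Frame layouts follow IEEE 802.1X (EAPOL: version, packet type, body length) and RFC 3748 (EAP: code, identifier, length, type data); the MAC addresses, the identity "alice", the port object and the backend verdict are constructed for the example, and the RADIUS leg to the server is left out.

```python
"""Model of an 802.1X authenticator port: while the port is unauthorized only EAPOL
frames reach the PAE, data frames are dropped, and once authorized only frames from
the authenticated source MAC are forwarded (the MAC-based filtering the text mentions).
Frame layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP); all addresses,
identities and verdicts below are constructed for the example."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")      # EAPOL destination MAC
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def eapol(packet_type, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def eap(code, identifier, type_data=b""):
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def parse_eapol(frame):
    """Return (src_mac, packet_type, body) for a well-formed EAPOL frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    _version, packet_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:              # truncated body: discard, do not guess
        return None
    return frame[6:12], packet_type, body


class AuthenticatorPort:
    def __init__(self, port_mac):
        self.port_mac = port_mac
        self.authorized = False
        self.supplicant_mac = None         # MAC that authenticated on this port
        self.next_id = 0
        self.to_supplicant = []            # EAPOL frames the PAE sends out
        self.to_aaa = []                   # EAP responses relayed to the backend

    def _send_eap(self, dst, eap_packet):
        frame = ethernet(dst, self.port_mac, EAPOL_ETHERTYPE, eapol(EAPOL_EAP_PACKET, eap_packet))
        self.to_supplicant.append(frame)

    def ingress(self, frame):
        """Classify one received frame as 'pae' (handled by 802.1X), 'forward' or 'drop'."""
        parsed = parse_eapol(frame)
        if parsed is None:
            # Data plane: only after authorization, and only from the authenticated MAC.
            if self.authorized and frame[6:12] == self.supplicant_mac:
                return "forward"
            return "drop"
        src, packet_type, body = parsed
        if packet_type == EAPOL_START:
            self.next_id = (self.next_id + 1) % 256
            self._send_eap(src, eap(EAP_REQUEST, self.next_id, bytes([EAP_TYPE_IDENTITY])))
        elif packet_type == EAPOL_LOGOFF:
            if src == self.supplicant_mac:         # a logoff from another MAC is ignored
                self.authorized, self.supplicant_mac = False, None
        elif packet_type == EAPOL_EAP_PACKET and len(body) >= 4 and body[0] == EAP_RESPONSE:
            self.to_aaa.append((src, body))         # in practice carried to the server in RADIUS
        return "pae"

    def aaa_result(self, src, success, final_eap):
        """Apply the authentication server's verdict and relay its EAP-Success/Failure."""
        self._send_eap(src, final_eap)
        self.authorized = success
        self.supplicant_mac = src if success else None


def demo():
    """Walk one port through unauthorized -> authorized -> logoff with constructed frames."""
    port = AuthenticatorPort(bytes.fromhex("000000000001"))
    host, other = bytes.fromhex("00aabbccddee"), bytes.fromhex("00deadbeef00")
    ipv4_from_host = ethernet(bytes(6), host, 0x0800, b"\x45" + bytes(19))
    ipv4_from_other = ethernet(bytes(6), other, 0x0800, b"\x45" + bytes(19))
    results = [port.ingress(ipv4_from_host)]                       # drop: unauthorized
    results.append(port.ingress(ethernet(PAE_GROUP_ADDRESS, host, EAPOL_ETHERTYPE, eapol(EAPOL_START))))
    identity = eap(EAP_RESPONSE, port.next_id, bytes([EAP_TYPE_IDENTITY]) + b"alice")
    results.append(port.ingress(ethernet(PAE_GROUP_ADDRESS, host, EAPOL_ETHERTYPE, eapol(EAPOL_EAP_PACKET, identity))))
    port.aaa_result(host, True, eap(EAP_SUCCESS, port.next_id))    # server returned Access-Accept
    results.append(port.ingress(ipv4_from_host))                   # forward
    results.append(port.ingress(ipv4_from_other))                  # drop: not the authenticated MAC
    results.append(port.ingress(ethernet(PAE_GROUP_ADDRESS, host, EAPOL_ETHERTYPE, eapol(EAPOL_LOGOFF))))
    results.append(port.ingress(ipv4_from_host))                   # drop: unauthorized again
    return results


if __name__ == "__main__":
    print(demo())   # ['drop', 'pae', 'pae', 'forward', 'drop', 'pae', 'drop']
```

Two details are worth noticing. A truncated EAPOL body is discarded rather than parsed as far as it goes, and an EAPOL-Logoff is honoured only from the MAC that authenticated; a real switch also has to decide what a second MAC on the port means (single-host versus multi-host mode), which this model resolves by dropping it.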
278 Chapter 17: Identity-Based Networking Services with 802.1X
Figure 17-2 Port-Based Access Control with 802.1X
Figure 17-2 shows the operation of port-based access control and the effect of creating two
distinct points of access at an authenticator's point of attachment to the LAN.
802.1X begins with a port of an authenticator denying network access at the port level.
An initial EAP exchange (defined by RFC 3748) is then executed between the supplicant
and authenticator. The EAP method is then negotiated or directly used between the
supplicant and authentication server for the actual authentication. The EAP message is
transported through 802.1X at the link layer to allow the supplicant and authenticator to
converse.
Typically, RADIUS is used at the application layer to allow the authenticator to
communicate with the authentication server. The actual authentication conversation is
between the supplicant and authentication server via EAP, however. The authenticator is
typically an EAP conduit and, ultimately, it enforces network policy, as Figure 17-3 shows.
As Figure 17-3 illustrates, RADIUS acts as the transport for EAP from the authenticator to
the authentication server. (RFC 3579 provides a usage guideline for how RADIUS must
support EAP between these devices.) RADIUS also carries back any policy instructions to
an authenticator in the form of attribute-value pairs. (RFC 3580 provides usage guidelines
for how 802.1X authenticators must use RADIUS.)
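The RADIUS leg described in the last two paragraphs, as an added example that is neither the chapter's code nor any RADIUS implementation: the authenticator wraps the supplicant's EAP packet in EAP-Message attributes and adds the Message-Authenticator that RFC 3579 requires on every Access-Request carrying EAP; the server verifies it, reassembles the EAP packet, and answers with an Access-Accept whose attribute-value pairs instruct the authenticator which VLAN to enforce (the RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID triple); the authenticator checks the Response Authenticator before acting on them. Attribute numbers and the two MD5-based checks are those of RFC 2865, RFC 3579 and RFC 3580; the shared secret, the identity "alice", the RADIUS identifier and VLAN 100 are constructed. To keep it short, the Access-Accept omits the EAP-Message (EAP-Success) and Message-Authenticator a real server would also return.

```python
"""EAP carried inside RADIUS between authenticator and authentication server: the
EAP packet goes in EAP-Message attributes, the Access-Request carries the
Message-Authenticator that RFC 3579 requires, and the Access-Accept carries the
VLAN policy attributes of RFC 3580 for the authenticator to enforce.
Shared secret, identity, identifier and VLAN below are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
NAS_PORT_TYPE_ETHERNET, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 15, 13, 6
RADIUS_HEADER = 20                      # code, identifier, length, 16-byte authenticator


def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_avps(packet):
    """Yield (type, value) pairs; refuse a length that would run past the packet."""
    pos = RADIUS_HEADER
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, packet[pos + 2:pos + length]
        pos += length


def access_request_with_eap(eap_packet, user_name, secret, identifier, request_authenticator=None):
    """Authenticator side: wrap one EAP packet, fragmented into <=253-byte EAP-Message AVPs."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = avp(USER_NAME, user_name.encode())
    attrs += avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for off in range(0, len(eap_packet), 253):
        attrs += avp(EAP_MESSAGE, eap_packet[off:off + 253])
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))       # zero while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, RADIUS_HEADER + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # HMAC-MD5 over the whole packet
    return packet[:-16] + mac                             # Message-Authenticator is the last AVP


def verify_and_extract_eap(packet, secret):
    """Server side: check Message-Authenticator, then reassemble the EAP-Message fragments."""
    pos, ma_offset, eap_packet = RADIUS_HEADER, None, b""
    for attr_type, value in parse_avps(packet):
        if attr_type == MESSAGE_AUTHENTICATOR:
            ma_offset = pos + 2
        elif attr_type == EAP_MESSAGE:
            eap_packet += value
        pos += 2 + len(value)
    if ma_offset is None:
        raise ValueError("EAP-Message without Message-Authenticator is not allowed (RFC 3579)")
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[ma_offset:ma_offset + 16]):
        raise ValueError("bad Message-Authenticator: tampered or wrong shared secret")
    return eap_packet


def access_accept_with_vlan(request_authenticator, identifier, secret, vlan, tag=1):
    """Server side: Access-Accept with the RFC 3580 VLAN assignment (tagged Tunnel-* AVPs)."""
    attrs = avp(TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
    attrs += avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
    attrs += avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, RADIUS_HEADER + len(attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def policy_from_accept(packet, request_authenticator, secret):
    """Authenticator side: verify the Response Authenticator, then read the policy to enforce."""
    header, response_authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_authenticator):
        raise ValueError("bad Response Authenticator: reply did not come from our server")
    tunnel = {}
    for attr_type, value in parse_avps(packet):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[attr_type] = int.from_bytes(value[1:], "big")   # skip the tag octet
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tunnel[attr_type] = (value[1:] if value and value[0] <= 0x1F else value).decode()
    if tunnel.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and tunnel.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802:
        return {"vlan": tunnel.get(TUNNEL_PRIVATE_GROUP_ID)}
    return {}                                  # no VLAN instruction: plain permit


def demo(secret=b"constructed-shared-secret"):
    """Round trip on constructed data: EAP-Response/Identity 'alice' in, VLAN 100 policy back."""
    eap_identity = struct.pack("!BBH", 2, 1, 10) + b"\x01alice"
    request_authenticator = bytes(range(16))
    request = access_request_with_eap(eap_identity, "alice", secret, 7, request_authenticator)
    if verify_and_extract_eap(request, secret) != eap_identity:
        raise RuntimeError("EAP did not survive the RADIUS round trip")
    accept = access_accept_with_vlan(request_authenticator, 7, secret, 100)
    return policy_from_accept(accept, request_authenticator, secret)


if __name__ == "__main__":
    print(demo())   # {'vlan': '100'}
```

The Message-Authenticator is what stops an on-path party from editing the EAP payload or the User-Name on the way to the server (the Request Authenticator alone does not cover the attributes), and the Response Authenticator is what stops a spoofed Access-Accept from authorizing the port; both comparisons use hmac.compare_digest so timing does not leak which byte failed.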
[Figure contents: the supplicant (desktop/laptop, IP phone, WLAN AP, switch) sends a request for service (connectivity) to the authenticator (switch, router, WLAN AP); the authenticator obtains backend authentication support from the authentication server (IAS, ACS, any IETF RADIUS server), which relies on identity store integration with the identity store/management system (MS AD, LDAP, NDS, ODBC).]
Figure 17-3 EAP with 802.1X and RADIUS
[Figure 17-3 contents: between supplicant and authenticator over 802.1X (EAPOL): EAPOL-Start; EAP-Identity-Request; EAP-Identity-Response; EAP authentication exchange (method dependent); EAP-Success or EAP-Failure; the port moves from unauthorized to authorized on success, and EAPOL-Logoff returns it to unauthorized. Between authenticator and AAA server over RADIUS: the authentication exchange with the AAA server; authentication successful or rejected; policy instructions returned to the authenticator.]