IEEE 802.1X Overview

Port Based Network Access Control

Paul Congdon

IEEE Plenary, Albuquerque, NM, March 2000

Hewlett Packard

802.1X Motivation and History

• Increased use of 802 LANs in public and semi-public places
• Desire to provide a mechanism to associate end-user identity with the port of access to the LAN
  – establish authorized access
  – enable billing and accounting mechanisms
  – personalize network access environment
• Leverage existing AAA infrastructure currently used by other forms of network access (e.g. dial-up).
• Initially intended for 802.1D, but since expanded to include other access devices (e.g. 802.11, smart repeater).


802.1X Overview

• A method for performing authentication to obtain access to IEEE 802 LANs. Ideally occurs at the first point of attachment (i.e. the edge).
• Specifies a protocol between devices desiring access to the bridged LAN and devices providing access to the bridged LAN.
• Specifies the requirements for a protocol between the Authenticator and an Authentication Server (e.g. RADIUS).
• Specifies different levels of access control and the behavior of the port providing access to the bridged LAN.
• Specifies management operations via SNMP.


Definitions

Authenticator: The entity that requires the entity on the other end of the link to be authenticated.

Supplicant: The entity being authenticated by the Authenticator and desiring access to the services of the Authenticator.

Port Access Entity (PAE): The protocol entity associated with a port. May support the functionality of Authenticator, Supplicant or both.

Authentication Server: An entity providing authentication service to the Authenticator. May be co-located with the Authenticator, but most likely an external server.


General Topology (figure)

Semi-public network / enterprise edge, with the enterprise network behind it. The Supplicant PAE talks EAP over LANs (EAPOL) to the Authenticator PAE (e.g. an edge switch); the Authenticator talks EAP over RADIUS to the Authentication Server.


Principle of Operation (figure)

Supplicant's system: Supplicant PAE. Authenticator's system: Authenticator PAE, an uncontrolled port, and a controlled port in front of the services offered by the Authenticator (e.g. bridge relay); the Authenticator PAE drives "Port Authorize" and "MAC Enable" for the controlled port. Authentication Server's system: Authentication Server. All three systems attach to the LAN.


Full Control and Partial Control

• Full Control prohibits transmission and reception through the controlled port unless authorized.
• Partial Control allows transmission through the controlled port to support Wake-on-LAN.
• Partial Control may be changed to Full Control by higher layers (e.g. Bridge Detection software to avoid Spanning Tree loops).


Protocol Overview

• Encapsulate the Extensible Authentication Protocol (RFC 2284) in 802 frames (EAPOL), with a few extensions to handle unique characteristics of 802 LANs.
• EAP is a general protocol supporting multiple authentication methods (smart cards, Kerberos, public key, one-time password, etc.).
• The Authenticator passes authentication exchanges between the Supplicant and the Authentication Server.
• The Authenticator PAE enables the controlled port based upon the result of the authentication exchanges.


IEEE 802.1X Conversation (figure: Laptop computer, Bridge, RADIUS Server)

Laptop to Bridge: Ethernet, carrying EAPOL. Bridge to RADIUS Server: RADIUS.

1. Port connect; access blocked.
2. Laptop to Bridge: EAPOL-Start
3. Bridge to Laptop: EAP-Request/Identity
4. Laptop to Bridge: EAP-Response/Identity
5. Bridge to RADIUS Server: Radius-Access-Request
6. RADIUS Server to Bridge: Radius-Access-Challenge
7. Bridge to Laptop: EAP-Request
8. Laptop to Bridge: EAP-Response (cred)
9. Bridge to RADIUS Server: Radius-Access-Request
10. RADIUS Server to Bridge: Radius-Access-Accept
11. Bridge to Laptop: EAP-Success; access allowed
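The exchange above, worked as an added example that is not part of Congdon's slides: a small Python model of the supplicant, the authenticator PAE and a stand-in authentication server, framing EAP (RFC 2284) in EAPOL and relaying it as Access-Request/Challenge/Accept. The slides name no credential method, so EAP-MD5 (RFC 2284 type 4), the users table and all function names are assumptions of this example; it also goes beyond the figure by showing the Access-Reject path and the authenticator dropping responses whose identifier does not match the outstanding request.

```python
import hashlib, hmac, os, struct
EAPOL_EAP, EAPOL_START = 0, 1   # EAPOL (802.1X) packet types: EAP-Packet, EAPOL-Start
REQUEST, RESPONSE, SUCCESS, FAILURE, IDENTITY, MD5_CHALLENGE = 1, 2, 3, 4, 1, 4  # EAP codes, types

def eapol(ptype, body=b""):                  # EAPOL header: version 1, packet type, body length
    return struct.pack("!BBH", 1, ptype, len(body)) + body
def eap(code, ident, etype=None, data=b""):  # EAP header: code, identifier, length[, type, data]
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body
def parse_eap(pkt):                          # -> (code, identifier, type+data), length-checked
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or len(pkt) < length: raise ValueError("bad EAP length")
    return code, ident, pkt[4:length]
def md5_response(ident, secret, chal):       # EAP-MD5 value: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + chal).digest()

class AuthServer:  # stand-in RADIUS server (constructed): Access-Request -> Challenge/Accept/Reject
    def __init__(self, users): self.users, self.pending = users, {}
    def access_request(self, eap_resp):
        _, ident, data = parse_eap(eap_resp)
        if data[0] == IDENTITY:              # Response/Identity: challenge that user with a fresh nonce
            self.pending[data[1:]] = chal = os.urandom(16)
            return "Access-Challenge", eap(REQUEST, ident + 1, MD5_CHALLENGE, bytes([16]) + chal)
        value, user = data[2:18], data[18:]  # Response/MD5-Challenge: value-size, value, name
        secret, chal = self.users.get(user, b""), self.pending.pop(user, b"")
        ok = hmac.compare_digest(value, md5_response(ident, secret, chal))
        return ("Access-Accept", eap(SUCCESS, ident)) if ok else ("Access-Reject", eap(FAILURE, ident))

class Authenticator:  # authenticator PAE: relays EAP; controlled port authorized only on Accept
    def __init__(self, server): self.server, self.authorized, self.ident = server, False, 0
    def on_eapol(self, frame):
        if frame[1] == EAPOL_START:          # supplicant asks to start: send EAP-Request/Identity
            return eapol(EAPOL_EAP, eap(REQUEST, self.ident, IDENTITY))
        if parse_eap(frame[4:])[:2] != (RESPONSE, self.ident): return None  # stray or replayed
        radius_code, reply = self.server.access_request(frame[4:])
        self.authorized, self.ident = radius_code == "Access-Accept", parse_eap(reply)[1]
        return eapol(EAPOL_EAP, reply)

def supplicant_reply(frame, user, secret):  # laptop side: answer the EAP request it was handed
    _, ident, data = parse_eap(frame[4:])
    if data[0] == IDENTITY: return eapol(EAPOL_EAP, eap(RESPONSE, ident, IDENTITY, user))
    value = md5_response(ident, secret, data[2:2 + data[1]])
    return eapol(EAPOL_EAP, eap(RESPONSE, ident, MD5_CHALLENGE, bytes([16]) + value + user))

def run_port(user, secret, users):          # whole conversation -> (port authorized?, EAP rounds)
    auth, rounds = Authenticator(AuthServer(users)), 0
    frame = auth.on_eapol(eapol(EAPOL_START))
    while parse_eap(frame[4:])[0] == REQUEST:
        frame, rounds = auth.on_eapol(supplicant_reply(frame, user, secret)), rounds + 1
    return auth.authorized, rounds
```

Until the server returns Access-Accept the authenticator's `authorized` flag stays False, which is the state in which the controlled port blocks access in the figure.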


Possible Additional Services

• Allow port VLAN membership to be assigned as an outcome of authentication
  – enables the un-authenticated VLAN
  – enables end-station manageability after failed authentication
  – enables the association of VLAN assignment to user identity
• Allow a mechanism to initiate LAN usage accounting.
• Supports a mechanism to associate incoming traffic priority with user identity.
• Exchange of 802.11 session keys.


802.1X Summary

• Low impact mechanism for addressing end-user authenticated access to 802 LANs
• Applicable to a variety of access devices (e.g. 802.1D bridges, 802.11 APs, smart 802.3 repeaters, DSL environments)
• Leverages existing AAA infrastructure
• Extensible protocol to support future authentication methods.
