MNS-BB
Software User Guide
21.0 802.1x - Port Based Network Access Control and the RADIUS (Remote Authentication Dial-In User Service) Protocol
21.1 Introduction
The IEEE 802.1x standard, Port Based Network Access Control, defines a mechanism for port-based network access control that makes use of the physical access characteristics of IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing devices attached to LAN ports that have point-to-point connection characteristics, and it blocks access through that port when authentication or authorization fails.
The 802.1x specification includes a number of features aimed specifically at supporting the use of Port Access Control in IEEE 802.11 LANs (WLAN). These include the ability for a WLAN access point to distribute or obtain global key information to/from attached stations by means of the EAPOL-Key message following successful authentication.
Although 802.1x is mostly used in wireless networks, the protocol is also implemented in wired bridges. The MNS-BB software switch implements the authenticator, which is a major component of 802.1x.
21.2 Overview
802.1x is a method for performing authentication to obtain access to IEEE 802 LANs. It specifies the following:
• the protocol between devices desiring access to the bridged LAN and devices providing access to the bridged LAN
• the requirements for a protocol between the authenticator and an authentication server (RADIUS)
• the behavior of the port providing access to the bridged LAN
• management operations via SNMP
Figure 1 shows a general topology of an 802.1x-enabled network.
Figure 1. 802.1x General Topology
There are 3 major components of 802.1x: Supplicant, Authenticator and Authentication Server.
In Figure 1, the PC acts as the supplicant. The supplicant is the entity being authenticated and desiring access to the services of the authenticator.
The switch in Figure 1 is the authenticator. The authenticator enforces authentication before allowing access to services that are accessible via that port. It is responsible for communicating with the supplicant and for submitting the information received from the supplicant to a suitable authentication server, which verifies the user credentials and thereby determines the resulting port authorization state. It is important to note that the authenticator's functionality is independent of the actual authentication method: it effectively acts as a pass-through for the authentication exchange.
The RADIUS server in Figure 1 is the authentication server. The authentication server provides a standard way of delivering Authentication, Authorization, and Accounting (AAA) services to a network.
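The three-party exchange described in the Overview bullets and in the role descriptions above, modelled as an added Python example; this is not code from the MNS-BB software or from the 802.1x standard. It simplifies the real protocol: the EAP method is reduced to one server challenge and one credential response, RADIUS attributes are plain dictionaries, and the credential store is constructed sample data. What it keeps is the security-relevant shape: the port starts unauthorized, the authenticator relays EAP between supplicant and server without interpreting the method, the port is authorized only on an Access-Accept, and ordinary traffic is dropped until then.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass
class Msg:
    kind: str                       # e.g. "EAPOL-Start", "Access-Challenge"
    attrs: dict = field(default_factory=dict)


class AuthenticationServer:
    """Plays the RADIUS server: the only party that holds and checks credentials.
    The single challenge/response round stands in for a real EAP method."""

    def __init__(self, credentials):
        # identity -> secret; constructed sample data for this example
        self._creds = dict(credentials)

    def handle(self, req):
        eap = req.attrs                 # the relayed EAP payload, untouched by the switch
        identity = eap.get("identity")
        if eap.get("type") == "Identity":
            # Ask the supplicant (via the authenticator) to prove the claimed identity.
            return Msg("Access-Challenge", {"type": "Credential-Request", "identity": identity})
        expected = self._creds.get(identity)
        supplied = eap.get("credential", "")
        # compare_digest keeps the comparison constant-time regardless of where it differs
        if expected is not None and hmac.compare_digest(expected.encode(), supplied.encode()):
            return Msg("Access-Accept", {"identity": identity})
        return Msg("Access-Reject", {"identity": identity})


class Authenticator:
    """Plays the switch port: starts unauthorized, relays EAP between supplicant and
    server without interpreting the method, and takes the port state from the verdict."""

    def __init__(self, server):
        self.server = server
        self.port_state = PortState.UNAUTHORIZED
        self.trace = []                 # (hop, message kind) pairs, for inspection

    def handle_eapol(self, msg):
        """Process one EAPOL frame from the supplicant; return the reply (None for Logoff)."""
        self.trace.append(("supplicant->authenticator", msg.kind))
        if msg.kind == "EAPOL-Logoff":
            self.port_state = PortState.UNAUTHORIZED
            return None
        if msg.kind == "EAPOL-Start":
            reply = Msg("EAP-Request", {"type": "Identity"})
        elif msg.kind == "EAP-Response":
            # Pass-through: wrap the EAP payload in an Access-Request and relay it as-is.
            self.trace.append(("authenticator->server", "Access-Request"))
            verdict = self.server.handle(Msg("Access-Request", dict(msg.attrs)))
            self.trace.append(("server->authenticator", verdict.kind))
            if verdict.kind == "Access-Challenge":
                reply = Msg("EAP-Request", dict(verdict.attrs))
            elif verdict.kind == "Access-Accept":
                self.port_state = PortState.AUTHORIZED
                reply = Msg("EAP-Success")
            else:
                self.port_state = PortState.UNAUTHORIZED
                reply = Msg("EAP-Failure")
        else:
            reply = Msg("EAP-Failure")  # anything unexpected leaves the port closed
        self.trace.append(("authenticator->supplicant", reply.kind))
        return reply

    def forwards_data(self):
        """Ordinary (non-EAPOL) traffic is passed only while the port is authorized."""
        return self.port_state is PortState.AUTHORIZED


def run_supplicant(auth, identity, credential):
    """Drive the supplicant side of the exchange; return (final EAP reply kind, port state)."""
    reply = auth.handle_eapol(Msg("EAPOL-Start"))
    if reply.kind == "EAP-Request" and reply.attrs.get("type") == "Identity":
        reply = auth.handle_eapol(Msg("EAP-Response", {"type": "Identity", "identity": identity}))
    if reply.kind == "EAP-Request":     # the server's challenge, relayed unchanged by the switch
        reply = auth.handle_eapol(Msg("EAP-Response", {"type": "Credential",
                                                       "identity": identity,
                                                       "credential": credential}))
    return reply.kind, auth.port_state


if __name__ == "__main__":
    switch = Authenticator(AuthenticationServer({"alice": "s3cret"}))
    print(run_supplicant(switch, "alice", "s3cret"), switch.forwards_data())
    switch.handle_eapol(Msg("EAPOL-Logoff"))
    print(switch.forwards_data())
```

The `trace` list records every hop, so it shows the pass-through property directly: each supplicant EAP-Response produces exactly one Access-Request to the server, and the switch never branches on the credential itself. A wrong secret or an unknown identity yields an Access-Reject, an EAP-Failure to the supplicant, and a port that still drops data frames; an EAPOL-Logoff returns an authorized port to the unauthorized state.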