62
802.1X overview
802.1X is a port-based network access control protocol initially proposed for securing WLANs. The
protocol has also been widely used on Ethernet networks for access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model. As shown in
, 802.1X authentication includes the
folllowing entities:
•
Client (supplicant)
—A user terminal seeking access to the LAN. The terminal must have 802.1X
software to authenticate to the access device.
•
Access device (authenticator)
—Authenticates the client to control access to the LAN. In a typical
802.1X environment, the access device uses an authentication server to perform authentication.
•
Authentication server
—Provides authentication services for the access device. The authentication
server first authenticates 802.1X clients by using the data sent from the access device. Then, the
server returns the authentication results to the access device to make access decisions. The
authentication server is typically a RADIUS server. In a small LAN, you can use the access device
as the authentication server.
Figure 20
802.1X architecture
Controlled/uncontrolled port and port
authorization status
802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any
packet arriving at the network access port is visible to both logical ports.
•
Uncontrolled port
—Is always open to receive and transmit authentication packets.
•
Controlled port
—Filters packets depending on the port's state.
{
Authorized state
—The controlled port is in authorized state when the client has passed
authentication. The port allows traffic to pass through.
{
Unauthorized state
—The port is in unauthorized state when the client has failed authentication.
The port controls traffic by using one of the following methods:
−
Performs bidirectional traffic control to deny traffic to and from the client.