Port-based Network Access and traffic control 39
Port-based Network Access and traffic control
Port-based Network Access control
Port-based Network Access control provides a means of authenticating and authorizing devices attached to a LAN
port that has point-to-point connection characteristics. It prevents access to ports that fail authentication and
authorization. This feature provides security to all ports of the GbE2c Ethernet Blade Switch.
The following topics are discussed in this section:
• Extensible Authentication Protocol over LAN
• 802.1x Authentication Process
• 802.1x Port States
• Supported RADIUS Attributes
• Configuration Guidelines
Extensible authentication protocol over LAN
GbE2c software can provide user-level security for its ports using the IEEE 802.1x protocol, which is a more secure
alternative to other methods of port-based network access control. Any device attached to an 802.1x-enabled port
that fails authentication is prevented access to the network and denied services offered through that port.
The 802.1x standard describes port-based network access control using Extensible Authentication Protocol over LAN
(EAPoL). EAPoL provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-
point connection characteristics and of preventing access to that port in cases of authentication and authorization
failures.
EAPoL is a client-server protocol that has the following components:
• Supplicant or Client—The Supplicant is a device that requests network access and provides the required creden-
tials (user name and password) to the Authenticator and the Authentication Server.
• Authenticator—The Authenticator enforces authentication and controls access to the network. The Authenticator
grants network access based on the information provided by the Supplicant and the response from the
Authentication Server. The Authenticator acts as an intermediary between the Supplicant and the Authentication
Server: requesting identity information from the client, forwarding that information (encapsulated in RADIUS
packets) to the Authentication Server for validation, relaying the server’s responses to the client, and authorizing
network access based on the results of the authentication exchange. The GbE2c acts as an Authenticator.
• Authentication Server—The Authentication Server validates the credentials provided by the Supplicant to deter-
mine if the Authenticator should grant access to the network. The Authentication Server may be co-located with
the Authenticator. The switch relies on external RADIUS servers for authentication.
Upon a successful authentication of the client by the server, the 802.1x-controlled port transitions from unauthorized
to authorized state, and the client is allowed full access to services through the port. When the client sends an EAP-
Logoff message to the authenticator, the port will transition from authorized to unauthorized state.
802.1x authentication process
The clients and authenticators communicate using Extensible Authentication Protocol (EAP), which was originally
designed to run over PPP, and for which the IEEE 802.1x Standard has defined an encapsulation method over
Ethernet frames, called EAP over LAN (EAPOL).
To Next Page
Loading...
Need help?
General