1.5.10 802.1X Port-Based Network Access Control
For some IEEE 802 LAN environments, it is desirable to restrict access to the services offered by the LAN to those users and devices that are permitted to make use of those services. The IEEE 802.1X port-based network access control functions provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in which the authentication and authorization process fails. The 802.1X standard relies on the client to provide credentials in order to gain access to the network. The credentials are not based on a hardware address. Instead, they can be either a username/password combination or a certificate. The credentials are not verified by the switch but are sent to a Remote Authentication Dial-In User Service (RADIUS) server, which maintains a database of authentication information. 802.1X consists of three components for the authentication exchange, which are as follows:
• An 802.1X authenticator: This is the port on the switch that has services to offer to an end device, provided the device supplies the proper credentials.
• An 802.1X supplicant: This is the end device; for example, a PC that connects to a switch and requests to use the services (port) of that device. The 802.1X supplicant must be able to respond to the authenticator in order to communicate.
• An 802.1X authentication server: This is a RADIUS server that examines the credentials passed from the supplicant through the authenticator and provides the authentication service. The authentication server is responsible for letting the authenticator know whether services should be granted.
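The three-party exchange above, as an added illustrative simulation that is not part of the original text: the supplicant offers a username/password, the authenticator (switch port) only relays it to the authentication server in a RADIUS-style Access-Request and opens its controlled port solely on an Access-Accept, and the hardware address plays no part in the decision. The credential database, the shared secret and the class names are assumptions; the Response Authenticator is a simplified form of the RFC 2865 construction and real EAP methods do not carry a clear-text password.

```python
import hashlib
import os

# Constructed credential database held by the hypothetical RADIUS server.
USER_DB = {"alice": "correct horse", "bob": "s3cret"}
# Assumed secret shared only between the authenticator and the server.
SHARED_SECRET = b"radius-shared-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def response_authenticator(code, ident, request_auth, attrs):
    """Simplified RFC 2865 Response Authenticator: MD5 over the reply
    fields, the request's random authenticator and the shared secret."""
    body = bytes([code, ident]) + request_auth + attrs + SHARED_SECRET
    return hashlib.md5(body).digest()


class AuthServer:
    """Authentication server: the only party that checks the credentials."""
    def access_request(self, ident, request_auth, attrs):
        user, _, password = attrs.decode().partition(":")
        code = ACCESS_ACCEPT if USER_DB.get(user) == password else ACCESS_REJECT
        return code, ident, response_authenticator(code, ident, request_auth, attrs)


class Authenticator:
    """Switch port: relays credentials to the server, never verifies them."""
    def __init__(self, server):
        self.server = server
        self.port_authorized = False   # controlled port starts closed
        self.ident = 0

    def eapol_credentials(self, supplicant_mac, username, password):
        # The supplicant's MAC address is ignored; only the server's verdict counts.
        self.ident = (self.ident + 1) & 0xFF
        request_auth = os.urandom(16)
        attrs = f"{username}:{password}".encode()
        code, ident, resp_auth = self.server.access_request(self.ident, request_auth, attrs)
        expected = response_authenticator(code, ident, request_auth, attrs)
        # A reply with a stale identifier or a bad authenticator is a failure.
        if ident != self.ident or resp_auth != expected:
            self.port_authorized = False
        else:
            self.port_authorized = code == ACCESS_ACCEPT
        return self.port_authorized


def run_8021x(username, password, mac="00:11:22:33:44:55"):
    """Drive one supplicant attempt and report whether the port opened."""
    return Authenticator(AuthServer()).eapol_credentials(mac, username, password)
```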