Reference7:Configuration/ETH/802.1X: Difference between revisions
Jump to navigation
Jump to search
(New page: 802.1X, Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!) to perform an authentication handshake within the 802.3 link layer (Ethern...) |
m (detailing) |
||
Line 1: | Line 1: | ||
802.1X, Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!) to perform an authentication handshake within the 802.3 link layer (Ethernet). | '''802.1X,''' Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!<ref>The standard refers to 802 LANs as a whole, including shared media such as 802.11 WLANs. However, only 802.3 LANs are targeted by the functionality discussed in this article.</ref>) to perform an authentication handshake within the 802.3 link layer (Ethernet). | ||
The authentication is encapsulated within EAP over LAN (EAPOL) frames. No other traffic, except EAPOL is allowed prior to a successful authentication<ref>802.1X must not be considered a bullet-proof security mechanism, since all traffic following the authentication phase is not authenticated</ref>. | The authentication is encapsulated within EAP over LAN (EAPOL) frames. No other traffic, except EAPOL is allowed prior to a successful authentication<ref>It is an authenticator's task to guarantee that non-EAPOL traffic won't be forwarded before an authentication succeeded.</ref><ref>802.1X must not be considered a bullet-proof security mechanism, since all traffic following the authentication phase is not authenticated.</ref>. | ||
The standard specifies the following parties participating in an 802.1X authentication: | The standard specifies the following parties participating in an 802.1X authentication: | ||
Line 14: | Line 14: | ||
'''EAP-MD5:''' | '''EAP-MD5:''' | ||
* User: Enter the user/identity to authenticate with. | * '''User:''' Enter the user/identity to authenticate with. | ||
* Password: Enter the shared secret for the MD5 challenge/response handshake. | * '''Password:''' Enter the shared secret for the MD5 challenge/response handshake. | ||
==Notes== | ==Notes== | ||
<references/> | <references/> |
Revision as of 22:56, 24 July 2008
802.1X, Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling![1]) to perform an authentication handshake within the 802.3 link layer (Ethernet). The authentication is encapsulated within EAP over LAN (EAPOL) frames. No other traffic, except EAPOL is allowed prior to a successful authentication[2][3].
The standard specifies the following parties participating in an 802.1X authentication:
- Supplicant: The party supplying credentials towards an authenticator on the other side of a point-to-point link. An IP phone fulfills a supplicant's role.
- Authenticator: The party facilitating the authentication. A switch will usually be the authenticator.
- Authentication Server: The party providing the authentication service to the authenticator. The 802.1X standard mentions a RADIUS server to be an authentication server.
Sample Protocol Flow:
An 802.1X EAP-MD5[4] authentication handshake[5].
EAP-MD5:
- User: Enter the user/identity to authenticate with.
- Password: Enter the shared secret for the MD5 challenge/response handshake.
Notes
- ↑ The standard refers to 802 LANs as a whole, including shared media such as 802.11 WLANs. However, only 802.3 LANs are targeted by the functionality discussed in this article.
- ↑ It is an authenticator's task to guarantee that non-EAPOL traffic won't be forwarded before an authentication succeeded.
- ↑ 802.1X must not be considered a bullet-proof security mechanism, since all traffic following the authentication phase is not authenticated.
- ↑ innovaphone devices support the EAP-MD5 authentication handshake.
- ↑ Message 9 within the sample protocol flow from above does often piggy-back additional RADIUS attributes with the intent to configure VLAN parameters at the authenticator/switch device. 802.1x thereby allows for user-related VLAN configuration at the authenticator/switch.