Reference11r1:Interfaces/ETH/802.1X: Difference between revisions

From innovaphone wiki
(New page: '''802.1X,''' Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!<ref>The standard refers to 802 LANs as a whole, including shared medi...)
 
(Customer feedback: Clarified that EAP-TLS settings re-use EAP-MD5 settings)
 
(8 intermediate revisions by the same user not shown)
'''Old revision:'''

'''802.1X,''' Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!<ref>The standard refers to 802 LANs as a whole, including shared media such as 802.11 WLANs. However, only 802.3 LANs are targeted by the functionality discussed in this article.</ref>) to perform an authentication handshake within the 802.3 link layer (Ethernet).

The authentication is encapsulated within EAP over LAN (EAPOL) frames. No traffic other than EAPOL is allowed prior to a successful authentication<ref>It is the authenticator's task to guarantee that non-EAPOL traffic is not forwarded before an authentication has succeeded.</ref><ref>802.1X must not be considered a bullet-proof security mechanism: it authorizes the port, not the individual frames, so the traffic that follows the authentication phase is not itself authenticated.</ref>.

The standard specifies the following parties participating in an 802.1X authentication:
* Supplicant: The party supplying credentials towards an authenticator on the other side of a point-to-point link. An IP phone fulfills the supplicant's role.
** innovaphone IP phones are configured to pass EAPOL frames through. A PC attached to the PC port of a phone may therefore also act as a supplicant and 802.1X-authenticate independently and separately<ref>Major authenticator implementations support multi-host authentication, i.e. more than one supplicant behind the same port.</ref>.
* Authenticator: The party facilitating the authentication. A switch will usually be the authenticator.
* Authentication Server: The party providing the authentication service to the authenticator. The 802.1X standard names a RADIUS server as an example of an authentication server.

'''Sample Protocol Flow:'''

[[Image:802dot1x-EAPOL-640x480.gif]]

''An 802.1X EAP-MD5<ref>innovaphone devices support the EAP-MD5 authentication handshake.</ref> authentication handshake<ref>Message 9 in the sample protocol flow above often piggy-backs additional RADIUS attributes (the RFC 3580 tunnel attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) with the intent to configure VLAN parameters at the authenticator/switch. 802.1X thereby allows for per-user VLAN assignment at the authenticator/switch.</ref>.''

'''EAP-MD5:'''
* '''User:''' Enter the user/identity to authenticate with.
* '''Password:''' Enter the shared secret for the MD5 challenge/response handshake.

==Notes==
<references/>

'''New revision:'''

;'''EAP-MD5''':
* '''User''' Enter the user/identity to authenticate with.
* '''Password''' Enter the shared secret for the MD5 challenge/response handshake.
;'''EAP-TLS''':
The EAP-MD5 settings are reused for EAP-TLS, i.e. there is currently no separate setting for EAP-TLS. The certificate that is fed into the EAP-TLS session is configured under ''General/Certificates/Device Certificate''.
* '''User''' Enter the user/identity<ref>EAP-TLS does not mandate that this identity be the same as the certificate's subject/CN.</ref> to be sent in the EAP-Response/Identity (the reply to the authenticator's EAP-Request/Identity).<ref name="user-pw">A non-empty user/password just serves as an "on"-switch for 802.1X.</ref>
* '''Password''' Enter arbitrary content.<ref name="user-pw"/>
* '''General/Certificates/Device Certificate'''
=Notes=
<references/>
[[Concept_802.1X|Concept 802.1X]]
[[Howto:802.1X_EAP-TLS_With_FreeRadius|Howto article: 802.1X EAP-TLS With FreeRadius]]
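The exchange described in the old revision above (supplicant, authenticator and authentication server; EAPOL-only port gating; the EAP-MD5 challenge/response; VLAN attributes returned on success), as an added example that is not part of the innovaphone wiki page and not innovaphone code: a self-contained Python simulation with the three parties as plain objects. Frame layouts follow IEEE 802.1X (EAPOL header) and RFC 3748 (EAP header, Identity and MD5-Challenge types); the response is MD5(identifier || secret || challenge) as in RFC 1994 CHAP. The identity <code>phone01</code>, the secret, the VLAN id 20 and the class/function names are constructed for illustration; the attribute names on the success path are the RFC 3580 tunnel attributes. The final function, <code>offline_guess</code>, shows a second reason for the page's "not bullet-proof" caveat that the page itself does not spell out: RFC 3748 section 5.4 notes that MD5-Challenge offers no protection against dictionary attacks, so whoever captures the challenge and the response can test candidate secrets offline. EAP-TLS, the other method the page configures, does not share this weakness.

```python
"""Offline simulation of the 802.1X / EAP-MD5 handshake (added example, not
innovaphone code).  Identities, secrets and VLAN ids below are constructed."""
import hashlib
import os
import struct

ETHERTYPE_EAPOL, ETHERTYPE_IPV4 = 0x888E, 0x0800
EAPOL_VERSION, EAPOL_EAP_PACKET, EAPOL_START = 1, 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eapol(packet_type, body=b""):
    """EAPOL header (IEEE 802.1X): version, packet type, body length."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP header (RFC 3748): code, identifier, length, then type + type data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(packet):
    """Returns (code, identifier, type or None, type data)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    eap_type = packet[4] if length > 4 else None
    return code, ident, eap_type, packet[5:length]


def md5_response(ident, secret, challenge):
    """CHAP-style MD5-Challenge response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Supplicant:
    """The IP phone: answers Identity and MD5-Challenge requests."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def handle(self, packet):
        code, ident, eap_type, data = parse_eap(packet)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            return eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]          # value-size byte, then the value
            digest = md5_response(ident, self.secret, challenge)
            return eap(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + digest)
        return None                                  # Success / Failure end the exchange


class AuthServer:
    """Stand-in for the RADIUS server: knows each identity's secret and the
    VLAN to hand back on success (constructed values)."""
    def __init__(self, users):
        self.users = users                           # identity -> (secret, vlan)
        self.identity = self.challenge = None

    def handle(self, packet):
        """Returns (EAP packet for the supplicant, RADIUS-style attributes)."""
        code, ident, eap_type, data = parse_eap(packet)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = data, os.urandom(16)
            return eap(EAP_REQUEST, ident + 1, EAP_TYPE_MD5_CHALLENGE,
                       bytes([16]) + self.challenge), {}
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5_CHALLENGE \
                and self.identity in self.users:
            secret, vlan = self.users[self.identity]
            if data[1:1 + data[0]] == md5_response(ident, secret, self.challenge):
                # Access-Accept carrying the RFC 3580 tunnel attributes for VLAN assignment
                return eap(EAP_SUCCESS, ident), {"Tunnel-Type": "VLAN",
                                                 "Tunnel-Medium-Type": "IEEE-802",
                                                 "Tunnel-Private-Group-ID": str(vlan)}
        return eap(EAP_FAILURE, ident), {}


class Authenticator:
    """The switch port: relays EAP between supplicant and server and keeps the
    port closed to everything except EAPOL until an EAP-Success arrives."""
    def __init__(self, server):
        self.server, self.authorized, self.vlan = server, False, None

    def receive_eapol(self, frame):
        """EAPOL frame from the supplicant; returns the EAPOL frame to send back."""
        _, packet_type, length = struct.unpack("!BBH", frame[:4])
        if packet_type == EAPOL_START:               # supplicant asks to authenticate
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        reply, attrs = self.server.handle(frame[4:4 + length])
        if reply[0] == EAP_SUCCESS:
            vlan = attrs.get("Tunnel-Private-Group-ID")
            self.authorized, self.vlan = True, (int(vlan) if vlan else None)
        return eapol(EAPOL_EAP_PACKET, reply)

    def forward(self, ethertype):
        """Port gating: non-EAPOL traffic is dropped until the port is authorized."""
        return ethertype == ETHERTYPE_EAPOL or self.authorized


def run_handshake(supplicant, authenticator):
    """Drives the exchange; returns ([(code, type) seen by supplicant], authorized, vlan)."""
    seen, frame = [], authenticator.receive_eapol(eapol(EAPOL_START))
    while frame is not None:
        code, _, eap_type, _ = parse_eap(frame[4:])
        seen.append((code, eap_type))
        reply = supplicant.handle(frame[4:])
        frame = None if reply is None else authenticator.receive_eapol(eapol(EAPOL_EAP_PACKET, reply))
    return seen, authenticator.authorized, authenticator.vlan


def offline_guess(ident, challenge, response, candidates):
    """Caveat: MD5-Challenge offers no protection against dictionary attacks
    (RFC 3748 5.4); a captured challenge/response pair lets anyone test
    candidate secrets offline, without talking to the server."""
    return next((s for s in candidates if md5_response(ident, s, challenge) == response), None)


if __name__ == "__main__":
    switch = Authenticator(AuthServer({b"phone01": (b"s3cret-md5", 20)}))
    print("IPv4 forwarded before auth:", switch.forward(ETHERTYPE_IPV4))
    print(run_handshake(Supplicant(b"phone01", b"s3cret-md5"), switch))
    print("IPv4 forwarded after auth:", switch.forward(ETHERTYPE_IPV4))
```

The authenticator never sees the secret: it only relays EAP and acts on the server's verdict, which is why the VLAN decision can travel with the Access-Accept. A real switch additionally binds the authorized state to the source MAC on the port; the simulation keeps one supplicant per port for brevity.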

Latest revision as of 11:29, 21 August 2015
