Reference7:Configuration/ETH/802.1X

From innovaphone wiki
Revision as of 18:11, 24 July 2008 by Inno-mst (talk | contribs) (New page: 802.1X, Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!) to perform an authentication handshake within the 802.3 link layer (Ethern...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
There are also other versions of this article available: Reference7 (this version) | Reference9 | Reference11r1 | Reference11r2 | Reference15r1

802.1X, Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!) to perform an authentication handshake within the 802.3 link layer (Ethernet). The authentication is encapsulated within EAP over LAN (EAPOL) frames. No other traffic, except EAPOL is allowed prior to a successful authentication[1].

The standard specifies the following parties participating in an 802.1X authentication:

  • Supplicant: The party supplying credentials towards an authenticator on the other side of a point-to-point link. An IP phone fulfills a supplicant's role.
  • Authenticator: The party facilitating the authentication. A switch will usually be the authenticator.
  • Authentication Server: The party providing the authentication service to the authenticator. The 802.1X standard mentions a RADIUS server to be an authentication server.

Sample Protocol Flow:

An 802.1X EAP-MD5[2] authentication handshake[3].

EAP-MD5:

  • User: Enter the user/identity to authenticate with.
  • Password: Enter the shared secret for the MD5 challenge/response handshake.


Notes

  1. 802.1X must not be considered a bullet-proof security mechanism, since all traffic following the authentication phase is not authenticated
  2. innovaphone devices support the EAP-MD5 authentication handshake.
  3. Message 9 within the sample protocol flow from above does often piggy-back additional RADIUS attributes with the intent to configure VLAN parameters at the authenticator/switch device. 802.1x thereby allows for user-related VLAN configuration at the authenticator/switch.