Reference9:Interfaces/ETH/802.1X

There are also other versions of this article available: Reference7 | Reference9 (this version) | Reference11r1 | Reference11r2

802.1X, Port-Based Network Control, is an IEEE standard. The standard allows LAN devices (wired network cabling!^[1]) to perform an authentication handshake within the 802.3 link layer (Ethernet). The authentication is encapsulated within EAP over LAN (EAPOL) frames. No other traffic, except EAPOL is allowed prior to a successful authentication^[2]^[3].

The standard specifies the following parties participating in an 802.1X authentication:

Supplicant: The party supplying credentials towards an authenticator on the other side of a point-to-point link. An IP phone fulfills a supplicant's role.
- innovaphones' IP phones are configured to support pass-through of EAPOL messages. A PC attached to the PC-port of a phone may also become a supplicant and may 802.1X-authenticate independently and separately^[4].
Authenticator: The party facilitating the authentication. A switch will usually be the authenticator.
Authentication Server: The party providing the authentication service to the authenticator. The 802.1X standard mentions a RADIUS server to be an authentication server.

Sample Protocol Flow:

An 802.1X EAP-MD5^[5] authentication handshake^[6].

EAP-MD5:

User: Enter the user/identity to authenticate with.
Password: Enter the shared secret for the MD5 challenge/response handshake.

Notes

↑ The standard refers to 802 LANs as a whole, including shared media such as 802.11 WLANs. However, only 802.3 LANs are targeted by the functionality discussed in this article.
↑ It is an authenticator's task to guarantee that non-EAPOL traffic won't be forwarded before an authentication succeeded.
↑ 802.1X must not be considered a bullet-proof security mechanism, since all traffic following the authentication phase is not authenticated.
↑ Major authenticators do support multi-host authentication
↑ innovaphone devices support the EAP-MD5 authentication handshake.
↑ Message 9 within the sample protocol flow from above does often piggy-back additional RADIUS attributes with the intent to configure VLAN parameters at the authenticator/switch device. 802.1x thereby allows for user-related VLAN configuration at the authenticator/switch.

[1] The standard refers to 802 LANs as a whole, including shared media such as 802.11 WLANs. However, only 802.3 LANs are targeted by the functionality discussed in this article.

[2] It is an authenticator's task to guarantee that non-EAPOL traffic won't be forwarded before an authentication succeeded.

[3] 802.1X must not be considered a bullet-proof security mechanism, since all traffic following the authentication phase is not authenticated.

[4] Major authenticators do support multi-host authentication

[5] vaphone devices support the EAP-MD5 authentication handshake.

[6] Message 9 within the sample protocol flow from above does often piggy-back additional RADIUS attributes with the intent to configure VLAN parameters at the authenticator/switch device. 802.1x thereby allows for user-related VLAN configuration at the authenticator/switch.

[1]

[2]

[3]

[4]

[5]

[6]

Reference9:Interfaces/ETH/802.1X

Notes

Navigation menu

Search