106 Device Security
802.1x Network Access Control
Port-based network access control allows the operation of a system’s port(s) to be controlled to ensure
that access to its services is permitted only by systems that are authorized to do so.
Port Access Control provides a means of preventing unauthorized access by supplicants or users to the
services offered by a system. Control over the access to a switch and the LAN to which it is connected
can be desirable in order to restrict access to publicly accessible bridge ports or departmental LANs.
The PowerConnect 6200 Series switch achieves access control by enforcing authentication of supplicants
that are attached to an authenticator’s controlled ports. The result of the authentication process
determines whether the supplicant is authorized to access services on that controlled port.
A PAE (Port Access Entity) can adopt one of two roles within an access control interaction:
• Authenticator – Port that enforces authentication before allowing access to services available via that port.
• Supplicant – Port that attempts to access services offered by the Authenticator.
Additionally, there exists a third role:
• Authentication server – Server that performs the authentication function necessary to check the
credentials of the supplicant on behalf of the Authenticator.
Completion of an authentication exchange requires all three roles. The PowerConnect 6200 Series
switch supports the authenticator role only, in which the PAE is responsible for communicating with the
supplicant. The authenticator PAE is also responsible for submitting information received from the
supplicant to the authentication server in order for the credentials to be checked, which determines the
authorization state of the port. Depending on the outcome of the authentication process, the
authenticator PAE then controls the authorized/unauthorized state of the controlled Port.
Authentication is accomplished via an external authentication server:
• Remote Authentication Dial-In User Service (RADIUS)
• Terminal Access Controller Access Control System (TACACS+)
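The exchange described above, modelled end to end as an added example (this is not code from the PowerConnect documentation or firmware): a supplicant's EAP-Response/Identity is relayed by the authenticator PAE to the authentication server inside a RADIUS Access-Request, the server answers Access-Accept or Access-Reject, and the authenticator sets the controlled port authorized or unauthorized. The RADIUS framing follows RFC 2865/2869/3579 (EAP-Message and Message-Authenticator attributes, Response Authenticator keyed with the shared secret); the server is a constructed in-process stand-in, the user names and the shared secret are invented sample data, and the `port_control` values mirror the 802.1X force-authorized, force-unauthorized and auto settings so you can see which modes never consult the server at all.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
# EAP codes/types (RFC 3748); only the Identity round-trip is modelled here
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """The EAP-Response/Identity a supplicant sends in an EAPOL frame on the controlled port."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def encode_attrs(pairs) -> bytes:
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)


def parse_attrs(pkt: bytes):
    """Yield (type, value_offset, value) for each attribute; reject malformed lengths."""
    i = 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        t, l = pkt[i], pkt[i + 1]
        yield t, i + 2, pkt[i + 2:i + l]
        i += l


def access_request(secret: bytes, ident: int, user: bytes, eap: bytes, req_auth: bytes) -> bytes:
    """Authenticator PAE -> server. Message-Authenticator (type 80) is HMAC-MD5 keyed with the
    shared secret over the packet with that attribute's value zeroed (RFC 2869 s5.14). It is
    placed last, so the zeroed value is simply the final 16 bytes of the packet."""
    body = encode_attrs([(ATTR_USER_NAME, user), (ATTR_EAP_MESSAGE, eap),
                         (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def check_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    for t, off, val in parse_attrs(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)
    return False  # an Access-Request carrying EAP-Message must include it (RFC 3579 s3.2)


def radius_response(secret: bytes, code: int, ident: int, req_auth: bytes, attrs=()) -> bytes:
    """Server -> authenticator. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def check_response(secret: bytes, resp: bytes, req_auth: bytes) -> bool:
    """Authenticator side: trust a reply only if it was computed with our shared secret."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expect = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expect, resp[4:20])


def make_server(secret: bytes, allowed_users):
    """Constructed stand-in for the RADIUS server: Accept known identities, Reject others, and
    silently drop (return None) any request whose Message-Authenticator does not verify."""
    def serve(req: bytes):
        if req[0] != ACCESS_REQUEST or not check_message_authenticator(secret, req):
            return None
        user = next((v for t, _, v in parse_attrs(req) if t == ATTR_USER_NAME), None)
        code = ACCESS_ACCEPT if user in allowed_users else ACCESS_REJECT
        return radius_response(secret, code, req[1], req[4:20])
    return serve


class AuthenticatorPort:
    """Controlled port of the authenticator PAE. port_control is one of 'auto',
    'force-authorized' or 'force-unauthorized'; only 'auto' ever talks to the server."""

    def __init__(self, port_control: str, secret: bytes, server):
        self.port_control, self.secret, self.server = port_control, secret, server
        self.ident, self.server_calls, self.state = 0, 0, "unauthorized"

    def on_eapol(self, identity: bytes) -> str:
        if self.port_control == "force-authorized":
            self.state = "authorized"
        elif self.port_control == "force-unauthorized":
            self.state = "unauthorized"
        else:
            self.ident = (self.ident + 1) & 0xFF
            req_auth = os.urandom(16)  # fresh Request Authenticator per request
            req = access_request(self.secret, self.ident, identity, eap_identity_response(identity), req_auth)
            self.server_calls += 1
            resp = self.server(req)
            ok = resp is not None and resp[1] == self.ident and check_response(self.secret, resp, req_auth)
            self.state = "authorized" if ok and resp[0] == ACCESS_ACCEPT else "unauthorized"
        return self.state


if __name__ == "__main__":
    server = make_server(b"secret", {b"alice"})          # sample secret and user, constructed
    for mode, who in [("auto", b"alice"), ("auto", b"mallory"), ("force-authorized", b"mallory")]:
        print(mode, who.decode(), AuthenticatorPort(mode, b"secret", server).on_eapol(who))
    print("secret mismatch:", AuthenticatorPort("auto", b"wrong", server).on_eapol(b"alice"))
```

The secret-mismatch case is the one worth noting for operations: when the switch and server disagree on the shared secret the server drops the request without replying, so the supplicant sees a timeout rather than a Reject, and the port stays unauthorized with nothing in the server's accounting log to explain why.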
802.1x Network Access Control Examples
This section contains examples of the CLI commands used to configure 802.1X.
Example #1: Configure RADIUS Server for Authentication
This example configures a single RADIUS server used for authentication at 10.10.10.10. The shared
secret is configured to be secret. The process creates a new authentication list, called radiusList, which
uses RADIUS as the authentication method. This authentication list is associated with the 802.1x
default login. 802.1x port based access control is enabled for the system, and interface 1/g1 is configured
to be in force-authorized mode because this is where the RADIUS server and protected network
resources are located: once system-wide 802.1x control is on, a port left in auto mode blocks all traffic
except EAPOL until a supplicant authenticates, so the switch could not reach its own RADIUS server
through an unauthorized port. Use force-authorized only on infrastructure-facing ports, never on
user-facing ones.