4-2-8. 802.1X
802.1X port-based network access control provides a method to restrict users' access to network resources by authenticating the user's credentials. A user cannot gain access to network resources through an 802.1X-enabled port without authentication. A user who wishes to reach the network through a port under 802.1X control must first submit his or her account name for authentication and wait for authorization before sending or receiving any packets on that 802.1X-enabled port.
Before a device or end station can access network resources through a port under 802.1X control, it connects to the controlled port and sends an authentication request to the authenticator. The authenticator passes the request to the authentication server for authentication and verification, and the server tells the authenticator whether the request is granted authorization for the port.
According to IEEE 802.1X, three components are involved: the Supplicant, the Authenticator and the Authentication server, shown in Fig. 4-13.
Supplicant:
The entity being authenticated by an authenticator. It communicates with the Authenticator PAE (Port Access Entity) by exchanging authentication messages when the Authenticator PAE sends a request to it.
Authenticator:
An entity that facilitates the authentication of the supplicant entity. It controls the state of the port, authorized or unauthorized, according to the result of the authentication messages exchanged between it and a supplicant PAE. The authenticator may request the supplicant to re-authenticate itself at a configured time period. Once re-authentication of the supplicant starts, the controlled port remains in the authorized state until re-authentication fails.
A port acting as an authenticator is treated as two logical ports, a controlled port and an uncontrolled port. The controlled port passes packets only when the authenticator PAE is authorized. The uncontrolled port, on the other hand, unconditionally passes, at any time, packets addressed to the PAE group MAC address, which has the value 01-80-c2-00-00-03 and is not forwarded by a MAC bridge.
Authentication server:
A device that provides an authentication service, through EAP (Extensible Authentication Protocol), to an authenticator. It uses the authentication credentials supplied by the supplicant to determine whether the supplicant is authorized to access the network resource.
The operation flow for Fig. 4-13 is quite simple. When the Supplicant PAE issues a request to the Authenticator PAE, the Authenticator and Supplicant exchange authentication messages. Then the Authenticator passes the request to the RADIUS server for verification. Finally, the RADIUS server replies whether the request is granted or denied.
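The following Python model is an added example, not part of this manual and not the switch's own firmware. It simulates the behaviour described above for one authenticator port: the uncontrolled logical port passes only frames addressed to the PAE group MAC 01-80-c2-00-00-03, the controlled logical port passes ordinary traffic only while authorized, the supplicant's request is relayed to a RADIUS stand-in for a verdict, and a re-authentication leaves the port authorized until it fails. The user table, the `radius_server` function and the EAPOL message names written to the log are constructed for illustration; no real RADIUS packets are sent.

```python
"""Simulation of an 802.1X authenticator port (added example, not the manual's code)."""
from dataclasses import dataclass, field

# PAE group MAC address named in the text: EAPOL frames go here and are not bridged.
PAE_GROUP_MAC = "01-80-c2-00-00-03"

# Constructed credential store standing in for the RADIUS server's user database.
RADIUS_USERS = {"alice": "s3cret", "bob": "hunter2"}


def radius_server(username, password):
    """Stand-in authentication server: answers Access-Accept or Access-Reject."""
    if RADIUS_USERS.get(username) == password:
        return "Access-Accept"
    return "Access-Reject"


@dataclass
class Frame:
    dst_mac: str
    payload: str


@dataclass
class AuthenticatorPort:
    """One physical port seen as two logical ports: controlled and uncontrolled."""
    authorized: bool = False
    log: list = field(default_factory=list)

    def uncontrolled_port_accepts(self, frame):
        # The uncontrolled port passes PAE-group traffic regardless of port state.
        return frame.dst_mac.lower() == PAE_GROUP_MAC

    def controlled_port_accepts(self, frame):
        # The controlled port passes ordinary traffic only once authorized.
        return self.authorized

    def forward(self, frame):
        """Return which logical port carried the frame, or 'dropped'."""
        if self.uncontrolled_port_accepts(frame):
            return "uncontrolled"
        if self.controlled_port_accepts(frame):
            return "controlled"
        return "dropped"

    def authenticate(self, username, password):
        """Supplicant PAE -> Authenticator PAE -> RADIUS -> port state."""
        self.log.append("EAPOL-Start from supplicant")
        self.log.append("EAP-Request/Identity from authenticator")
        self.log.append(f"EAP-Response/Identity ({username}) from supplicant")
        verdict = radius_server(username, password)   # authenticator relays to server
        self.log.append(f"RADIUS {verdict}")
        self.authorized = verdict == "Access-Accept"
        self.log.append("EAP-Success, controlled port authorized" if self.authorized
                        else "EAP-Failure, controlled port unauthorized")
        return self.authorized

    def reauthenticate(self, username, password):
        """Periodic re-authentication: state is kept until the exchange fails."""
        state_during_reauth = self.authorized
        if radius_server(username, password) != "Access-Accept":
            self.authorized = False
        return state_during_reauth, self.authorized


if __name__ == "__main__":
    port = AuthenticatorPort()
    data = Frame("aa-bb-cc-dd-ee-ff", "user data")
    print(port.forward(data))                      # dropped: not yet authorized
    print(port.authenticate("alice", "s3cret"))    # True
    print(port.forward(data))                      # controlled
    print(port.reauthenticate("alice", "expired")) # (True, False)
    print("\n".join(port.log))
```

Run as a script to see the message sequence; the `forward` result changes from `dropped` to `controlled` only after the RADIUS stand-in returns Access-Accept, and a failed re-authentication returns the port to the unauthorized state.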