IBM Tivoli and Cisco Network Card User Manual


 
Chapter 2. Architecting the solution 23
The IEEE 802.1X standard addresses the need to authenticate the user or device
trying to connect to a particular network. Point-to-Point Protocol (PPP) can be
used in a basic dial-up scenario, but its built-in authentication is limited to
matching a user name and password. The Extensible Authentication Protocol (EAP)
was designed to provide a transport for other authentication methods. EAP
extends PPP into a framework that can carry several different authentication
methods, such as challenge-response tokens and PKI certificates.
IEEE 802.1X introduces three terms:
Supplicant The user or device that wants to be authenticated and
connect to the network.
Authenticator The device that mediates between the supplicant and the
authentication server. Typically this is a RAS server for
EAP-over-PPP, or a wireless access point or switch for
EAP-over-LAN.
Authentication server The server that performs the authentication, typically a
RADIUS server.
IEEE 802.1X was introduced so that EAP can be used in a consistent way over
either a dial-up or a LAN connection. It defines how an EAP message is
encapsulated directly in an Ethernet frame (EAP over LAN, or EAPOL), so there
is no need for PPP-over-LAN overhead.
Cisco NAC, on the other hand, is a posture-based Network Admission Control
solution. It controls not only who connects to the network but also whether
the client workstation is healthy and complies with all required security
policies.
The Cisco Layer 3 NAC solution implements proprietary extensions to EAP and
uses User Datagram Protocol (UDP) as the transport for EAP (EAP-over-UDP, or
EOU). In Cisco's Layer 2 NAC offerings, EAP is transported over 802.1X.
Using Cisco terminology
The Cisco Trust Agent performs the role of the supplicant. It provides the
authenticator, which is a NAC-enabled Cisco device, with the client's posture
statement. The communication uses either EAP-over-UDP or EAP-over-802.1X. On
the network device, the EAP message is taken out of its Layer 2 or UDP
encapsulation, repackaged into RADIUS, and sent to the Cisco Secure ACS server
(performing the role of the authentication server).
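The two encapsulation steps described above (EAP carried in an EAPOL Ethernet frame from the supplicant, then the same EAP message carried in RADIUS from the authenticator to the authentication server) can be made concrete with a small packet builder. The following is an added example, not code from the IBM Redbook or from any Cisco or IBM product; it follows the public formats in RFC 3748 (EAP), IEEE 802.1X (EAPOL) and RFC 3579 (RADIUS EAP-Message and Message-Authenticator). The identity, MAC address and shared secret are constructed sample values, and Cisco's proprietary EAP-over-UDP framing is deliberately not modeled.

```python
"""EAP -> EAPOL (supplicant) -> RADIUS EAP-Message (authenticator) round trip.

Added example; formats follow RFC 3748, IEEE 802.1X and RFC 3579.
"""
import hashlib
import hmac
import os
import struct

# --- EAP (RFC 3748): Code(1) Identifier(1) Length(2) [Type(1) Type-Data] ---
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def build_eap_identity_response(identifier: int, identity: bytes) -> bytes:
    """Supplicant's answer to an EAP-Request/Identity; Length covers the header."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier,
                       5 + len(identity), EAP_TYPE_IDENTITY) + identity


def parse_eap(packet: bytes) -> dict:
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    info = {"code": code, "identifier": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):  # only these carry a Type byte
        info["type"], info["data"] = packet[4], packet[5:]
    return info


# --- EAPOL (IEEE 802.1X): Ethernet header + Version(1) Type(1) Length(2) -----
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET = 1, 0


def build_eapol_frame(src_mac: bytes, eap_packet: bytes) -> bytes:
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET,
                        len(eap_packet)) + eap_packet
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def extract_eap_from_eapol(frame: bytes) -> bytes:
    """Authenticator side: drop Ethernet + EAPOL headers, keep the EAP packet."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL frame is not an EAP-Packet")
    return frame[18:18 + length]


# --- RADIUS (RFC 2865 / RFC 3579) -------------------------------------------
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(radius_id: int, request_authenticator: bytes,
                         user_name: bytes, eap_packet: bytes,
                         shared_secret: bytes) -> bytes:
    """Relay the unchanged EAP packet to the authentication server."""
    attrs = _attr(ATTR_USER_NAME, user_name)
    for off in range(0, len(eap_packet), 253):  # long EAP packets are split
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[off:off + 253])
    # RFC 3579: Message-Authenticator is mandatory here; it is HMAC-MD5 over the
    # whole packet with its own 16-byte value set to zero.
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id,
                         20 + len(attrs)) + request_authenticator
    mac = hmac.new(shared_secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_and_extract_eap(packet: bytes, shared_secret: bytes) -> bytes:
    """Authentication server side: check the HMAC, reassemble the EAP packet."""
    eap_parts, received_mac, zeroed, off = [], None, bytearray(packet), 20
    while off < len(packet):
        atype, alen = packet[off], packet[off + 1]
        value = packet[off + 2:off + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap_parts.append(value)
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            received_mac, zeroed[off + 2:off + alen] = value, bytes(16)
        off += alen
    if received_mac is None:
        raise ValueError("EAP-Message without Message-Authenticator (RFC 3579)")
    expected = hmac.new(shared_secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, received_mac):
        raise ValueError("bad Message-Authenticator")
    return b"".join(eap_parts)


def demo() -> dict:
    identity = b"alice@example.com"          # constructed sample identity
    src_mac = bytes.fromhex("001122334455")  # constructed supplicant MAC
    secret = b"radius-shared-secret"         # constructed RADIUS secret
    eap = build_eap_identity_response(0x07, identity)
    frame = build_eapol_frame(src_mac, eap)                # supplicant -> switch
    relayed = extract_eap_from_eapol(frame)                # switch unwraps EAPOL
    req = build_access_request(0x2A, os.urandom(16), identity, relayed, secret)
    recovered = verify_and_extract_eap(req, secret)        # server unwraps RADIUS
    return {"eap": eap, "frame": frame, "radius": req,
            "recovered": recovered, "parsed": parse_eap(recovered)}
```

The point the example makes is that the EAP packet itself is never changed in transit: only the outer envelope differs between the supplicant-to-authenticator leg (EAPOL, EtherType 0x888E) and the authenticator-to-server leg (RADIUS EAP-Message attributes). The Message-Authenticator is the one piece of integrity protection on the RADIUS leg, which is why RFC 3579 makes it mandatory whenever EAP-Message is present; a tampered packet is rejected by the verification step above.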
The main difference between IEEE 802.1X and the Cisco implementation lies in
the authentication process:
With generic IEEE 802.1X, the EAP messages carry only identity information,
and authentication is performed using credentials provided by the supplicant.