IEEE 802.1X Overview. Port Based Network Access Control



Similar documents
IEEE 802.1X For Wireless LANs

Certficate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN. Daniel Schwarz

How To Secure Your Network With 802.1X (Ipo) On A Pc Or Mac Or Macbook Or Ipo On A Microsoft Mac Or Ipow On A Network With A Password Protected By A Keyed Key (Ipow)

What information will you find in this document?

Enhanced Intranet Management in a DHCP-enabled Environment

Executive Summary. This white paper includes the following sections: A.What Does 802.1x Do? B. An Overview of the 802.1x Standard

Using IEEE 802.1x to Enhance Network Security

Lecture 3. WPA and i

802.11b Wireless LAN Authentication, Encryption, and Security

Chapter 10 Security Protocols of the Data Link Layer

Switching in an Enterprise Network

How To Authenticate With Port Based Authentication

Objectives. Explain the Role of Redundancy in a Converged Switched Network. Explain the Role of Redundancy in a Converged Switched Network

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Configuring Wired 802.1x Authentication on Windows Server 2012

The 802.1x specification

Bridge Functions Consortium

User Authentication in the Enterprise Network

HARTING Ha-VIS Management Software

Understanding and Configuring 802.1X Port-Based Authentication

WLAN Security. Giwhan Cho Distributed/Mobile Computing System Lab. Chonbuk National University

What is VLAN Routing?

Network security, TKK, Nov

Network Authentication X Secure the Edge of the Network - Technical White Paper

802.1X Authentication, Link Layer Discovery Protocol (LLDP), and Avaya IP Telephones

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

Interconnecting Cisco Networking Devices: Accelerated (CCNAX) 2.0(80 Hs) 1-Interconnecting Cisco Networking Devices Part 1 (40 Hs)

Management Switch User's Guide

Objectives. The Role of Redundancy in a Switched Network. Layer 2 Loops. Broadcast Storms. More problems with Layer 2 loops

SSVP SIP School VoIP Professional Certification

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version Rev.

CHAPTER 10 LAN REDUNDANCY. Scaling Networks

Technical Note. CounterACT: 802.1X and Network Access Control

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

EVOLVING ENTERPRISE NETWORKS WITH SPB-M APPLICATION NOTE

FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE

A Dynamic Extensible Authentication Protocol for Device Authentication in Transport Layer Raghavendra.K 1, G. Raghu 2, Sumith N 2

LAN Switching Computer Networking. Switched Network Advantages. Hubs (more) Hubs. Bridges/Switches, , PPP. Interconnecting LANs

Port-Based Authentication

MAC Authentication Bypass

Network Security. Chapter 10 Security Protocols of the Data Link Layer

L2F Case Study Overview

CCNP SWITCH: Implementing High Availability and Redundancy in a Campus Network

TRILL for Service Provider Data Center and IXP. Francois Tallet, Cisco Systems

Ha-VIS FTS 3000 Introduction and features

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Cisco 12 CCNA Certification

SSVVP SIP School VVoIP Professional Certification

Configuring Cisco Nexus 5000 Switches Course DCNX5K v2.1; 5 Days, Instructor-led

» WHITE PAPER X and NAC: Best Practices for Effective Network Access Control.

24 GE + 2 GE SFP L2 Managed Switch

AT-S63 and AT-S63 NE Version Management Software for the AT-9400 Series Layer 2+ Gigabit Ethernet Switches Software Release Notes

Security Technology White Paper

Network Security: WLAN Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

WLAN Access Security Technical White Paper. Issue 02. Date HUAWEI TECHNOLOGIES CO., LTD.

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

Networking 4 Voice and Video over IP (VVoIP)

Model 2120 Single Port RS-232 Terminal Server Frequently Asked Questions

Gigabit Ethernet Web Smart 8-Port Switch 2 Combo SFP Open Slot

CTS2134 Introduction to Networking. Module Network Security

Switch Configuration Required to Support Cisco ISE Functions

Interoperability between Avaya IP phones and ProCurve switches

48 GE PoE-Plus + 2 GE SFP L2 Managed Switch, 375W

QoS Switching. Two Related Areas to Cover (1) Switched IP Forwarding (2) 802.1Q (Virtual LANs) and 802.1p (GARP/Priorities)

Cisco Certified Network Associate - Design

Virtual LANs. or Raj Jain

CompTIA Network+ (Exam N10-005)

Configure WorkGroup Bridge on the WAP131 Access Point

Datasheet. Managed Gigabit Switches with SFP. Models: ES-24-Lite, ES-48-Lite. Non-Blocking Throughput Switching Performance

DSL Forum. Working Text WT-101

16-PORT POWER OVER ETHERNET WEB SMART SWITCH

Course Contents CCNP (CISco certified network professional)

Abstract. MEP; Reviewed: GAK 10/17/2005. Solution & Interoperability Test Lab Application Notes 2005 Avaya Inc. All Rights Reserved.

Network configuration for the IBM PureFlex System

Attacks Due to Flaw of Protocols Used In Network Access Control (NAC), Their Solutions and Issues: A Survey

Overview of Routing between Virtual LANs

Central Office Testing of Network Services

AT-S60 Version Management Software for the AT-8400 Series Switch. Software Release Notes

Network Access Security It's Broke, Now What? June 15, 2010

co Sample Configurations for Cisco 7200 Broadband Aggreg

802.1x in the Enterprise Network

User Manual 24 Port PoE 10/100/1000M with 4 Combo Gigabit SFP Open Slot Web Smart Switch

Local Address Management in IoT environments

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

TECHNICAL NOTE. GoFree WIFI-1 web interface settings. Revision Comment Author Date 0.0a First release James Zhang 10/09/2012

How To Switch In Sonicos Enhanced (Sonicwall) On A 2400Mmi 2400Mm2 (Solarwall Nametra) (Soulwall 2400Mm1) (Network) (

APPENDIX 3 LOT 3: WIRELESS NETWORK

Local Area Networking technologies Unit number: 26 Level: 5 Credit value: 15 Guided learning hours: 60 Unit reference number: L/601/1547

Datasheet. Managed Gigabit Fiber Switch. Model: ES-12F. Non-Blocking Throughput Switching. High Performance and Low Latency

CS 356 Lecture 29 Wireless Security. Spring 2013

Cisco Which VPN Solution is Right for You?

Cisco Small Business Smart Switches

Case Study - Configuration between NXC2500 and LDAP Server

Transcription:

IEEE 802.1X Overview Port Based Network Access Control

802.1X Motivation and History Increased use of 802 LANs in public and semi-public places Desire to provide a mechanism to associate end-user identity with the port of access to the LAN establish authorized access enable billing and accounting mechanisms personalize network access environment Leverage existing AAA infrastructure currently used by other forms of network access (e.g. dial-up). Initially intended for 802.1D, but since expanded to include other access devices (e.g. 802.11, smart repeater).

802.1X Overview A method for performing authentication to obtain access to IEEE 802 LANs. Ideally occurs at the first point of attachment (i.e. the edge). Specifies a protocol between devices desiring access to the bridged LAN and devices providing access to the bridged LAN. Specifies the requirements for a protocol between the Authenticator and an Authentication server (e.g. RADIUS). Specifies different levels of access control and the behavior of the port providing access to the bridged LAN. Specifies management operations via SNMP.

Definitions Authenticator The entity that requires the entity on the other end of the link to be authenticated. Supplicant The entity being authenticated by the Authenticator and desiring access to the services of the Authenticator. Port Access Entity (PAE) The protocol entity associated with a port. May support functionality of Authenticator, Supplicant or both. Authentication Server An entity providing authentication service to the Authenticator. Maybe co-located with Authenticator, but most likely an external server.

General Topology PAE Semi-Public Network / Enterprise Edge PAE Enterprise Network Authenticator (e.g. Edge Switch) EAP Over RADIUS EAP Over LANs (EAPOL) EAP Over RADIUS R A D I U S Authentication Server Suplicant

Principal of Operation Supplicant s System Supplicant PAE Authenticator s System Services Offered by Authenticator (e.g Bridge Relay) Authenticator PAE Authentication Server s System Authentication Server Controlled port Uncontrolled port Port Authorize MAC Enable LAN

Full Control and Partial Control Full Control prohibits transmission and reception through the controlled port unless authorized. Partial Control allows transmission through the controlled port to support Wake-on-LAN Partial Control may be changed to Full Control by higher layers (e.g. Bridge Detection software to avoid Spanning Tree Loops).

Protocol Overview Encapsulate the Extensible Authentication Protocol (RFC 2284) in 802 Frames (EAPOL) with a few extensions to handle unique characteristics of 802 LANs. EAP is a general protocol supporting multiple authentication methods (smart cards, Kerberous, public key, one-time password, etc). Authenticator passes authentication exchanges between supplicant and authentication server. Authenticator PAE enables the controlled port based upon the result of the authentication exchanges.

IEEE 802.1X Conversation Bridge Laptop computer EAPOL-Start Port connect EAPOL EAP-Request/Identity Ethernet Access blocked Radius Server RADIUS EAP-Response/Identity EAP-Request EAP-Response (cred) EAP-Success Radius-Access-Request Radius-Access-Challenge Radius-Access-Request Radius-Access-Accept Access allowed

Possible Additional Services Allow port VLAN membership to be assigned as outcome of authentication enables the un-authenticated VLAN enables end-station manageability after failed authentication enables the association of VLAN assignment to user identity Allow mechanism to initiate LAN usage accounting. Supports a mechanism to associate incoming traffic priority with user identity Exchange of 802.11 session keys

802.1X Summary Low impact mechanism for addressing enduser authenticated access to 802 LANs Applicable to a variety of access devices (e.g. 802.1D bridges, 802.11 APs, Smart 802.3 repeaters, DSL environments) Leverages existing AAA infrastructure Extensible protocol to support future authentication methods.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information