802.1x is a public standard that defines port-based user authentication. 802.1x is also a mechanism for user identity and authentication over both wired and wireless network infrastructures. 802.1x is considered by many to be fairly complex, with several Extensible Authorization Protocol (EAP) types that define how authentication is implemented on the network. This chapter attempts to demystify 802.1x, provide an overview of Cisco Identity-Based Networking Services (IBNS) and machine authentication, and discuss how 802.1x can complement Network Admission Control (NAC). In this chapter, you also learn the basics of some of the most popular EAP types and how 802.1x can participate in an EzVPN network for telecommuting and remote branch offices.
Fundamentals of 802.1x
The IEEE 802.1x standard is designed to provide port-based user authentication onto a network. Prior to the 802.1x standard, many mechanisms existed to determine if a user was authorized to join the network. However, these mechanisms were often proprietary and typically were often independent of the port or entrance point in to the network. The ability to define port or link-layer authentication to the network allows the ability to assign a user or group of users network access policy attributes including virtual LAN (VLAN) and access control lists (ACLs) when the user authenticates and logs on to the network. IEEE 802.1x provides a standard mechanism for port or link-level user authentication and works in concert with traditional port-level security.
An example of traditional port-level security is the ability to specify what MAC addresses, or layer 2 addresses, are allowed through a particular Catalyst LAN switch port. In addition to user-based authentication, IEEE 802.1x can also support device-based authentication to authenticate a device name to a certificate authority or to a Windows Active Directory system prior to user authentication. The IEEE 802.1x standard was designed to provide an open, secure, and scalable mechanism for port-based or link-layer user authentication.
802.1x comprises the following three major components:
Authentication server—The authentication server is an 802.1x server and often contains other user authentication services like Remote Authentication Dial-In User Service (RADIUS). The authentication server often provides user authentication services for both 802.1x and other access methods like remote access IPSec VPNs. Cisco Secure Access Control Server (ACS) is an example of an authentication server.
Authenticator—The authentication client, or authenticator, is the network component that receives the initial request for port-based user authentication. The authenticator is typically a switch or wireless access-point.
Supplicant—The supplicant resides on the end-device, like a laptop, desktop computer, or PDA. Some end-device platforms, including the pervasive Microsoft XP, contain a native 802.1x supplicant. Full-featured 802.1x supplicants can also be purchased from third parties for Windows and other platforms, including Linux and MacOS.
IEEE 802.1x defines a PPP connection between the end-device supplicant (for example, PC) and authenticator (for example, Catalyst LAN switch). IEEE 802.1x allows EAP messages to be transported between the supplicant and the authentication server. Communication between the authenticator and authentication server (for example, Cisco Access Control Server [ACS]) is performed with the RADIUS protocol. Figure 5-1 displays an example of the 802.1x components in a network.
Figure 5-1 802.1x Network