IronShield White Paper
White Paper: 802.1X Port Authentication with Microsoft's Active Directory
802.1X Port Authentication Basics
Foundry’s implementation of 802.1X Port Authentication is based on a series of standards:
• RFC 2284 PPP Extensible Authentication Protocol (EAP)
• RFC 2865 Remote Authentication Dial In User Service (RADIUS)
• RFC 2869 RADIUS Extensions
There are three components that are used to create an authentication mechanism based on 802.1X standards:
Client/Supplicant, Authenticator, Authentication Server.
Client/Supplicant
The client, or supplicant, is the device that needs authenticating to the network.
It supplies the username and password information to the Authenticator. The
client uses the Extensible Authentication Protocol (EAP) to talk to the
Authenticator.
Authenticator
The Authenticator is the Foundry device performing the 802.1X port security and
it controls access to the network. The Authenticator receives the username and
password information from the client, passes it onto the Authentication Server,
and performs the necessary block or permit action based on the results from the
Authentication Server. The Authenticator uses RADIUS to speak to the
Authentication Server.
Authentication Server
The Authentication Server validates the username and password information
from the Client and specifies whether or not access is granted. The
Authentication Server may also specify optional parameters to control things
such as VLAN access. Foundry’s 802.1X implementation currently supports
standard RADIUS Authentication Servers.
802.1X Clients use the Extensible Authentication Protocol (EAP) and EAP Over LAN (EAPOL) to securely encapsulate the communications between the Client and Authenticator. The Authenticator uses RADIUS to communicate with the Authentication Server.
Before the Client is authenticated, the network port is set to the uncontrolled (unauthorized) state and only allows EAPOL authentication traffic between the Client and the Authentication Server. All other normal data traffic is blocked. When the client authentication is complete and access is granted, the controlled port is set in the authorized state to grant full network access.
Figure 1. Port Authentication Process
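Added example, not code from the paper or from Foundry: how the Authenticator relays the Client's EAP-Response/Identity to the Authentication Server inside a RADIUS Access-Request using the EAP-Message and Message-Authenticator attributes of RFC 2869, and how the server checks that Message-Authenticator before trusting the EAP payload. The shared secret, identity and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                      # RADIUS code for Access-Request
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # attribute types

def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP Response (code 2) of type Identity (1): code, id, length, type, data."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (header included), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(secret: bytes, ident: int, req_auth: bytes,
                         username: bytes, eap_msg: bytes) -> bytes:
    """Authenticator side: wrap the Client's EAP packet in an Access-Request.
    Message-Authenticator = HMAC-MD5(secret, whole packet with that attribute
    zeroed), which RFC 2869 requires whenever EAP-Message is present."""
    body = (attr(USER_NAME, username) + attr(EAP_MESSAGE, eap_msg)
            + attr(MESSAGE_AUTHENTICATOR, b"\0" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac      # replace the zero placeholder

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Authentication Server side: recompute the HMAC with the attribute value
    zeroed and compare in constant time. False if the attribute is missing."""
    pos = 20                              # attributes start after the header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False                  # malformed attribute, stop parsing
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\0" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False

if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample values
    req_auth = os.urandom(16)                      # Request Authenticator
    eap = eap_response_identity(1, b"alice")
    pkt = build_access_request(secret, 7, req_auth, b"alice", eap)
    print(len(pkt), verify_message_authenticator(secret, pkt))
```

A server that skips this check accepts EAP-Message contents from anyone who can reach its RADIUS port, so the verify step is what ties the relayed EAP exchange to the Authenticator that holds the shared secret.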
March 2003, Version 1.0.0, page 4. ©2003 Foundry Networks, Inc. All Rights Reserved.