Xerox NS-2260 User Manual

1.5.10 802.1X Port-Based Network Access Control

For some IEEE 802 LAN environments, it is desirable to restrict access to the services offered by the LAN
to those users and devices that are permitted to make use of those services. IEEE 802.1X Port-based
network access control function provide a means of authenticating and authorizing devices attached to a
LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in
which the authentication and authorization process fails. The 802.1X standard relies on the client to provide
credentials in order to gain acces s to the network. The credentials are not based on a hardware address.
Instead, they can be either a username/password combination or a certificate. The credentials are not
verified by the switch but are sent to a Remote Authentication Dial-In User Service (RADIUS) server,
which maintains a database of authentication information. 802.1X consists of three components for
authentication exchange, which are as follows:

_

An 802.1X authenticator: This is the port on the switch that has services to offer to an end device,

provided the device supplies the proper credentials.

_

An 802.1X supplicant: This is the end device; for example, a PC that connects to a switch that is

requesting to use the services (port) of the device. The 802.1X supplicant must be able to respond to
communicate.

_

An 802.1X authentication server: This is a RADIUS server that examines the credentials provided to the authenticator from the supplicant and provides

the authentication service. The authentication server is responsible for letting the authenticator know if services should be granted.
The 802.1X authenticator operates as a go-between with the supplicant and the authentication server to
provide services to the network. When a switch is configured as an authenticator, the ports of the switch
must then be configured for authorization. In an authenticator-initiated port authorization, a client is
powered up or plugs into the port, and the authenticator port sends an Extensible Authentication Protocol
(EAP) PDU to the supplicant requesting the identification of the supplicant. At this point in the process, the
port on the switch is connected from a physical standpoint; however, the 802.1X process has not authorized
the port and no frames are passed from the port on the supplicant into the switching engine. If the PC
attached to the switch did not understand the EAP PDU that it was receiving from the switch, it would not
be able to send an ID and the port would remain unauthorized. In this state, the port would never pass any
user traffic and would be as good as disabled. If the client PC is running the 802.1X EAP, it would respond
to the request with its configured ID. (This could be a username/password combination or a certificate.)

After the switch, the authenticator receives the ID from the PC (the supplicant). The switch then passes the
ID information to an authentication server (RADIUS server) that can verify the identification information.
The RADIUS server responds to the switch with either a success or failure message. If the response is a
success, the port will be authorized and user traffic will be allowed to pass through the port like any switch
port connected to an access device. If the response is a failure, the port will remain unauthorized and,
therefore, unused. If there is no response from the server, the port will also remain unauthorized and will
not pass any traffic.

The following configuration settings are required in the switch to make 802.1X function work: