
Port-based Network Access Control
802.1X provides port-based authentication, which involves communication between a supplicant, an authenticator, and an authentication server. The supplicant is usually software on a client device such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS database. The authenticator acts like a security guard for a protected network: the supplicant (i.e., the client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been authenticated. With 802.1X port-based authentication, the supplicant provides credentials, such as a user name and password or a digital certificate, to the authenticator, which forwards them to the authentication server for verification. If the credentials are valid (that is, present in the authentication server's database), the supplicant is allowed to access resources located on the protected side of the network.

Upon detection of a new client (supplicant), the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator sends an EAP-Request Identity to the supplicant; the supplicant answers with an EAP-Response packet, which the authenticator forwards to the authentication server. If the authentication server accepts the request, the authenticator sets the port to the "authorized" state and normal traffic is allowed. When the supplicant logs off, it sends an EAP-Logoff message to the authenticator, which then sets the port back to the "unauthorized" state, once again blocking all non-EAP traffic.

Prerequisites
The concept of port-based authentication via 802.1X enables the implementation of an intelligent and secure network. Careful planning is, however, essential. The following prerequisites must be met:
- Furnish uniform 802.1X-enabled switch components
- Prepare a VLAN concept
- Protect transitions between VLANs
- All end-user devices must possess a supplicant and be provided with a certificate
- If Wake-on-LAN functionality is part of your client management strategy, this must be considered when selecting components
- The central RADIUS server must be highly available! All network activity will come to a halt should it become unavailable
Any end-user devices that cannot be provided with a supplicant, and any network segments that do not support authentication, must be covered by a MAC-based solution (macmon).
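The port-state sequence described in the introduction, together with the RADIUS-availability point from the list above, as an added simulation in Python (not code from the original page or from macmon). The frame types, the AuthServer stand-in and its credential table are constructed assumptions; the logoff frame is written as EAPOL-Logoff, the on-the-wire name of the EAP-Logoff message in the text.

```python
from dataclasses import dataclass

ETHERTYPE_EAPOL = 0x888E  # 802.1X EAPOL frames, the only traffic allowed while unauthorized
ETHERTYPE_IPV4 = 0x0800   # stands in for "other traffic" such as DHCP and HTTP

@dataclass
class Frame:
    ethertype: int
    eap: str = ""         # EAPOL-Start, EAP-Response, EAPOL-Logoff (simplified EAP conversation)
    identity: str = ""
    credential: str = ""

class AuthServer:
    """Stand-in for the RADIUS database; creds is a constructed identity -> secret table."""
    def __init__(self, creds, available=True):
        self.creds, self.available = creds, available

    def verify(self, identity, credential):
        # An unreachable server can never answer Accept, so no port ever becomes authorized.
        return self.available and self.creds.get(identity) == credential

class AuthenticatorPort:
    """One switch port; starts 'unauthorized' when a new supplicant is detected."""
    def __init__(self, server):
        self.server, self.state = server, "unauthorized"

    def receive(self, frame):
        if frame.ethertype != ETHERTYPE_EAPOL:
            return "forward" if self.state == "authorized" else "drop"  # blocked at layer 2
        if frame.eap == "EAPOL-Start":
            return "EAP-Request/Identity"
        if frame.eap == "EAP-Response":
            # The authenticator does not check credentials itself; it relays to the server.
            if self.server.verify(frame.identity, frame.credential):
                self.state = "authorized"
                return "EAP-Success"
            return "EAP-Failure"
        if frame.eap == "EAPOL-Logoff":
            self.state = "unauthorized"
            return "port-unauthorized"
        return "ignored"

def run_session(port, identity, credential):
    """Drive one supplicant through start, authentication, data traffic and logoff."""
    steps = [Frame(ETHERTYPE_IPV4), Frame(ETHERTYPE_EAPOL, "EAPOL-Start"),
             Frame(ETHERTYPE_EAPOL, "EAP-Response", identity, credential),
             Frame(ETHERTYPE_IPV4), Frame(ETHERTYPE_EAPOL, "EAPOL-Logoff"), Frame(ETHERTYPE_IPV4)]
    return [port.receive(f) for f in steps]
```

Running `run_session` with a valid, an invalid, and an unreachable-server case shows that IPv4 traffic is only forwarded between EAP-Success and EAPOL-Logoff, and that no port can be authorized while the server is down.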
Implementation approach
Our security experts can assist you in specifying and implementing 802.1X security concepts. Where a technical prerequisite is not yet available in the present IT architecture, we recommend implementing LAN access protection via macmon as a short-term measure. The architecture configured in this way should be retained to protect any non-802.1X-compatible systems in the future.
Further information is available in our downloads.