14. Introducing 802.1x
» 802.1X is an IEEE standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
15. Component Protocols
» Two protocols are involved in the authentication conversation:
  EAPoL, exchanged between Supplicant and Authenticator. EAPoL (Extensible Authentication Protocol over LAN) is the protocol defined in IEEE 802.1X.
  RADIUS, exchanged between Authenticator and Authentication Server. RADIUS has received specific extensions to interoperate with EAPoL.
17. Dynamic VLAN Assignment / Guest VLAN
[Diagram: Router and RADIUS Server attached to stacked Core Switches; link aggregation down to the Authentication Switches; endpoints: PCs in Guest VLAN 10, PC, Linux host and Printer in Data VLAN 20, IP Phones in Voice VLAN 30]
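The RADIUS side of the conversation, as an added example that is not part of the slides and not code from Allied Telesis or Microsoft: the extensions slide 15 alludes to are the EAP-Message and Message-Authenticator attributes of RFC 3579, which carry the EAP packets inside RADIUS and let the authenticator verify the reply, and the dynamic VLAN of slide 17 is delivered in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of RFC 3580. The server-side builder and the authenticator-side check are in Python; the shared secret, Request Authenticator, VLAN numbers and the policy that an Access-Reject lands the port in the guest VLAN are all constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865) and the attribute types used below: Tunnel-* from RFC 2868,
# EAP-Message and Message-Authenticator from RFC 3579, VLAN values from RFC 3580.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 64, 65
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed policy values for this example (the slide shows guest VLAN 10, data VLAN 20).
GUEST_VLAN = 10          # where a failed authentication is placed (a policy choice, not a standard)
PORT_DEFAULT_VLAN = 20   # the port's static VLAN when the Accept carries no VLAN attributes


def attr(atype, value):
    """One RADIUS attribute: Type, Length (includes the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: a 1-byte tag followed by a 3-byte big-endian value."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def vlan_attrs(vlan_id):
    """The RFC 3580 triple that tells the switch which VLAN to put the port in."""
    return (attr(ATTR_TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE_802))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan_id).encode()))


def build_response(code, ident, request_auth, secret, attrs):
    """Server side. Message-Authenticator = HMAC-MD5(secret) over the packet with the
    Request Authenticator in the authenticator field and its own value zeroed (RFC 3579 3.2);
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)."""
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))       # placeholder, filled below
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Yield (type, offset, value) for each attribute; refuse truncated or zero-length ones."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, pos, data[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_response(packet, request_auth, secret):
    """Authenticator side: both authenticators must check out before any attribute is trusted."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected_ra = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected_ra, resp_auth):
        return False
    try:
        parsed = parse_attrs(attrs)
    except ValueError:
        return False
    for atype, pos, value in parsed:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False   # RFC 3579 requires Message-Authenticator on EAP replies; reject without it


def port_vlan(packet, request_auth, secret):
    """Decide the port VLAN from a reply; None means leave the port unauthorized."""
    if not verify_response(packet, request_auth, secret):
        return None                       # forged, replayed with a bad secret, or corrupted
    code = packet[0]
    if code == ACCESS_REJECT:
        return GUEST_VLAN                 # constructed policy for a failed authentication
    if code != ACCESS_ACCEPT:
        return None
    attrs = {atype: value for atype, _, value in parse_attrs(packet[20:])}
    ttype = attrs.get(ATTR_TUNNEL_TYPE)
    tmed = attrs.get(ATTR_TUNNEL_MEDIUM_TYPE)
    gid = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or tmed is None or gid is None:
        return PORT_DEFAULT_VLAN          # Accept without a VLAN assignment
    if (int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_IEEE_802):
        return None                       # not a VLAN assignment: do not guess
    if gid and gid[0] <= 0x1F:            # RFC 2868: a leading byte <= 0x1F is the tag
        gid = gid[1:]
    try:
        vlan = int(gid.decode("ascii"))
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))   # constructed values
    eap_success = bytes([3, 7, 0, 4])                            # EAP-Success, id 7, length 4
    reply = build_response(ACCESS_ACCEPT, 7, ra, secret,
                           attr(ATTR_EAP_MESSAGE, eap_success) + vlan_attrs(20))
    print("port VLAN:", port_vlan(reply, ra, secret))
```

The order of checks in `port_vlan` is the point a switch implementer cares about: the VLAN attributes are only read after the Response Authenticator and the Message-Authenticator have been verified against the shared secret, so a reply that was not produced by the RADIUS server cannot move a port between VLANs.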
18. Allied Telesis & Microsoft NAP
[Diagram: RADIUS Server on Windows Server 2008 (Network Policy Server (NPS), Domain Controller) connected by NIC teaming/802.3ad to stacked Core Switches; link aggregation down to the Authentication Switches; endpoints: two Windows Vista PCs (VLAN10, VLAN30), IP Phone (VLAN40), Printer (VLAN30)]
802.1x Authentication
[Diagram: 802.1x authentication message exchange; only the label "Supplicant MAC" survived extraction]
RADIUS stands for Remote Authentication Dial In User Service.
It is an authentication service that was first defined in RFC2058 in 1997. It has been extended significantly in further RFCs since then.
This diagram illustrates an exchange using the EAP-MD5 authentication method, which is the simplest authentication method supported by 802.1x.
The EAPoL-Logoff message, of course, is not sent immediately after the other messages in the diagram, but later on, at the end of the supplicant's data session, when it wishes to disconnect from the network.
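The exchange these notes describe, as an added example rather than a diagram from the deck: a Python simulation of the EAPoL frames and EAP packets of an EAP-MD5 conversation, with the supplicant's response computed as RFC 3748 section 5.4 specifies, the server's check of it, and the EAPOL-Logoff that ends the session. The identity, password store, challenge and server name are constructed, and the authenticator is modelled as a pass-through relay (a real one would forward the EAP packets to the RADIUS server inside EAP-Message attributes).

```python
import hashlib
import hmac
import os
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes/types (RFC 3748) used in the exchange.
EAPOL_VERSION = 2                                    # 802.1X-2004 framing
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4

# Constructed credential store on the authentication server.
USER_DB = {b"alice": b"correct horse battery"}


def eapol(ptype, body=b""):
    """EAPOL PDU: Version, Type, Body Length, Body. On the wire this follows an Ethernet
    header with EtherType 0x888E addressed to the PAE group MAC 01:80:C2:00:00:03."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap(code, ident, etype=None, data=b""):
    """EAP packet: Code, Identifier, Length, then Type and Type-Data for Request/Response."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eapol(pdu):
    _version, ptype, length = struct.unpack("!BBH", pdu[:4])
    if length > len(pdu) - 4:
        raise ValueError("EAPOL body length exceeds PDU")
    return ptype, pdu[4:4 + length]


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    body = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        return code, ident, body[0], body[1:]        # Type, Type-Data
    return code, ident, None, body                   # Success/Failure carry no type


def md5_challenge_response(ident, secret, challenge):
    """RFC 3748 5.4 (RFC 1994 4.1): Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def run_exchange(identity, password, challenge=None):
    """Drive the EAP-MD5 conversation. Returns (transcript, authorized after EAP-Success,
    authorized after the EAPOL-Logoff that ends the session)."""
    challenge = challenge or os.urandom(16)
    log = []

    # Supplicant -> Authenticator: EAPOL-Start asks the port to begin authentication
    ptype, _ = parse_eapol(eapol(EAPOL_START))
    log.append("S->A EAPOL-Start")

    # Authenticator -> Supplicant: EAP-Request/Identity (identifier 1)
    frame = eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    log.append("A->S EAP-Request/Identity")

    # Supplicant -> Authenticator: EAP-Response/Identity echoing the identifier
    _, req = parse_eapol(frame)
    _, rid, _, _ = parse_eap(req)
    frame = eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, rid, EAP_TYPE_IDENTITY, identity))
    log.append("S->A EAP-Response/Identity")

    # Server (relayed by the authenticator): EAP-Request/MD5-Challenge (identifier 2)
    _, resp = parse_eapol(frame)
    _, _, _, claimed = parse_eap(resp)
    chal_data = bytes([len(challenge)]) + challenge + b"auth-server"   # Value-Size, Value, Name
    frame = eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE, chal_data))
    log.append("A->S EAP-Request/MD5-Challenge")

    # Supplicant: hash the received challenge with its password and answer
    _, req = parse_eapol(frame)
    _, cid, _, data = parse_eap(req)
    recv_chal = data[1:1 + data[0]]
    value = md5_challenge_response(cid, password, recv_chal)
    frame = eapol(EAPOL_EAP_PACKET,
                  eap(EAP_RESPONSE, cid, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + value + identity))
    log.append("S->A EAP-Response/MD5-Challenge")

    # Server: recompute with the stored secret and compare in constant time
    _, resp = parse_eapol(frame)
    _, rcid, _, data = parse_eap(resp)
    given = data[1:1 + data[0]]
    expected = md5_challenge_response(rcid, USER_DB.get(claimed, b""), challenge)
    ok = claimed in USER_DB and hmac.compare_digest(given, expected)
    frame = eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if ok else EAP_FAILURE, rcid))
    log.append("A->S " + ("EAP-Success" if ok else "EAP-Failure"))

    # Supplicant sees the result; the authenticator opens the port only on EAP-Success
    _, res = parse_eapol(frame)
    rcode, _, _, _ = parse_eap(res)
    authorized = rcode == EAP_SUCCESS

    # Much later, at the end of the session: EAPOL-Logoff returns the port to unauthorized
    ptype, _ = parse_eapol(eapol(EAPOL_LOGOFF))
    after_logoff = authorized and ptype != EAPOL_LOGOFF
    log.append("S->A EAPOL-Logoff")
    return log, authorized, after_logoff


if __name__ == "__main__":
    transcript, up, down = run_exchange(b"alice", b"correct horse battery")
    print("\n".join(transcript), "\nauthorized:", up, "after logoff:", down)
```

The MD5-Challenge response binds the identifier, the password and the server's challenge, so the only thing the server learns is that the supplicant knows the password: EAP-MD5 provides neither mutual authentication nor key derivation (RFC 3748 section 5.4), which is what makes it the simplest method.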