User manual
xStack DES-3800 Series Layer 3 Stackable Fast Ethernet Managed Switch
204
802.1x Port-Based and MAC-Based Access Control
The IEEE 802.1x standard is a security measure for authorizing and authenticating users to gain access to various wired or
wireless devices on a specified Local Area Network by using a Client and Server based access control model. This is
accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible
Authentication Protocol over LAN (EAPOL) packets between the Client and the Server. The following figure represents a
basic EAPOL packet:
Figure 11- 4. EAPOL Packet
Utilizing this method, unauthorized devices are restricted from connecting to a LAN through a port to which the user is
connected. EAPOL packets are the only traffic that can be transmitted through the specific port until authorization is
granted. The 802.1x Access Control protocol consists of three components, each of which is vital to creating and
maintaining a stable and working Access Control security method.
Figure 11- 5. Three Functions of 802.1x
The following section will explain Client, Authenticator, and Authentication Server in greater detail.
Authentication Server
The Authentication Server is a remote device that is connected to the same network as the Client and Authenticator, must
be running a RADIUS Server program and must be configured properly on the Authenticator (Switch). The Authentication
Server (RADIUS) must authenticate clients connected to a port on the Switch before attaining any services offered by the
Switch on the LAN. The role of the Authentication Server is to certify the identity of the Client attempting to access the
network by exchanging secure information between the RADIUS server and the Client through EAPOL packets and, in
turn, informs the Switch whether or not the Client is granted access to the LAN and/or switch services.