Security Solutions

1-21
Access Control Concepts
Network Access Control Technologies
802.1X
The industry-standard Institute of Electrical and Electronics Engineers
(IEEE) 802.1X protocol provides the most secure form of network access
control. Its standardized framework enables vendor-neutral implementations.
802.1X binds the state of a user’s port (open or closed) to the user’s authentication state—ensuring that users are properly identified and controlled as soon as they connect to a network.
Process. An endpoint follows this process to connect to a network that
enforces 802.1X authentication:
1. The endpoint, which is running an 802.1X supplicant, establishes a Data-Link Layer connection to the PEP:
   - An Ethernet cable is plugged into a switch and the link opens.
   - A wireless endpoint associates with a wireless AP.
Note The 802.1X supplicant is usually running on an endpoint, as described in these
steps. However, network infrastructure devices can also have supplicants,
enabling them to authenticate to the network. For example, you might impose
802.1X authentication on all switch ports, even those to which APs connect.
You would then configure the 802.1X supplicants on legitimate APs so that
they could authenticate to the network and be granted access. Rogue APs, on
the other hand, would be denied access.
2. The PEP shuts down the connection to all traffic except EAP authentication messages. It sends an EAP challenge to the endpoint’s 802.1X supplicant.
3. An 802.1X supplicant returns an EAP message that typically contains its username. The PEP proxies the supplicant’s response to the authentication server and the server’s reply back to the supplicant, thereby creating a logical connection between the supplicant and the authentication server.
4. Within this logical data tunnel, the supplicant and the authentication
server exchange authentication information. The exact process, as well
as the type of credentials exchanged and the security of the tunnel,
depends on the EAP method, which you will learn about later.
5. The authentication server verifies the user’s credentials against its own or a centrally managed data store. The authentication server may also retrieve policy information, such as rules for the times the user is allowed on the network or rules specifying authorization instructions (for example, a VLAN assignment).
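The five steps above as a runnable model, added here as an illustration and not code from the original text. The supplicant, the PEP (authenticator) and the authentication server are plain Python classes; the challenge-response carried inside the EAP tunnel is a constructed HMAC stand-in for a real EAP method, the user store and VLAN assignments are constructed sample data, and the PEP's forward() check shows the port state being bound to the authentication result: before step 5 completes only EAP frames pass, afterwards data passes only if the server returned Success.

```python
"""Toy model of the 802.1X port-authentication flow (supplicant, PEP, auth server)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample data: stands in for the authentication server's user store
# and its per-user authorization policy (here only a VLAN assignment).
USER_DB = {
    "alice": {"password": "correct horse", "vlan": 10},
    "bob": {"password": "battery staple", "vlan": 20},
}


@dataclass
class EAPMessage:
    code: str                 # "Request", "Response", "Success" or "Failure"
    payload: dict = field(default_factory=dict)


class Supplicant:
    """802.1X supplicant running on the endpoint (hypothetical class)."""

    def __init__(self, identity, password):
        self.identity = identity
        self.password = password

    def respond(self, request):
        kind = request.payload.get("type")
        if kind == "Identity":                      # step 3: answer with the username
            return EAPMessage("Response", {"type": "Identity", "identity": self.identity})
        if kind == "Challenge":                     # step 4: prove the credential
            mac = hmac.new(self.password.encode(), request.payload["nonce"], hashlib.sha256).hexdigest()
            return EAPMessage("Response", {"type": "Challenge", "identity": self.identity, "mac": mac})
        return EAPMessage("Response", {"type": "Nak", "identity": self.identity})


class AuthenticationServer:
    """Verifies credentials and returns authorization attributes (hypothetical class)."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}                           # identity -> outstanding nonce

    def handle(self, msg):
        kind = msg.payload.get("type")
        identity = msg.payload.get("identity")
        if msg.code != "Response" or identity is None:
            return EAPMessage("Failure")
        if kind == "Identity":
            # Issue a challenge even for unknown users so the reply does not
            # reveal which usernames exist; the check happens when the answer arrives.
            nonce = os.urandom(16)
            self.pending[identity] = nonce
            return EAPMessage("Request", {"type": "Challenge", "nonce": nonce})
        if kind == "Challenge":
            nonce = self.pending.pop(identity, None)
            user = self.user_db.get(identity)
            if nonce is None or user is None:
                return EAPMessage("Failure")
            expected = hmac.new(user["password"].encode(), nonce, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, msg.payload.get("mac", "")):
                # step 5: success carries the policy result (VLAN assignment)
                return EAPMessage("Success", {"vlan": user["vlan"]})
            return EAPMessage("Failure")
        return EAPMessage("Failure")


class Authenticator:
    """The PEP (switch or AP). Port state is bound to the authentication outcome."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.vlan = None

    def forward(self, frame_type):
        """Uncontrolled port always passes EAPOL; controlled port passes data only once authorized."""
        return frame_type == "EAPOL" or self.port_authorized

    def authenticate(self, supplicant):
        # step 2: the PEP itself starts the exchange by asking for an identity
        msg = supplicant.respond(EAPMessage("Request", {"type": "Identity"}))
        # steps 3-4: proxy messages between supplicant and server until a verdict
        while True:
            reply = self.server.handle(msg)
            if reply.code in ("Success", "Failure"):
                break
            msg = supplicant.respond(reply)
        # step 5 outcome: open or keep closed the controlled port
        self.port_authorized = reply.code == "Success"
        self.vlan = reply.payload.get("vlan") if self.port_authorized else None
        return self.port_authorized


if __name__ == "__main__":
    pep = Authenticator(AuthenticationServer(USER_DB))
    print("data before auth:", pep.forward("DATA"))
    print("alice authenticated:", pep.authenticate(Supplicant("alice", "correct horse")), "vlan", pep.vlan)
    print("data after auth:", pep.forward("DATA"))
```

A wrong password or an unknown identity leaves port_authorized False and vlan None, so the controlled port stays closed while EAPOL frames still pass, which is the behaviour the text describes for step 2.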