3com 8807 User Guide
25
802.1
X
C
ONFIGURATION
802.1x Overview
802.1x Standard
Overview
IEEE 802.1x (hereinafter simplified as 802.1x) is a port-based network access
control protocol that is used as the standard for LAN user access authentication.
control protocol that is used as the standard for LAN user access authentication.
In the LANs complying with the IEEE 802 standards, the user can access the
devices and share the resources in the LAN through connecting the LAN access
control device like the LAN Switch. However, in telecom access, commercial LAN (a
typical example is the LAN in the office building) and mobile office etc., the LAN
providers generally hope to control the user’s access. In these cases, the
requirement on the above-mentioned "Port Based Network Access Control"
originates.
devices and share the resources in the LAN through connecting the LAN access
control device like the LAN Switch. However, in telecom access, commercial LAN (a
typical example is the LAN in the office building) and mobile office etc., the LAN
providers generally hope to control the user’s access. In these cases, the
requirement on the above-mentioned "Port Based Network Access Control"
originates.
As the name implies, "Port Based Network Access Control" means to authenticate
and control all the accessed devices on the port of LAN access control device. If the
user’s device connected to the port can pass the authentication, the user can
access the resources in the LAN. Otherwise, the user cannot access the resources
in the LAN. It equals that the user is physically disconnected.
and control all the accessed devices on the port of LAN access control device. If the
user’s device connected to the port can pass the authentication, the user can
access the resources in the LAN. Otherwise, the user cannot access the resources
in the LAN. It equals that the user is physically disconnected.
802.1x defines port based network access control protocol and only defines the
point-to-point connection between the access device and the access port. The
port can be either physical or logical. The typical application environment is as
follows: Each physical port of the LAN Switch only connects to one user
workstation (based on the physical port) and the wireless LAN access environment
defined by the IEEE 802.11 standard (based on the logical port), etc.
point-to-point connection between the access device and the access port. The
port can be either physical or logical. The typical application environment is as
follows: Each physical port of the LAN Switch only connects to one user
workstation (based on the physical port) and the wireless LAN access environment
defined by the IEEE 802.11 standard (based on the logical port), etc.
802.1x System
Architecture
The system using the 802.1x is the typical C/S (Client/Server) system architecture. It
contains three entities, which are illustrated in Figure 58: Supplicant System,
Authenticator System and Authentication Sever System.
contains three entities, which are illustrated in Figure 58: Supplicant System,
Authenticator System and Authentication Sever System.
The LAN access control device needs to provide the Authenticator System of
802.1x. The devices at the user side such as the computers need to be installed
with the 802.1x client Supplicant software, for example, the 802.1x client
provided by 3Com Corporation Co., Ltd. (or by Microsoft Windows XP). The
802.1x Authentication Sever system normally stays in the carrier’s AAA center.
802.1x. The devices at the user side such as the computers need to be installed
with the 802.1x client Supplicant software, for example, the 802.1x client
provided by 3Com Corporation Co., Ltd. (or by Microsoft Windows XP). The
802.1x Authentication Sever system normally stays in the carrier’s AAA center.
Authenticator and Authentication Sever exchange information through EAP
(Extensible Authentication Protocol) frames. The Supplicant and the Authenticator
exchange information through the EAPoL (Extensible Authentication Protocol over
LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the
EAP frame, which is to be encapsulated in the packets of other AAA upper layer
protocols (e.g. RADIUS) so as to go through the complicated network to reach the
Authentication Server. Such procedure is called EAP Relay.
(Extensible Authentication Protocol) frames. The Supplicant and the Authenticator
exchange information through the EAPoL (Extensible Authentication Protocol over
LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the
EAP frame, which is to be encapsulated in the packets of other AAA upper layer
protocols (e.g. RADIUS) so as to go through the complicated network to reach the
Authentication Server. Such procedure is called EAP Relay.