
IEEE 802.1X PORT BASED NETWORK ACCESS CONTROL
DEFINITION

• “Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices”.

• “IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports”.
USING IEEE 802.1X

• Purpose:
  a) Port authentication
  b) Access control
• Used in both wired and wireless networks
• Primary goal: to allow for controlled access to the LAN environment
• Authentication of Layer 2 devices
• Before a device is allowed to connect to the physical or logical port of a switch or a wireless access point, it first needs to be authenticated and authorized.
• Example uses: Ethernet, Token Ring, 802.11 WLAN
FUNCTION OF PBNAC

• Port-based network access control regulates access to the network, guarding against transmission and reception by unidentified or unauthorized parties, and consequent network disruption, theft of service, or data loss.
PBNAC

• It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
• IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as “EAP over LAN” or EAPOL.
WHAT IS IEEE 802.1X ?

• IEEE 802.1X is the IEEE standard for Port-based Network Access Control.
• It provides an authentication mechanism to devices attaching to LAN or WLAN infrastructure.
• IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol over Ethernet-type networks.
• Works between the supplicant and the authenticator.
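The two slides above (PBNAC and WHAT IS IEEE 802.1X) both state that 802.1X is the encapsulation of EAP over IEEE 802 frames. The following is an added example, not code from the slides: a small builder and parser for that encapsulation, following the EAPOL header layout from IEEE 802.1X (EtherType 0x888E, version, packet type, body length) and the EAP packet layout from RFC 3748. The MAC addresses are constructed; the PAE group address 01:80:C2:00:00:03 and the EAPOL protocol version 2 (802.1X-2004) are taken from the standard. The parser checks every length field against the bytes actually present, which is the check a switch or supplicant implementation must make before trusting a frame from an unauthenticated port.

```python
import struct

# Added example (not from the slides): minimal EAPOL/EAP frame builder and parser.

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address
EAPOL_VERSION = 2                                # 802.1X-2004 protocol version

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(packet_type, body=b"", version=EAPOL_VERSION):
    """EAPOL PDU: Version(1) Type(1) Body-Length(2) Body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def build_frame(dst, src, eapol):
    """Ethernet frame carrying an EAPOL PDU (EtherType 0x888E)."""
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eap(body):
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field inconsistent with body")
    pkt = {"code": EAP_CODES.get(code, code), "id": identifier}
    if code in (1, 2):  # Request/Response carry a Type octet
        if length < 5:
            raise ValueError("EAP Request/Response without Type")
        pkt["type"] = EAP_TYPES.get(body[4], body[4])
        pkt["data"] = body[5:length]
    return pkt


def parse_frame(frame):
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL body truncated")  # never trust Body-Length blindly
    parsed = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
              "version": version, "type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:  # only EAP-Packet PDUs carry an EAP packet in the body
        parsed["eap"] = parse_eap(body)
    return parsed


def example_frames():
    """Constructed sample: the first two EAPOL frames of an authentication."""
    supplicant_mac = bytes.fromhex("001122334455")    # constructed address
    authenticator_mac = bytes.fromhex("66778899aabb")  # constructed address
    # Supplicant announces itself to the PAE group address with EAPOL-Start
    start = build_frame(PAE_GROUP_ADDR, supplicant_mac, build_eapol(1))
    # Authenticator answers with EAP-Request/Identity (id 1) inside an EAP-Packet
    request_identity = build_frame(supplicant_mac, authenticator_mac,
                                   build_eapol(0, build_eap(1, 1, 1)))
    return start, request_identity


if __name__ == "__main__":
    for f in example_frames():
        print(parse_frame(f))
```

The EAPOL-Start frame is 18 bytes (no body); the EAP-Request/Identity frame is 23 bytes (4-byte EAPOL header plus a 5-byte EAP packet). Cutting one byte off the end makes `parse_frame` reject it rather than read past the buffer.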
WHY IEEE 802.1X ?

• For the purpose of providing compatible authentication, authorization, and cryptographic key agreement mechanisms to support secure communication between devices connected by IEEE 802® Local Area Networks (LANs), this standard specifies a general method for provision of port-based network access control.
IEEE 802.1X ENTITIES

802.1X authentication involves three entities:

• A Supplicant (which is a client)
• An Authenticator (an access point)
• An Authentication Server
1. Supplicant:
   • requests to connect to a LAN

2. Authenticator:
   • responsible for initiating the authentication process
   • acting as a relay between the authentication server and the supplicant

3. Authentication server:
   • responsible for doing the actual authentication & authorization
PAE (PORT ACCESS ENTITY)

• The Port Access Entity (PAE) operates the algorithms and protocols associated with the authentication mechanisms for a given Port of the System.
• In the Supplicant role, the PAE is responsible for responding to requests from an Authenticator for information that will establish its credentials. The PAE that performs the Supplicant role in an authentication exchange is known as the Supplicant PAE.
• In the Authenticator role, the PAE is responsible for communication with the Supplicant, and for submitting the information received from the Supplicant to a suitable Authentication Server in order for the credentials to be checked and for the consequent authorization state to be determined.
• The PAE that performs the Authenticator role in an authentication exchange is known as the Authenticator PAE.
PORT-BASED NETWORK ACCESS ARCHITECTURE
TERMS IN ARCHITECTURE

• Supplicant: the user or client to be authenticated
• RADIUS Server: the server which does the authentication
• Authenticator: the device between the Supplicant and the RADIUS server
• EAPOL: Extensible Authentication Protocol over LANs
KEY ASPECTS:

• Supplicant = End Station Software
• Authenticator = Wired Switch or SSID
• Authentication Server = ensures certificates or passwords are correct.
SEQUENCE DIAGRAM OF 802.1X PROGRESSION

Explanation:
• The authenticator sends an EAP request packet to the supplicant.
• The supplicant sends an EAP response packet to the authenticator.
• The authenticator forwards the packet to the RADIUS server.
• The RADIUS server sends a challenge (for a token or password) back to the authenticator.
CONTD..

• The authenticator re-encapsulates the challenge from the IP (RADIUS) packet into EAPOL and sends it to the supplicant.
• The supplicant responds to the challenge, and the authenticator passes the response on to the authentication server.
• If the challenge succeeds, the authentication server responds with a success message allowing access to the LAN.
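The exchange described on the two sequence slides above, and the Supplicant PAE / Authenticator PAE roles from the PAE slide, as an added example that is not part of the original deck: the three entities are simulated in one process, the authenticator never authenticates anything itself but relays EAP between the EAPOL side and the RADIUS side and flips its controlled port from unauthorized to authorized only on an Access-Accept carrying EAP-Success. The RADIUS leg is modelled as plain dictionaries with Access-Request, Access-Challenge, Access-Accept and Access-Reject codes and an EAP-Message attribute (an assumption for readability, not a wire encoding), and the challenge method is EAP-MD5 because it is the shortest challenge/response method to show; the credential store and identities are constructed. EAP-MD5 provides no mutual authentication and no key material, so the same relay structure is what a deployment would run with EAP-TLS or PEAP instead.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): the 802.1X sequence simulated in-process.
# EAP messages and the RADIUS leg are plain dicts; EAP-MD5 is used only because
# it is the simplest challenge/response method to demonstrate.

USERS = {"alice": b"correct horse"}  # constructed credential store


def md5_challenge_response(identifier, password, challenge):
    """EAP-MD5 (RFC 3748 section 5.4): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """Supplicant PAE: answers the authenticator's EAP Requests with its credentials."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, eap):
        if eap["code"] == "Request" and eap["type"] == "Identity":
            return {"code": "Response", "id": eap["id"], "type": "Identity",
                    "data": self.identity.encode()}
        if eap["code"] == "Request" and eap["type"] == "MD5-Challenge":
            return {"code": "Response", "id": eap["id"], "type": "MD5-Challenge",
                    "data": md5_challenge_response(eap["id"], self.password, eap["data"])}
        return None  # Success/Failure end the exchange; nothing to send back


class AuthenticationServer:
    """Does the actual authentication and authorization; never sees the supplicant directly."""
    def __init__(self, users):
        self.users, self.sessions = users, {}

    def handle(self, request):
        eap, sid = request["EAP-Message"], request["Session-Id"]
        if eap["code"] == "Response" and eap["type"] == "Identity":
            challenge = os.urandom(16)
            self.sessions[sid] = {"identity": eap["data"].decode(),
                                  "challenge": challenge, "id": eap["id"] + 1}
            return {"code": "Access-Challenge",
                    "EAP-Message": {"code": "Request", "id": eap["id"] + 1,
                                    "type": "MD5-Challenge", "data": challenge}}
        if eap["code"] == "Response" and eap["type"] == "MD5-Challenge":
            s = self.sessions.pop(sid, None)  # one challenge, one answer
            password = self.users.get(s["identity"]) if s else None
            expected = md5_challenge_response(s["id"], password, s["challenge"]) if password else None
            if s and expected and eap["id"] == s["id"] and hmac.compare_digest(eap["data"], expected):
                return {"code": "Access-Accept", "EAP-Message": {"code": "Success", "id": eap["id"]}}
        return {"code": "Access-Reject", "EAP-Message": {"code": "Failure", "id": eap["id"]}}


class Authenticator:
    """Authenticator PAE: relays EAP between EAPOL and RADIUS and gates the port."""
    def __init__(self, server):
        self.server = server
        self.port_state = "unauthorized"  # controlled port drops data until EAP-Success
        self.transcript = []
        self.session_counter = 0

    def forward_data(self, frame):
        """Only EAPOL crosses an unauthorized port; ordinary data frames are dropped."""
        return self.port_state == "authorized"

    def authenticate(self, supplicant):
        self.session_counter += 1
        sid = self.session_counter
        eap = {"code": "Request", "id": 1, "type": "Identity", "data": b""}
        self.transcript.append("authenticator -> supplicant: EAPOL EAP-Request/Identity")
        while True:
            response = supplicant.handle(eap)
            self.transcript.append(f"supplicant -> authenticator: EAPOL EAP-Response/{response['type']}")
            reply = self.server.handle({"Session-Id": sid, "EAP-Message": response})
            self.transcript.append(f"server -> authenticator: RADIUS {reply['code']}")
            eap = reply["EAP-Message"]
            if eap["code"] in ("Success", "Failure"):
                if eap["code"] == "Success":
                    self.port_state = "authorized"  # the only path that opens the port
                self.transcript.append(f"authenticator -> supplicant: EAPOL EAP-{eap['code']}")
                return self.port_state
            # Challenge arrived over IP/RADIUS; re-encapsulate it in EAPOL for the supplicant
            self.transcript.append(f"authenticator -> supplicant: EAPOL EAP-Request/{eap['type']}")


def run_exchange(identity, password):
    auth = Authenticator(AuthenticationServer(USERS))
    state = auth.authenticate(Supplicant(identity, password))
    return state, auth


if __name__ == "__main__":
    state, auth = run_exchange("alice", b"correct horse")
    print("\n".join(auth.transcript), "\nport:", state)
```

A wrong password or an unknown identity produces Access-Reject, the authenticator relays EAP-Failure, and `forward_data` keeps returning False; the server compares the response with `hmac.compare_digest` and discards the session after one answer so a challenge cannot be replayed.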
AUTHENTICATION USING EAP

• The Extensible Authentication Protocol can be used to mutually authenticate a Supplicant PAE and an Authenticator PAE, each associated with a Port attached to the same LAN.
• EAP is a general protocol that supports multiple authentication mechanisms including the use of Kerberos, Public Key Encryption, and One Time Passwords.
PORT BASED NETWORK ACCESS CONTROL APPLICATIONS

• Host access using individual, physically secure, point-to-point LANs
• Infrastructure support with physically secure, point-to-point LANs
• Host access using MAC and point-to-point or multi-access LANs
• Infrastructure LANs using MAC
• Group host access using MAC
• Virtual shared media infrastructure LANs using MAC
REFERENCES

• IEEE 802.1X Port-Based Network Access Control Overview
• https://en.wikipedia.org/wiki/IEEE_802.1X
THANK YOU !
