Cisco IOS Software support for 802.1x functionality can be leveraged to
improve security on telecommuter connections, where a remote worker has one
or more computers in the home and needs to prevent a spouse or children from
gaining access to the corporate network. Through the application of a default
user policy, the spouse and children have access to the public Internet, but
not to the business network.
Extranet VPN offers
another application for 802.1x access control, in which users at partner
facilities are not allowed to access corporate resources until their controlled
credentials are provided, ensuring that unauthorized users cannot access the
network and that traffic from network attacks does not cross into the
partner's network.
802.1x technology can be leveraged inside the enterprise to ensure that only
permitted users are allowed access to network connectivity resources. This
capability could be integrated with other workstation software components to
ensure that users' computers have all required software updates, such as
operating system service packs or antivirus software signature files. This
prevents users that represent a security risk from accessing restricted network
resources.
802.1x in Cisco IOS Increases Network Security and Reliability
802.1x makes unauthorized access to protected resources
more difficult through the requirement of valid access credentials. By
deploying 802.1x, administrators effectively eliminate the possibility of users
deploying unauthorized wireless access points, resolving one of the biggest
issues of easy-to-deploy wireless network equipment.
Several components of 802.1x support in Cisco IOS Software offer capabilities
for increased security on access router platforms:
With 802.1x port-based
authentication, the devices in the network have specific roles as shown in
Figure
.
- Client – the device, such as a workstation, that requests access to the LAN
  and switch services and responds to requests from the switch. The
  workstation must be running an 802.1x-compliant client.
- Authentication server – performs the actual authentication of the client.
  The authentication server validates the identity of the client and notifies
  the switch whether or not the client is authorized to access the LAN and
  switch services. Because the switch acts as the proxy, the authentication
  service is transparent to the client. In this release, the RADIUS security
  system with EAP extensions is the only supported authentication server. It
  is available in Cisco Secure ACS version 3.0 and higher. RADIUS operates in
  a client/server model in which secure authentication information is
  exchanged between the RADIUS server and one or more RADIUS clients.
- Switch – controls physical access to the network based on the
  authentication status of the client. The switch can be a Catalyst 3550
  switch, a Catalyst 2950 switch, or a wireless access point. The switch acts
  as an intermediary between the client and the authentication server,
  requesting identity information from the client, verifying that information
  with the authentication server, and relaying a response to the client. The
  switch includes the RADIUS client, which is responsible for encapsulating
  and decapsulating the EAP frames and interacting with the authentication
  server.
When the switch receives EAP over LAN (EAPOL) frames and relays them to
the authentication server, the Ethernet header is stripped and the remaining
EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not
modified or examined during encapsulation, and the authentication server must
support EAP within the native frame format. When the switch receives frames
from the authentication server, the server's frame header is removed,
leaving the EAP frame, which is then encapsulated for Ethernet and sent to the
client.
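The relay step described above, as an added illustration rather than Cisco's own code: the EAP packet is lifted out of the EAPOL frame unchanged, carried in RADIUS EAP-Message attributes (fragmented at the 253-byte attribute limit), and re-wrapped in EAPOL for the client. The supplicant MAC address and the Identity response are constructed sample values.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # EtherType of 802.1x EAPOL frames
EAPOL_EAP_PACKET = 0       # EAPOL packet type 0 = EAP-Packet
RADIUS_EAP_MESSAGE = 79    # RADIUS EAP-Message attribute type (RFC 3579)
MAX_ATTR_VALUE = 253       # largest RADIUS attribute value (255 minus 2-byte header)

def eap_from_eapol(frame: bytes) -> bytes:
    """Strip the Ethernet and EAPOL headers; return the EAP packet untouched."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    if pkt_type != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL packet type %d carries no EAP packet" % pkt_type)
    body = frame[18:18 + body_len]        # drops any Ethernet padding after the body
    if len(body) != body_len or body_len < 4:
        raise ValueError("truncated EAPOL body")
    eap_len = struct.unpack("!H", body[2:4])[0]   # EAP header: code, id, length
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length inconsistent with EAPOL body")
    return body[:eap_len]

def radius_eap_message_attrs(eap: bytes) -> bytes:
    """Encode an EAP packet as RADIUS EAP-Message attribute(s), fragmenting at 253 bytes."""
    out = bytearray()
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[i:i + MAX_ATTR_VALUE]
        out += struct.pack("!BB", RADIUS_EAP_MESSAGE, len(chunk) + 2) + chunk
    return bytes(out)

def eap_from_radius_attrs(attrs: bytes) -> bytes:
    """Walk a RADIUS attribute list and reassemble EAP-Message fragments in order."""
    eap, pos = bytearray(), 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + alen]
        pos += alen
    return bytes(eap)

def eapol_from_eap(dst: bytes, src: bytes, eap: bytes) -> bytes:
    """Re-encapsulate an EAP packet from the server in EAPOL v1 for delivery to the client."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, EAPOL_EAP_PACKET, len(eap)) + eap
# Constructed sample: EAP-Response/Identity "alice" (code 2, id 1, length 10), padded to 60 bytes
PAE_GROUP = bytes.fromhex("0180c2000003")    # 802.1x PAE group destination address
CLIENT_MAC = bytes.fromhex("001122334455")   # made-up supplicant address
SAMPLE_EAP = bytes.fromhex("0201000a01") + b"alice"
SAMPLE_FRAME = eapol_from_eap(PAE_GROUP, CLIENT_MAC, SAMPLE_EAP).ljust(60, b"\x00")
```

Note that the EAP bytes are never inspected beyond their length field: the switch forwards EAP opaquely, so the authentication server must understand whichever EAP method the client uses.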