Identity-Based Networking Services (IBNS)
802.1x components

802.1x can be deployed to authenticate users, such as desktop users in a corporation or teleworkers accessing the network from a home office. In the home office scenario, access control is required in order to prevent other residents of the home from gaining access to controlled corporate resources. The authenticator and the supplicant are the two components used to implement 802.1x functionality. The authenticator is the network component that checks credentials and applies the access policy; it is usually implemented on a router, switch, or wireless access point. The supplicant is a software component on the user's workstation that answers the challenge from the authenticator. Supplicant functionality may also be implemented on network devices so that they can authenticate to upstream devices. Mutual authentication may also be employed when network devices must enforce access policy toward each other. Cisco IOS Software does not currently support mutual authentication.

In the simplest scenario, no traffic is allowed to flow from a client device to the network until the client authenticates. 802.1x frames are the only traffic between the client, or supplicant, and the access-control device, or authenticator. A user trying to access network resources must provide access credentials using software on the client workstation. Microsoft Windows XP includes 802.1x supplicant support, while an add-on component for Microsoft Windows 2000 is available as a Microsoft Hotfix.

When the user provides credentials, they are transmitted to the authenticator using a variant of EAP. The user's information is encrypted in the EAP exchange so that the credentials cannot easily be compromised. The authenticator forwards the credentials to the AAA server, which verifies them against its database. If the AAA server is configured to return a network access policy, it returns the policy associated with the user or the user's group. The authenticator applies that policy to the user's connection, allowing traffic to flow accordingly. The policy may include traffic engineering values, VLAN information for the user's connection, and IP address information.

The authenticator can be configured with default access policies that offer restricted connectivity to client devices without supplicant support. This gives unauthenticated users limited network access, but they must provide credentials in some other fashion if they need access to restricted resources. A default policy may be required for IP phones, for instance, since IP phones do not yet include supplicant capability.
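The flow described above (supplicant to switch over EAPOL, switch to AAA server over RADIUS, VLAN policy returned by the server, and a restricted default VLAN for devices with no supplicant) as it would be configured on a Cisco IOS access switch. This is an added, constructed example and not configuration from the original page; the server address 192.0.2.10, the VLAN numbers, the interface name and the shared-secret placeholder are assumed values.

```cisco
! Constructed example: 802.1x authenticator on a Cisco IOS access switch.
! Assumed values: RADIUS server 192.0.2.10, VLAN 20 (employees), VLAN 99 (restricted).
aaa new-model
! Send 802.1x credentials to the RADIUS server group for verification
aaa authentication dot1x default group radius
! Accept the network access policy (e.g. VLAN) that the AAA server returns
aaa authorization network default group radius
! <SHARED-SECRET> is a placeholder; use the secret configured on the AAA server
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
! Enable 802.1x globally; without this, per-port settings have no effect
dot1x system-auth-control
!
interface FastEthernet0/1
 description Employee desktop port (supplicant expected)
 switchport mode access
 switchport access vlan 20
 ! Only EAPOL frames pass until the supplicant authenticates. If the RADIUS
 ! Access-Accept carries Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and
 ! Tunnel-Private-Group-ID, that VLAN overrides the static access VLAN.
 dot1x port-control auto
 ! Re-challenge the supplicant periodically so a revoked user is cut off
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 ! Default policy for devices with no supplicant (e.g. IP phones): after the
 ! EAP-Request/Identity retries below go unanswered, authorize the port only
 ! into the restricted VLAN 99 rather than leaving it fully blocked
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 dot1x guest-vlan 99
!
```

Verify the result per port with `show dot1x interface FastEthernet0/1` after a client connects; a port sitting in the guest VLAN shows no authenticated identity and should be reachable only by resources you intend unauthenticated devices to see.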
