Identity-Based Networking Services (IBNS)
802.1x applications with Cisco IOS Software

Cisco IOS Software support for 802.1x functionality can be leveraged to improve security on telecommuter connections, where remote workers have one or more computers in the home and the user needs to prevent their spouse or children from gaining access to the corporate network. Through the application of a default user policy, the spouse and children will have access to the public internet, but not the business network.

Extranet VPN offers another application for 802.1x access control: users at partner facilities are not allowed to access corporate resources until they provide controlled credentials, ensuring that unauthorized users cannot access the network and that traffic from network attacks does not cross into the partner's network.

802.1x technology can be leveraged inside the enterprise to ensure that only permitted users are allowed access to network connectivity resources. This capability could be integrated with other workstation software components to ensure that users' computers have all required software updates, such as operating system service packs or antivirus software signature files. This prevents users that represent a security risk from accessing restricted network resources.

802.1x in Cisco IOS Increases Network Security and Reliability
802.1x makes unauthorized access to protected resources more difficult by requiring valid access credentials. By deploying 802.1x, administrators effectively eliminate the possibility of users deploying unauthorized wireless access points, resolving one of the biggest issues created by easy-to-deploy wireless network equipment.

Several components of 802.1x support in Cisco IOS Software provide increased security on access router platforms:

With 802.1x port-based authentication, the devices in the network have specific roles as shown in Figure .

  • Client – the device, such as a workstation, that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running an 802.1x-compliant client.
  • Authentication server – performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the RADIUS security system with EAP extensions is the only supported authentication server. It is available in Cisco Secure ACS version 3.0 and higher. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Switch – controls physical access to the network based on the authentication status of the client. The switch can be a Catalyst 3550 switch, a Catalyst 2950 switch, or a wireless access point. The switch acts as an intermediary between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.

When the switch receives EAP over LAN (EAPOL) frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
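The relaying described above, modelled as an added Python example (not code from the original document or from Cisco IOS): the Ethernet and EAPOL headers are stripped, the untouched EAP packet is carried in RADIUS EAP-Message attributes together with the Message-Authenticator the server uses to detect tampering, and the EAP packet is recovered again on the server side. The EAPOL frame, MAC addresses and shared secret are constructed sample values.

```python
import hashlib, hmac, os, struct
ETHERTYPE_EAPOL, EAPOL_EAP_PACKET = 0x888E, 0      # EAPOL packet type 0 carries an EAP packet
RADIUS_ACCESS_REQUEST, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
# Constructed sample: EAP Response/Identity (code 2, id 1, type 1) in an EAPOL frame to the PAE group MAC.
SAMPLE_EAP = b"\x02\x01\x00\x15\x01" + b"user@example.com"
SAMPLE_EAPOL = (bytes.fromhex("0180c2000003") + bytes.fromhex("001122334455")
                + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, EAPOL_EAP_PACKET, len(SAMPLE_EAP))
                + SAMPLE_EAP)

def eap_from_eapol(frame):
    """Strip the Ethernet and EAPOL headers; the EAP packet itself is not modified."""
    ethertype, _version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL or ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL frame carrying an EAP packet")
    eap = frame[18:18 + length]
    if len(eap) < 4 or not 4 <= struct.unpack("!H", eap[2:4])[0] <= len(eap):
        raise ValueError("malformed or truncated EAP packet")
    return eap[:struct.unpack("!H", eap[2:4])[0]]

def eap_to_radius(eap, secret, radius_id):
    """Wrap the EAP packet in a RADIUS Access-Request: EAP-Message attributes (253-byte
    values) plus the Message-Authenticator HMAC-MD5 the server uses to detect tampering."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = b"".join(struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(c)) + c for c in chunks)
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zero while hashing
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def radius_attributes(packet):
    """Yield (offset, type, value) per attribute; a zero-length attribute would loop forever."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen

def check_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC with the attribute value zeroed."""
    for pos, atype, value in radius_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def eap_from_radius(packet):
    """Drop the RADIUS header and reassemble the EAP-Message values in order."""
    return b"".join(v for _, t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
```

An EAP packet longer than 253 bytes is split across several EAP-Message attributes and reassembled in order, which is why the server must concatenate them before parsing the EAP header.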