Configuring Port-Based Access Control (802.1X)
Terminology
EAP (Extensible Authentication Protocol): EAP enables network access that
supports multiple authentication methods.
EAPOL: Extensible Authentication Protocol Over LAN,
as defined in the
802.1X standard.
Friendly Client: A client that does not pose a security risk if given access to
the switch and your network.
MD5: An algorithm for calculating a unique digital signature over a stream of
bytes. It is used by CHAP to perform authentication without revealing the
shared secret (password).
PVID (Port VID): This is the VLAN ID for the untagged VLAN to which an
802.1X port belongs.
Static VLAN: A VLAN that has been configured as “permanent” on the switch
by using the CLI vlan < vid > command or the Menu interface.
Supplicant: The entity that must provide the proper credentials to the switch
before receiving access to the network. This is usually an end-user work-
station, but it can be a switch, router, or another device seeking network
services.
Tagged VLAN Membership: This type of VLAN membership allows a port to
be a member of multiple VLANs simultaneously. If a client connected to
the port has an operating system that supports 802.1q VLAN tagging, then
the client can access VLANs for which the port is a tagged member. If the
client does not support VLAN tagging, then it can access only a VLAN for
which the port is an untagged member. (A port can be an untagged
member of only one VLAN at a time.) 802.1X Open VLAN mode does not
affect a port’s tagged VLAN access unless the port is statically configured
as a member of a VLAN that is also configured as the Unauthorized-Client
or Authorized-Client VLAN. See also “Untagged VLAN Membership”.
Unauthorized-Client VLAN: A conventional, static VLAN previously config-
ured on the switch by the System Administrator. It is used to provide
access to a client prior to authentication. It should be set up to allow an
unauthenticated client to access only the initialization services necessary
to establish an authenticated connection, plus any other desirable
services whose use by an unauthenticated client poses no security threat
to your network. (Note that an unauthenticated client has access to all
network resources that have membership in the VLAN you designate as
the Unauthorized-Client VLAN.) A port configured to use a given Unau-
thorized-Client VLAN does not have to be statically configured as a
8-9
To Next Page
Loading...
Need help?
General