Port Authentication using 802.1X
IEEE 802.1X is an IEEE Standard for Port-based Network Access Control (PNAC).
It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.
The supplicant is the client device that wishes to attach to the LAN/WLAN and provides its credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point, and the authentication server is typically a host running software that supports the RADIUS and EAP (Extensible Authentication Protocol) protocols. 802.1X uses EAP for message exchange during the authentication process; EAP allows an arbitrary authentication method to be used, such as certificates, smart cards, or user credentials.
The most common EAP methods are EAP-TLS, EAP-TTLS and EAP-PEAP authentication.
- EAP-TLS is an IETF open standard and is well supported among wireless vendors. It uses PKI certificates on both the client and the authentication server to secure communication with the RADIUS authentication server, and offers very good security.
- EAP-TTLS is widely supported across platforms and offers good security. It requires a PKI certificate only on the authentication server, and carries tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPv2 authentication inside the TLS tunnel.
- EAP-PEAP is similar in design to EAP-TTLS: it requires only a server-side PKI certificate to create a secure TLS tunnel that protects user authentication, with tunneled EAP authentication.
With 802.1X port-based authentication, the supplicant provides credentials, such as a username/password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.
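The supplicant/authenticator exchange described above, as an added example that is not part of the original documentation: it builds and decodes the EAPOL and EAP frames of a wired 802.1X session up to the EAP-TLS Start request, with the length checks a frame parser needs before trusting a frame. The identity string and the frame sequence are constructed for the example (the TLS handshake fragments are omitted).

```python
import struct

ETHERTYPE_EAPOL = 0x888E                       # EAPOL frames ride on this Ethertype
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

def build_eapol(eapol_type, body=b"", version=2):
    """EAPOL header: version(1) type(1) body-length(2), followed by the body."""
    return struct.pack("!BBH", version, eapol_type, len(body)) + body

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP header: code(1) id(1) length(2) [type(1) data]; Success/Failure carry no type."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eapol(frame):
    """Decode one EAPOL frame into a dict; reject frames whose length fields lie."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame too short")
    version, etype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    info = {"eapol": EAPOL_TYPES.get(etype, f"type-{etype}")}
    if etype != 0:                      # EAPOL-Start/Logoff/Key carry no EAP packet
        return info
    if len(body) < 4:
        raise ValueError("EAP packet too short")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen != len(body):
        raise ValueError("EAP length mismatch")
    info.update(code=EAP_CODES.get(code, f"code-{code}"), id=ident)
    if code in (1, 2) and len(body) > 4:   # only Request/Response have a type field
        info["type"] = EAP_TYPES.get(body[4], f"type-{body[4]}")
        if body[4] == 13 and len(body) > 5:  # EAP-TLS flags byte: L=0x80 M=0x40 S=0x20
            info["tls_start"] = bool(body[5] & 0x20)
            info["more_fragments"] = bool(body[5] & 0x40)
        elif body[4] == 1:
            info["identity"] = body[5:].decode("utf-8", "replace")
    return info

# Constructed exchange: supplicant (S) to authenticator (A); TLS handshake omitted
EXCHANGE = [
    ("S->A", build_eapol(1)),                                             # EAPOL-Start
    ("A->S", build_eapol(0, build_eap(1, 1, 1))),                         # Request/Identity
    ("S->A", build_eapol(0, build_eap(2, 1, 1, b"mgu2@example.invalid"))),  # Response/Identity
    ("A->S", build_eapol(0, build_eap(1, 2, 13, bytes([0x20])))),         # EAP-TLS Start
    ("A->S", build_eapol(0, build_eap(3, 2))),                            # EAP-Success
]

def trace(exchange=EXCHANGE):
    """Return (direction, decoded frame) pairs for the whole exchange."""
    return [(direction, parse_eapol(frame)) for direction, frame in exchange]
```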
The Media Gateway supports 802.1X over wired LAN with EAP-TLS as the supported authentication method. The switch port to which the Media Gateway Unit is connected must be configured for 802.1X authentication with multiple hosts; that is, it must be possible to connect multiple hosts to this single port for 802.1X authentication. When one client (MGU2 eth0, signaling) is authenticated, all the other clients (MGU2 eth1, media) are also granted access to the LAN.
The picture below shows port access when the port is unauthorized (dashed line) and when the port is authorized.
