Perle Systems Technical Notes
Port Based Network Access Control
Using IEEE 802.1x and Port Security
The Extensible Authentication Protocol (EAP) was designed for enterprise-grade environments where administrators want to do more for security than simply employing usernames and passwords for access. EAP was originally defined inside PPP's authentication phase and provides a generalized framework for carrying different authentication methods. With a standardized EAP, interoperability and compatibility of authentication methods is simpler. IEEE 802.1X is the standard for passing EAP over a wired or wireless LAN. The encapsulation of EAP over IEEE 802.1X is known as "EAP over LAN" or EAPOL.
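To make the EAPOL encapsulation concrete, here is an added example (not part of the original note and not Perle code) that builds and parses the two frame types a supplicant sends first: an EAPOL-Start, and an EAP Response/Identity carried inside an EAPOL EAP-Packet. The EAPOL header (version, packet type, body length) and the EAP header (code, identifier, length, type) follow IEEE 802.1X and RFC 3748; the MAC addresses and the identity "alice" are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"   # destination of EAPOL frames on a LAN

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    eap_type: Optional[str]   # only Request/Response carry a Type field
    data: bytes


@dataclass
class EapolFrame:
    dst: str
    src: str
    version: int
    packet_type: str
    eap: Optional[EapPacket]  # present only for packet type 0 (EAP-Packet)


def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_eapol(dst: str, src: str, packet_type: int, body: bytes = b"", version: int = 2) -> bytes:
    """Ethernet header + EAPOL header + body (version 2 = 802.1X-2004)."""
    eth = _mac_to_bytes(dst) + _mac_to_bytes(src) + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, packet_type, len(body)) + body


def build_eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """EAP Response (code 2), Type 1 = Identity; length covers the whole EAP packet."""
    length = 4 + 1 + len(identity)
    return struct.pack("!BBHB", 2, identifier, length, 1) + identity


def parse_eap(body: bytes) -> EapPacket:
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    eap_type, data = None, b""
    if code in (1, 2):   # Request / Response carry a Type octet and type data
        if length < 5:
            raise ValueError("EAP Request/Response missing Type octet")
        eap_type = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        data = body[5:length]
    return EapPacket(EAP_CODES.get(code, f"unknown({code})"), identifier, eap_type, data)


def parse_eapol(frame: bytes) -> EapolFrame:
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    eap = parse_eap(body) if ptype == 0 else None
    return EapolFrame(_bytes_to_mac(dst), _bytes_to_mac(src), version,
                      EAPOL_TYPES.get(ptype, f"unknown({ptype})"), eap)


# Constructed sample frames from a supplicant at 00:11:22:aa:bb:cc
SUPPLICANT_MAC = "00:11:22:aa:bb:cc"
SAMPLE_START = build_eapol(PAE_GROUP_ADDRESS, SUPPLICANT_MAC, 1)
SAMPLE_IDENTITY = build_eapol(PAE_GROUP_ADDRESS, SUPPLICANT_MAC, 0,
                              build_eap_response_identity(7, b"alice"))

if __name__ == "__main__":
    print(parse_eapol(SAMPLE_START))
    print(parse_eapol(SAMPLE_IDENTITY))
```

The parser checks both length fields against the bytes actually present before trusting them, which is the check an authenticator (or a packet-inspection tool watching an access port) needs so that a malformed or truncated EAPOL frame is rejected rather than misread.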
802.1X uses three terms that you need to know:
- Supplicant: The user or client device that wants to be authenticated and given access to the network.
- Authentication server: The actual server doing the authentication, typically a RADIUS server.
- Authenticator: The network device (here the Ethernet switch) between the Supplicant and the Authentication Server; it relays the EAP exchange and opens or blocks its port based on the result.
Perle Industrial Managed Switches with the PRO software feature set can operate as an IEEE 802.1X Authenticator or Supplicant.
Using Perle Managed Ethernet Switches as an Authenticator
IEEE 802.1X provides an authentication mechanism for devices wishing to attach to one of the Ethernet switch access ports.
Used in conjunction with a compliant RADIUS authentication server, the Ethernet switch, in its role as an authenticator, will only allow access to its ports (and in turn the network) once the 802.1X device (supplicant) has successfully authenticated with the RADIUS server. Supplicant functionality is available on common workstation operating systems such as Windows.
In cases where a non-802.1X compliant device (such as industrial equipment) needs to be connected to an 802.1X compliant switch, the MAC Authentication Bypass (MAB) feature available on Perle managed Ethernet switches can be used. When enabled, the specific MAC address of the device is used as both the username and the password. With that entry pre-configured in the RADIUS authentication server, the device is granted access to the switch port.
Using Perle Managed Ethernet Switches as a Supplicant
802.1X can extend beyond devices accessing an edge switch. An edge switch can be configured to act as a supplicant towards another switch. This is useful when a switch sits outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured with the 802.1X switch supplicant feature authenticates with the upstream switch (acting as the authenticator) for secure connectivity.
Perle Managed Ethernet Switch Port Security
The port security feature provides the ability to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port (Access or Trunk). When a violation occurs, the switch takes a configured action, such as sending an SNMP trap message to the NMS and shutting down the port.
Port Security and IEEE 802.1X are supported in Perle Industrial Managed Switches with the PRO software feature set.
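The following is an added example (not part of the original note and not Perle firmware code) that models, in one place, the three access-port decisions described above: 802.1X authentication of a supplicant against a RADIUS user store, the MAB fallback in which the device's MAC address serves as both username and password, and port security that caps the number of MAC addresses on a port and shuts the port down with a trap on violation. The RADIUS store, the MAC addresses, the credentials and the trap message format are all constructed for illustration; a real deployment would query a RADIUS server rather than a dictionary.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the RADIUS user store: username -> password.
# MAB entries use the device's MAC (lowercase, no separators) as both values.
RADIUS_USERS = {
    "alice": "s3cret",                    # 802.1X workstation supplicant
    "001122aabbcc": "001122aabbcc",       # industrial device admitted via MAB
}


def radius_check(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed user store."""
    expected = RADIUS_USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def normalize_mac(mac: str) -> str:
    return mac.lower().replace(":", "").replace("-", "").replace(".", "")


@dataclass
class SwitchPort:
    name: str
    mab_enabled: bool = False
    max_secure_macs: int = 1            # port-security limit for this port
    violation_action: str = "shutdown"  # "shutdown" or "restrict" (drop and trap)
    authorized_macs: set = field(default_factory=set)
    is_shutdown: bool = False
    traps: list = field(default_factory=list)   # SNMP traps that would go to the NMS

    def trap(self, message: str) -> None:
        self.traps.append(f"{self.name}: {message}")


def admit(port: SwitchPort, mac: str, identity: str = None, password: str = None) -> str:
    """Authenticator decision for a frame seen on the port.

    Returns "authorized", "denied" or "shutdown". identity/password are the
    802.1X supplicant credentials; when absent and MAB is enabled, the MAC
    itself is tried as username and password.
    """
    if port.is_shutdown:
        return "shutdown"
    mac = normalize_mac(mac)
    if mac in port.authorized_macs:
        return "authorized"

    # Port security: a new MAC beyond the limit is a violation regardless of credentials.
    if len(port.authorized_macs) >= port.max_secure_macs:
        port.trap(f"port-security violation, unexpected MAC {mac}")
        if port.violation_action == "shutdown":
            port.is_shutdown = True
            return "shutdown"
        return "denied"

    if identity is not None:
        ok = radius_check(identity, password or "")
        method = "802.1X"
    elif port.mab_enabled:
        ok = radius_check(mac, mac)
        method = "MAB"
    else:
        ok, method = False, "none"

    if ok:
        port.authorized_macs.add(mac)
        return "authorized"
    port.trap(f"authentication failed for {mac} via {method}")
    return "denied"


def demo() -> dict:
    """Walk three constructed scenarios; returns the outcomes for inspection."""
    access = SwitchPort("Gi1/1", mab_enabled=True, max_secure_macs=1)
    strict = SwitchPort("Gi1/2", mab_enabled=False)
    return {
        "supplicant_ok": admit(strict, "00:aa:bb:cc:dd:01", "alice", "s3cret"),
        "plc_no_mab": admit(SwitchPort("Gi1/3"), "00:11:22:aa:bb:cc"),
        "plc_mab": admit(access, "00:11:22:AA:BB:CC"),
        "second_mac": admit(access, "00:11:22:aa:bb:dd"),
        "after_shutdown": admit(access, "00:11:22:aa:bb:cc"),
        "traps": list(access.traps),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note the ordering: the port-security limit is enforced before any credential check, so a second station appearing on a single-host port is treated as a violation even if it could authenticate. That matches the note's intent that port security restricts which stations may use the port, while 802.1X and MAB decide whether a permitted station is authenticated.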
Image by Arran Cudbard-Bell Arr2036 (Own work)