Perle Systems Technical Notes

Port Based Network Access Control

Using IEEE 802.1x and Port Security

The Extensible Authentication Protocol (EAP) was designed for enterprise-grade environments where administrators want to do more for security than simply employing usernames and passwords for access. EAP sits inside of PPP's authentication protocol and provides a generalized framework for different authentication methods. With a standardized EAP, interoperability and compatibility of authentication methods is simpler. IEEE 802.1X is the standard for passing EAP over a wired or wireless LAN. The encapsulation of EAP over IEEE 802.1x is known as "EAP over LAN" or EAPOL.

802.1x uses three terms that you need to know:

Supplicant: The user or client device that wants to be authenticated and given access to the network.
Authentication server: The actual server doing the authentication, typically a RADIUS server.
Authenticator: The device in between the Supplicant and Authentication Server.

Using Perle as an Authenticator

IEEE 802.1x provides an authentication mechanism to devices wishing to attach to access ports.

Used in conjunction with a compliant RADIUS authentication server, a Perle device, in its role as an authenticator, will only allow access to its ports (and in turn the network), once the 802.1x device (supplicant) has successfully authenticated with the RADIUS server. Supplicant functionality is available on common workstation operating systems such as Windows.

In cases where a non-802.1x complaint device (such as Industrial equipment) needs to be connected to an 802.1x compliant switch, the MAC Authentication Bypass (MAB) feature available on Perle devices can be used. When enabled, the specific MAC address of the device is used as the ID and password. This information, having been pre-configured in the RADIUS authentication server, will enable secure access to the switch port.

Using Perle as a Supplicant

802.1x can extend beyond devices accessing an edge switch. You can configure Perle to act as a supplicant to another switch. This can be used when a Perle device is outside a wiring closet and is connected to an upstream switch through a trunk port. Perle configured with the 802.1x switch supplicant feature authenticates with the upstream switch (acting as the authenticator) for secure connectivity.

Perle Port Security

The port security feature provides the ability to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port (Access or Trunk) and will take specific actions when violations occur such as sending an SNMP trap message to the NMS and shutting down the port.

Perle Products that support IEEE 802.1x and Port Security

LTE Routers

Secure Enterprise-Class Edge Routers & Gateways with Dual SIM Fail-over. 600Mbps downlink and 150Mbps uplink.

IOLAN SCR & SCG Console Servers

Secure data center management of any device with a USB, RS232/422/485, or Ethernet console management port. Integrated firewall, two-factor authentication, Zero Touch Provisioning (ZTP), advanced failover to multiple networks, and full routing capabilities with support for RIP, OSPF, and BGP. Optionally integrated LTE Cellular, WiFi or V.92 modem for multiple alternate access methods when the network is down.

Industrial Switches

Compact Ethernet Switches designed for harsh temperature, vibration and shock environments

Image by Arran Cudbard-Bell Arr2036 (Own work)