Perle Systems Technical Notes
Port Based Network Access Control
Using IEEE 802.1X and Port Security
The Extensible Authentication Protocol (EAP, RFC 3748) was designed for enterprise-grade environments where administrators want more than a username and password to control network access. EAP was originally defined as an authentication option for PPP and provides a generalized framework into which different authentication methods (EAP-TLS, PEAP, EAP-MD5 and others) plug. Because the framework is standardized, a network device only has to relay EAP and does not need to understand every method, which makes interoperability between supplicants, switches and authentication servers simpler. IEEE 802.1X is the standard for carrying EAP over a wired or wireless LAN; the encapsulation it defines is known as "EAP over LAN" or EAPOL (Ethertype 0x888E).
802.1X uses three roles that you need to know:
- Supplicant: The user or client device that wants to be authenticated and given access to the network. It speaks EAPOL on the LAN.
- Authentication server: The server that actually verifies the credentials, typically a RADIUS server. The EAP conversation terminates here.
- Authenticator: The device between the Supplicant and the Authentication Server, typically a switch port or access point. It relays EAP in both directions (EAPOL toward the supplicant, RADIUS toward the server) and keeps the port closed to everything except EAPOL until the server returns a success.
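To make the EAPOL encapsulation concrete, the following is an added example, not code from the original note or from Perle. It builds and parses the opening frames of an 802.1X session: the supplicant's EAPOL-Start to the PAE group address, the authenticator's EAP-Request/Identity, the supplicant's EAP-Response/Identity, and the final EAP-Success. The MAC addresses, the identity string and the frame sequence are constructed for the example; the header layouts, type codes and the 0x888E Ethertype are those of IEEE 802.1X and RFC 3748.

```python
"""Parse and build IEEE 802.1X EAPOL frames carrying EAP (constructed example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address used for EAPOL-Start
ETHERTYPE_EAPOL = 0x888E

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

@dataclass
class Eapol:
    src: str
    dst: str
    version: int
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    eap_data: bytes = b""

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_eapol(frame: bytes) -> Eapol:
    """Decode one Ethernet frame; raises ValueError on anything that is not well-formed EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])  # version 1/2/3 = 802.1X-2001/2004/2010
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = frame[18:18 + length]          # bytes beyond `length` are Ethernet padding and are ignored
    if len(body) < length:
        raise ValueError("EAPOL length exceeds frame")
    pkt = Eapol(_mac(src), _mac(dst), version, EAPOL_TYPES[ptype])
    if ptype != 0:
        return pkt                        # EAPOL-Start / Logoff carry no EAP body
    if length < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[0:4])
    if eap_len < 4 or eap_len > length:
        raise ValueError("EAP length inconsistent with EAPOL length")
    pkt.eap_code, pkt.eap_id = EAP_CODES.get(code, f"unknown({code})"), ident
    if code in (1, 2):                    # only Request/Response carry a Type byte and type-data
        if eap_len < 5:
            raise ValueError("EAP Request/Response missing Type")
        pkt.eap_type = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        pkt.eap_data = body[5:eap_len]
    return pkt

def is_malformed(frame: bytes) -> bool:
    try:
        parse_eapol(frame)
        return False
    except ValueError:
        return True

def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def build_eapol(src: bytes, dst: bytes, eapol_type: int, payload: bytes = b"", version: int = 2) -> bytes:
    hdr = dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, eapol_type, len(payload))
    return (hdr + payload).ljust(60, b"\x00")   # pad to the Ethernet minimum, as a NIC would

# Constructed addresses: a workstation supplicant and the switch port acting as authenticator.
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("aabbccddeeff")

def sample_exchange() -> List[bytes]:
    """The opening of a typical 802.1X session (constructed frames, not a capture)."""
    return [
        build_eapol(SUPPLICANT, PAE_GROUP_ADDR, 1),                                          # EAPOL-Start
        build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(1, 1, 1)),                        # EAP-Request/Identity
        build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(2, 1, 1, b"alice@example.com")),  # EAP-Response/Identity
        build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(3, 1)),                           # EAP-Success (after the method ran)
    ]

def decode_exchange(frames: Optional[List[bytes]] = None) -> List[Eapol]:
    return [parse_eapol(f) for f in (sample_exchange() if frames is None else frames)]

if __name__ == "__main__":
    for p in decode_exchange():
        print(p)
```

The parser checks the EAP length against the EAPOL length rather than against the frame, because a switch port sees padded frames and a supplicant should not be able to make the authenticator read trailing padding as EAP data. The Identity response is the only plaintext credential in the exchange; the method itself (EAP-TLS, PEAP and so on) runs between the supplicant and the RADIUS server, and the authenticator only forwards it.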
Using Perle as an Authenticator
IEEE 802.1x provides an authentication mechanism to devices wishing to attach to access ports.
Used in conjunction with a compliant RADIUS authentication server, a Perle device in its role as an authenticator only opens a port (and in turn access to the network) once the 802.1X device (the supplicant) has successfully authenticated against the RADIUS server; until then the port passes only EAPOL frames. The Perle device does not evaluate the credentials itself: it relays EAP between the supplicant and the server, so the authentication method is whatever the supplicant and the RADIUS server agree on. Supplicant functionality is built into common workstation operating systems such as Windows.
In cases where a device that is not 802.1X compliant (such as industrial equipment) needs to be connected to an 802.1X-enabled switch port, the MAC Authentication Bypass (MAB) feature available on Perle devices can be used. When enabled, the device's MAC address is sent to the RADIUS server as both the user ID and the password; with that MAC address pre-configured on the RADIUS server, the device is granted access to the switch port. Note that MAB only proves possession of a MAC address, which an attacker can read off a label or a captured frame and copy, so it is a fallback for devices that cannot run a supplicant rather than a substitute for 802.1X. Keep the RADIUS entries limited to the specific devices that need them, and consider combining MAB ports with port security.
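The following is an added example, not code from the original note or from Perle, showing what MAB looks like on the wire between the authenticator and the RADIUS server and why it is weaker than a real EAP method. It builds the RADIUS Access-Request the switch would send for a silent device (User-Name and User-Password both set to the MAC, the password hidden with the RFC 2865 §5.2 scheme) and the minimal server-side decision that accepts it against a pre-configured allow-list. The shared secret, request authenticator, MAC addresses and allow-list are constructed; the credential format (lowercase hex, no separators, PAP) is an assumption, since switches differ in separators, case and whether they use PAP or EAP-MD5 for MAB.

```python
"""MAC Authentication Bypass as seen on the RADIUS side (constructed example)."""
import hashlib
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 31, 61
NAS_PORT_TYPE_ETHERNET = 15

def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 §5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of pap_hide, as the RADIUS server performs it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, mask)), block
    return out.rstrip(b"\x00")

def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def mab_credential(mac: str) -> str:
    # Assumed MAB format: lowercase hex without separators, used as both username and password.
    return mac.replace(":", "").replace("-", "").lower()

def build_mab_request(mac: str, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """The Access-Request an authenticator sends for a port whose device never answered EAPOL."""
    cred = mab_credential(mac).encode()
    attrs = (_avp(USER_NAME, cred)
             + _avp(USER_PASSWORD, pap_hide(cred, secret, req_auth))
             + _avp(CALLING_STATION_ID, mac.upper().encode())
             + _avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs

# Constructed allow-list: the server's pre-configured entries for MAB devices (MAC -> description).
MAB_ALLOWLIST = {"001122334455": "PLC, production line 3"}

def server_decide(packet: bytes, secret: bytes) -> int:
    """Minimal RADIUS server logic for MAB: accept if the MAC is listed and the password equals it."""
    if len(packet) < 20:
        return ACCESS_REJECT
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return ACCESS_REJECT
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode("ascii", errors="replace")
    password = pap_reveal(attrs.get(USER_PASSWORD, b""), secret, req_auth).decode("ascii", errors="replace")
    return ACCESS_ACCEPT if user in MAB_ALLOWLIST and password == user else ACCESS_REJECT

if __name__ == "__main__":
    secret, req_auth = b"testing123", bytes(range(16))   # constructed; use a random authenticator in practice
    print(server_decide(build_mab_request("00:11:22:33:44:55", secret, 7, req_auth), secret))  # 2 = Accept
    print(server_decide(build_mab_request("00:11:22:33:44:99", secret, 8, req_auth), secret))  # 3 = Reject
```

Nothing in the request distinguishes the real PLC from a laptop that has set its MAC to 00:11:22:33:44:55: the "password" is public, and the RADIUS shared secret only protects the switch-to-server leg, not the switch port. That is the property the caveat above refers to, and why MAB entries should be few and paired with port-level controls.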
Using Perle as a Supplicant
802.1X can extend beyond end devices accessing an edge switch. You can configure Perle to act as a supplicant to another switch. This is useful when a Perle device sits outside a wiring closet and is connected to an upstream switch through a trunk port: the Perle device, configured with the 802.1X switch supplicant feature, authenticates to the upstream switch (acting as the authenticator) before the trunk is allowed to carry traffic.
Perle Port Security
The port security feature restricts ingress on an interface by limiting how many MAC addresses, and identifying which MAC addresses, are allowed to use the port (access or trunk). When a frame arrives from a source MAC outside that set, the switch takes a configured action, such as sending an SNMP trap to the NMS and shutting down the port. Because port security keys on the source MAC address, it protects against an extra or swapped device on a drop, not against a device that deliberately spoofs an allowed address; for that, 802.1X authentication is needed.
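The following model of port-security enforcement is an added example, not Perle's implementation: one object per port with a MAC limit, a learned-address set, and a violation action. It runs constructed traffic (a PLC on each port, then an attacker's laptop plugged into the same drop) through a shutdown port and a restrict port side by side, so the trade-off is visible: shutting the port down also cuts off the legitimate device until an operator re-enables it. The "restrict" action, the MAC addresses and the trap text are assumptions made for the example.

```python
"""Port-security model: per-port MAC limit with trap/shutdown on violation (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class SecuredPort:
    name: str
    max_macs: int = 1                       # how many distinct source MACs the port may carry
    violation_action: str = "shutdown"      # "shutdown": disable the port; "restrict": drop offender, keep port up
    allowed: Set[str] = field(default_factory=set)   # statically configured or learned ("sticky") MACs
    enabled: bool = True
    violations: int = 0
    traps: List[str] = field(default_factory=list)   # SNMP trap messages that would go to the NMS

    def ingress(self, src_mac: str) -> str:
        """Return what the switch does with a frame arriving from src_mac on this port."""
        if not self.enabled:
            return "drop: port shut down"
        mac = src_mac.lower()
        if mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.max_macs:
            self.allowed.add(mac)           # learn a new station while still under the limit
            return "forward (learned)"
        self.violations += 1
        self.traps.append(f"port-security violation on {self.name}: unexpected MAC {mac}")  # constructed text
        if self.violation_action == "shutdown":
            self.enabled = False            # err-disabled until an operator re-enables it
            return "drop: violation, port shut down"
        return "drop: violation"

def run_sample() -> Dict[str, object]:
    """Constructed traffic: a PLC talks, an attacker's laptop appears on the same drop, the PLC talks again."""
    plc, laptop = "00:11:22:33:44:55", "DE:AD:BE:EF:00:01"
    shut = SecuredPort("eth1", max_macs=1, violation_action="shutdown")
    restrict = SecuredPort("eth2", max_macs=1, violation_action="restrict")
    sequence = [plc, laptop, plc]
    return {
        "eth1": [shut.ingress(m) for m in sequence],
        "eth2": [restrict.ingress(m) for m in sequence],
        "traps": shut.traps + restrict.traps,
        "eth1_enabled": shut.enabled,
        "eth2_enabled": restrict.enabled,
    }

if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```

On eth1 the third frame, from the legitimate PLC, is dropped because the port is now disabled; on eth2 it is forwarded and only the laptop's frame was lost. Both ports raised a trap, so the NMS sees the event either way. Which action is right depends on whether an outage on that drop is preferable to leaving it up while someone investigates.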
Perle Products that support IEEE 802.1x and Port Security
Secure Enterprise-Class Edge Routers & Gateways with Dual SIM Fail-over. 600Mbps downlink and 150Mbps uplink.
IOLAN SCR Console Servers
Secure out-of-band data center management of any device with an RS232 RJ45 or Ethernet console management port.
Image by Arran Cudbard-Bell Arr2036 (Own work)