No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE40E V800R010C10SPC500 Feature Description - Security 01

This is NE40E V800R010C10SPC500 Feature Description - Security
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Basic Concepts of 802.1X Port-based Authentication

Basic Concepts of 802.1X Port-based Authentication

802.1X Port-based Authentication Architecture

As shown in Figure 19-1, the three major components of the 802.1x authentication system are the supplicant, authenticator, and authentication server.

  • The supplicant is a user terminal that requests access to a local area network (LAN), and is authenticated by an authenticator in the LAN. A user initiates 802.1X authentication by starting the supplicant software. The supplicant must support the Extensible Authentication Protocol over LAN (EAPOL).

  • The authenticator is a network device that controls supplicant access to the LAN. It is located between the supplicant and the authentication server. It provides a port for the supplicant to access the LAN and authenticates the connected supplicant through the interaction with the authentication server.

  • The authentication server undertakes authentication, authorization, and accounting for users. You are recommended to use a RADIUS server as the authentication server.

Figure 19-1 802.1X port-based authentication architecture

Access Authorization Mode

When deploying 802.1X port-based authentication, configure an access authorization mode on the NE40E to determine whether to authenticate users on a port before they can access network resources. The NE40E supports the following access authorization modes:

  • Automatic identification: The port is initially in the unauthorized state and allows only users' EAPOL packets to pass through. It does not allow users to access network resources. After the users pass 802.1X authentication, the port switches to the authorized state, and the users can access network resources.
  • Forcible authorization: The port remains in the authorized state and allows users to access network resources without being authenticated or authorized.
  • Forcible unauthorization: The port remains in the unauthorized state and prohibits users from accessing network resources. This mode applies to scenarios where all users connected to a port need to be disabled from accessing network resources due to security considerations.

Port Authorization State

The Port Access Entity (PAE) of the authenticator determines the authorized or unauthorized state of a controlled port according to the instruction (Accept or Reject) of the RADIUS server. As shown in Figure 19-1, the access rights of the controlled port depends on its authorization state.

  • Authorized: After a user or device passes the 802.1X authentication, the port to which the user or device is connected is in the authorized state. In the authorized state, other data of the user or device can also pass through the Ethernet interface. This mechanism improves network security by allowing only authorized users or devices to access the network.
  • Unauthorized: Before a user or device passes the 802.1X authentication, the port to which the user or device is connected is in the unauthorized state. Controlled ports in the unauthorized state will deny the user or device access. Before authentication is successful, only EAPOL packets are allowed to pass through.

Access Control Mode

The NE40E supports the following access control modes for 802.1X port-based authentication.

  • Port-based access control: After the first user is authenticated, subsequent users can pass the authentication or access the network without being authenticated. When the first user goes offline, other users are denied access to network resources. This authentication mode applies to group users.
  • MAC-based authentication: Every user accessing a port must be authenticated. If a user goes offline, other 802.1X authenticated users can still access the network.

    This authentication mode applies to scattered users.

Translation
Download
Updated: 2019-01-03

Document ID: EDOC1100055047

Views: 14121

Downloads: 34

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next