Avaya P333R-LB Port Based Network Access Control (PBNAC)

Chapter 11 Avaya P330 Layer 2 Features

Avaya P333R-LB User’s Guide 67

Port Based Network Access Control (PBNAC)

Port Based Network Access Control (IEEE 802.1X) is a method for performing

authentication to obtain access to IEEE 802 LANs. The protocol defines an

interaction between 3 entitites:

• Supplicant — an entity at one end of a point-to-point LAN segment that is being

authenticated by an authenticator attached to the other end of that link.

• Authenticator — an entity at one end of a point-to-point LAN segment that

facilitates authentication of the entity attached to the other end of that link; in

this case, the P330.

• Authentication (RADIUS) Server — an entity that provides an authentication

service to an authenticator. This service determines, from the credentials

provided by the supplicant, whether the supplicant is authorized to access the

services provided by the authenticator.

The process begins with the supplicant trying to access a certain restricted network

resource, and upon successful authentication by the authentication server, the

supplicant is granted access to the network resources.

How "Port Based" Authentication Works

802.1X provides a means of authenticating and authorizing users attached to a LAN

port and of preventing access to that port in cases wher the authentication process

fails. The authentication procedure is port based, which means:

• access control is achieved by enforcing authetication on connected ports

• if an end-point station that connects to a port is not authorized, the port state is

set to "unauthorized" which closes the port to any traffic.

• As a result of an authentication attempt, the P330 port can be either in a

"blocked" or a "forwarding" state.

802.1X interacts with existing standards to perform its authentication operation.

Specifically, it makes use of Extensible Authentication Protocol (EAP) messages

encapsulated within Ethernet frames (EAPOL), and EAP over RADIUS for the

communication between the Authenticator and the Authentication Server.

PBNAC Implementation in the P330 Family

This section lists the conditions that govern the implementation of the 802.1X

standard in the P330 line:

• You can configure PBNAC on the 10/100 Mbps Ethernet ports only.

• PBNAC can work only if a RADIUS server is configured on the P330 and the

RADIUS server is carefully configured to support 802.1X.

• PBNAC and port/intermodule redundancy can co-exist on the same ports.

• PBNAC and LAGs can coexist on the same ports.

• PBNAC and Spanning Tree can be simultaneously active on a module.