Chapter 14

802.1X – Technical Guideline

14.1 Overview

Barracuda NG Network Access Client features the IEEE 802.1X standard for port-based network
access control. The IEEE 802.1X standard defines a client-server-based access control and
authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly
accessible ports unless they are properly authenticated. Every client connected to a switch port must
be authenticated by the authentication server before it can access any services provided by the
switch or LAN. Until the client is authenticated, the only traffic allowed through the port the client is
connected to is the Extensible Authentication Protocol over LAN (EAPOL), the Cisco Discovery
Protocol (CDP) and the Spanning Tree Protocol (STP).
Unlike common implementations of the 802.1X standard, the client computer's health state is the
criterion for access control. The health state of a client computer is evaluated by the Barracuda NG
Access Control Server, which is accessible from within the initially assigned guest VLAN after the first
authentication using default credentials has succeeded. Once the client computer's health state has
been evaluated, the client starts a second authentication using a unique identifier as username and,
as password, a session id received from the Access Control Server based on its health evaluation
result. The authentication server then assigns the client computer the VLAN configured for that
health evaluation result.
When the user logs off or shuts down the operating system, the Client service notifies the
wpa-supplicant to send the logoff command, so that the switch disables the line protocol on the port the
client computer is connected to. The logoff command, along with the logon and reassociate commands,
can also be executed manually by the user via the Barracuda NG Access Monitor or the command-line
interface.
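The two-phase flow described above, as an added illustrative model (not Barracuda's code): the first authentication with default credentials lands the client in the guest VLAN, the Access Control Server issues a session id for the health result, and the authentication server maps the identifier/session-id pair to the VLAN configured for that result. VLAN numbers, credential strings, and the single-use and expiry rules for the session id are assumptions of this example.

```python
import secrets
import time

# All values below are assumptions for this illustration, not product defaults.
GUEST_VLAN = 900                                      # initially assigned guest VLAN
DEFAULT_CREDENTIALS = ("guest", "guest")              # default credentials, phase one
VLAN_FOR_HEALTH = {"healthy": 100, "unhealthy": 200}  # VLAN configured per result


class AccessControlServer:
    """Evaluates health state and issues the session id used as the phase-two
    password (single-use and time-limited here: both rules are assumptions)."""

    def __init__(self, session_lifetime_s=60):
        self.sessions = {}   # (client_id, session_id) -> (health_result, expiry)
        self.lifetime = session_lifetime_s

    def evaluate(self, client_id, health_result, now=None):
        now = time.time() if now is None else now
        session_id = secrets.token_hex(16)
        self.sessions[(client_id, session_id)] = (health_result, now + self.lifetime)
        return session_id

    def redeem(self, client_id, session_id, now=None):
        """Health result bound to the id, or None if unknown, replayed or expired."""
        now = time.time() if now is None else now
        entry = self.sessions.pop((client_id, session_id), None)
        if entry is None:
            return None
        health_result, expiry = entry
        return health_result if now <= expiry else None


class AuthenticationServer:
    def __init__(self, acs):
        self.acs = acs

    def authenticate(self, username, password, now=None):
        """VLAN to assign for this 802.1X request, or None to keep the port closed."""
        if (username, password) == DEFAULT_CREDENTIALS:
            return GUEST_VLAN                         # phase one: guest VLAN only
        health_result = self.acs.redeem(username, password, now)
        return VLAN_FOR_HEALTH.get(health_result)     # phase two: VLAN per result


def client_flow(auth, acs, client_id, health_result):
    """Walk one client through both phases; returns the VLANs assigned in order."""
    vlans = [auth.authenticate(*DEFAULT_CREDENTIALS)]
    session_id = acs.evaluate(client_id, health_result)
    vlans.append(auth.authenticate(client_id, session_id))
    return vlans
```

A replayed or expired session id falls through to `None`, so the switch leaves the port unauthorized rather than re-using a stale health result.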
The four key entities in the network environment using port security are:
• Client computer
with an installed Barracuda NG SSL VPN and NAC Client utilizing the wpa-supplicant, which
will request access to the LAN and respond to identity requests from the switch. The
wpa-supplicant is started and controlled by the Client Service for 802.1X authentication,
whereas the Barracuda NG Access Monitor service is responsible for evaluating the
client computer's health state.
• Switch
Responsible for controlling physical access to the LAN based on the authentication
status of the client. The switch acts as a proxy between the client computer and the
authentication server.
• Authentication Server