Working with Security Configurations
14-114 Matrix E1 Series (1G58x-09 and 1H582-xx) Configuration Guide
14.4.2 802.1X Port Based Network Access Control Overview
When using the physical access characteristics of IEEE 802 LAN infrastructures, the 802.1X
standard provides a mechanism for administrators to securely authenticate and grant appropriate
access to end user devices directly attached to Matrix E1 device ports. When configured in
conjunction with NetSight Policy Manager and RADIUS server(s), Enterasys Networks’ Matrix E1
devices can dynamically administer user based policy that is specifically tailored to the end user’s
needs.
The device supports 802.1X security and authentication features to:
- Authenticate hosts that are connected to dedicated switch ports.
- Authenticate based on single-user hosts. (If a host is a time-shared Unix or VMS system, successful authentication by any user will allow all users access to the network.)
- Allow users to authenticate themselves by logging in with user names and passwords, token cards, or other high-level identification. Thus, a system manager does not need to spend hours setting low-level MAC address filters on every edge switch to simulate user-level access controls.
- Divide system functionality between supplicants (user machines), authenticators, and authentication servers. Authenticators reside in edge switches. They shuffle messages and tell the switch when to grant or deny access, but do not validate logins. User validation is the job of authentication servers. This separation of functions allows network managers to put authentication servers on central servers.
- Use EAPOL to communicate between the authenticator (switch) and the authentication server.
For more information on configuring EAPOL on the device, refer to Section 14.3.2.
14.4.3 MAC Authentication Overview
MAC authentication allows secure network access by validating the MAC addresses of authorized user devices connected to MAC authentication-enabled ports. Network management statically provisions MAC addresses in a central RADIUS server, which grants those pre-configured MAC addresses network access through the usual RADIUS validation process. This section describes how MAC authentication and 802.1X cooperate to provide an integrated approach to authentication.
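The division of roles described in the 802.1X list above (supplicant, authenticator, authentication server) and the MAC authentication model in this section, as an added illustrative simulation that is not part of the Enterasys guide or the Matrix E1 firmware: the authenticator only relays identities and flips the port state, the server stand-in holds the user credentials and the statically provisioned MAC list, and the forwarding check shows the single-user-host caveat (once a port is authorized, every host behind it is admitted). All names, port labels and sample data are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class PortState(Enum):
    UNAUTHORIZED = "unauthorized"   # only EAPOL frames pass through the port
    AUTHORIZED = "authorized"       # all frames from the port are forwarded

@dataclass
class AuthenticationServer:
    # Hypothetical stand-in for the RADIUS server: the one component that validates logins.
    users: dict          # username -> password (constructed sample data)
    mac_allowlist: set   # statically provisioned MAC addresses for MAC authentication

    def access_request(self, identity: str, credential: str) -> bool:
        # Access-Accept / Access-Reject modelled as True / False.
        return self.users.get(identity) == credential

    def mac_access_request(self, mac: str) -> bool:
        return mac.lower() in self.mac_allowlist

@dataclass
class Authenticator:
    # Edge-switch authenticator: relays messages and sets port state, never validates logins itself.
    server: AuthenticationServer
    ports: dict = field(default_factory=dict)   # port label -> PortState

    def _set(self, port: str, accepted: bool) -> PortState:
        self.ports[port] = PortState.AUTHORIZED if accepted else PortState.UNAUTHORIZED
        return self.ports[port]

    def eapol_login(self, port: str, identity: str, credential: str) -> PortState:
        # The supplicant's identity and credential are relayed to the server; its answer drives the port.
        return self._set(port, self.server.access_request(identity, credential))

    def mac_auth(self, port: str, src_mac: str) -> PortState:
        # MAC authentication: the frame's source MAC is the identity presented to the server.
        return self._set(port, self.server.mac_access_request(src_mac))

    def forward(self, port: str, is_eapol: bool = False) -> bool:
        # Port-based control: EAPOL always passes; other frames pass only once the port is authorized.
        # Single-user-host caveat: after one success, frames from ANY host behind the port pass.
        return is_eapol or self.ports.get(port, PortState.UNAUTHORIZED) is PortState.AUTHORIZED

# Constructed sample data, not taken from the guide.
SERVER = AuthenticationServer(users={"alice": "correct horse"}, mac_allowlist={"00:11:22:33:44:55"})

def demo() -> dict:
    auth = Authenticator(SERVER)
    return {
        "data_before_auth": auth.forward("port1"),                          # False
        "eapol_before_auth": auth.forward("port1", is_eapol=True),          # True
        "bad_login": auth.eapol_login("port1", "alice", "wrong"),           # UNAUTHORIZED
        "good_login": auth.eapol_login("port1", "alice", "correct horse"),  # AUTHORIZED
        "second_host_same_port": auth.forward("port1"),                     # True (caveat)
        "mac_auth": auth.mac_auth("port2", "00:11:22:33:44:55"),            # AUTHORIZED
    }
```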