The IEEE 802.1x standard addresses the need to authenticate the user or client trying to connect to a particular network. Point-to-Point Protocol (PPP) can be used in a basic dial-up scenario, but it limits the authentication process to checking only a user name and password match. The Extensible Authentication Protocol (EAP) was designed to provide transport for other authentication methods. EAP extends PPP as a framework for several different authentication methods, such as challenge-response tokens and PKI certificates.

IEEE 802.1X introduces three terms:

Supplicant
    The user or device that wants to be authenticated and connect to the network.

Authenticator
    The device responsible for mediation between the client and the authentication server. Typically this is a RAS server for EAP-over-PPP, or a wireless access point or switch for EAP-over-LAN.

Authentication server
    The server performing authentication, typically a RADIUS server.

IEEE 802.1x was introduced to enable users to use EAP in a consistent way, with either dial-up or LAN connection. It defines the way an EAP message is packaged in an Ethernet frame so there is no need for PPP-over-LAN overhead.
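The packaging just described (an EAP message carried directly in an Ethernet frame with the EAPOL EtherType, no PPP in between) is shown below as an added example; it is not code from the Redbook or from Cisco or IBM. The source MAC and the identity "alice" are constructed sample values, and the parser checks every length field so a truncated frame is rejected rather than read past its end.

```python
import struct

ETHERTYPE_EAPOL = 0x888E            # EtherType registered for IEEE 802.1X (EAPOL)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE multicast destination
EAPOL_VERSION = 2                   # 802.1X-2004 protocol version
EAPOL_TYPE_EAP_PACKET = 0           # EAPOL type 0 carries an EAP packet
EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1

def build_eap_identity_response(identifier: int, identity: bytes) -> bytes:
    """EAP packet (RFC 3748): code(1) identifier(1) length(2) type(1) type-data."""
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier,
                       5 + len(identity), EAP_TYPE_IDENTITY) + identity

def build_eapol_frame(src_mac: bytes, eap_packet: bytes) -> bytes:
    """Ethernet II header dst(6) src(6) type(2), then EAPOL header
    version(1) type(1) body-length(2), then the EAP packet as the body."""
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_packet))
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol + eap_packet

def parse_eapol_frame(frame: bytes) -> dict:
    """Decapsulate the EAP packet, validating each layer's length field so a
    malformed or truncated frame is rejected instead of being read past its end."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length exceeds frame")
    if eapol_type != EAPOL_TYPE_EAP_PACKET:  # EAPOL-Start, -Logoff, -Key carry no EAP
        return {"version": version, "eapol_type": eapol_type, "eap": None}
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("bad EAP length")
    eap = {"code": code, "identifier": identifier}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if eap_len < 5:
            raise ValueError("EAP request/response missing type")
        eap["type"] = body[4]
        eap["data"] = body[5:eap_len]   # an Identity response carries the user name here
    return {"version": version, "eapol_type": eapol_type, "eap": eap}
```

An EAPOL-Start or EAPOL-Logoff frame has a zero-length body and no EAP packet, which is why the parser returns `eap: None` for those types instead of failing.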

On the other hand, Cisco NAC is a posture-based Network Admission Control solution that enables control of who connects to the network and whether the client workstation is healthy and complies with all required security policies.

The Cisco Layer 3 NAC solution implements proprietary extensions to EAP and uses User Datagram Protocol (UDP) as the transport for EAP (EAP-over-UDP, or EOU). In Cisco’s Layer 2 NAC offerings, EAP is transported over 802.1x.

Using Cisco terminology

The Cisco Trust Agent performs the role of the supplicant. It provides the authenticator, which is a NAC-enabled Cisco device, with the client’s posture statement. The communication is performed using the EAP-over-UDP or EAP-over-802.1X protocol. On the network device, the EAP header is repackaged into RADIUS and sent to the Cisco Secure ACS server (performing the role of an authentication server).

The main difference between IEEE 802.1x and the Cisco implementation lies in the authentication process:

- With generic IEEE 802.1x, the EAP header carries only identity information, and authentication is performed using credentials provided by the supplicant.

Chapter 2. Architecting the solution
