802.1x Network Access Control
The 7705 SAR supports network access control over client devices on an Ethernet network using the IEEE 802.1x standard. 802.1x is a standard for authenticating Ethernet devices before they can access the network. In the case of the 7705 SAR, authentication is performed using Extensible Authentication Protocol (EAP) over LAN (EAPOL).
802.1x provides protection against unauthorized access by forcing the device connected to the 7705 SAR to go through an authentication phase before it is able to send any non-EAP packets. Only EAPOL frames can be exchanged between the aggregation device (called the authenticator; for example, the 7705 SAR) and the customer device (called the supplicant) until authentication is successfully completed. The 7705 SAR enables the port after successful authentication. While the port is unauthenticated, the port will be ‟down” to all upper layer protocols or services.
A typical use for EAPOL would involve a 7705 SAR and some type of Ethernet device, such as a laptop, a set-top box, or a Node B. An authentication server would negotiate with the Ethernet device through the 7705 SAR (whose role is authenticator). For example, a technician using a laptop to gain access to his or her network at a cell site would have his or her laptop subject to the 802.1x access control, just as the Node B would. In every case, the Ethernet device connected to the 7705 SAR must negotiate for network access. Essentially, with EAPOL in use, any Ethernet device that connects to the 7705 SAR must negotiate for permission to send traffic through the 7705 SAR Ethernet port.
The 7705 SAR supports the following EAP methods: MD5, TLS, TTLS, and PEAPv0.
MAC authentication can be used to authenticate client devices that do not support EAP. For more information, see MAC Authentication.
This section describes the following:
802.1x Basics
The IEEE 802.1x standard defines three participants in an authentication conversation (see 802.1x Architecture):
the supplicant — the end-user device that requests access to the network
the authenticator — controls access to the network. Both the supplicant and the authenticator are referred to as Port Authentication Entities (PAEs).
the authentication server — performs the actual processing of the user information
The authentication exchange is carried out between the supplicant and the authentication server; the authenticator acts only as a bridge. The communication between the supplicant and the authenticator is done using EAPOL. The communication between the authenticator and the authentication server is done using the RADIUS protocol. The authenticator is therefore a RADIUS client, and the authentication server is a RADIUS server.
Authentication Scenario shows an example of the messages transmitted during an authenticator-initiated One Time Password (OTP) authentication process.
The authenticator initiates the procedure when the Ethernet port becomes operationally up by sending a special PDU called an EAP-Request/ID to the supplicant. The supplicant can also initiate the exchange by sending an EAPOL-Start PDU if it does not receive the EAP-Request/ID frame during boot-up. The supplicant responds to the EAP-Request/ID with an EAP-Response/ID frame containing its identity (typically username + password).
After receiving the EAP-Response/ID frame, the authenticator encapsulates the identity information into a RADIUS Access Request packet, and sends it off to the configured RADIUS server. The RADIUS Access Request packet contains the following attributes:
User-Name – the name of the supplicant to be authenticated
Calling-Station-Id – the MAC address of the supplicant
NAS-IP-Address – the IP address of the device acting as the authenticator
NAS-Port – the physical port number of the device acting as the authenticator
State – allows state information to be maintained between the authenticator and the RADIUS server
EAP-Message – used to encapsulate EAP packets for transmission from the authenticator to the RADIUS server
Message-Authenticator – used to authenticate and protect the integrity of Access Request messages in order to prevent spoofing attacks
The RADIUS server checks the supplied credentials using an authentication algorithm to verify the supplicant’s identity. If approved, the RADIUS server returns an Access Accept message to the authenticator. The authenticator notifies the supplicant with an EAP-Success message and puts the port in the authorized state.
If the supplicant sends an EAP-Logoff message, the authenticator puts the supplicant in an unauthorized state and continues searching for supplicants to authenticate.
After sending an EAP-Failure message, the authenticator puts the supplicant in an unauthorized state, waits for the number of seconds defined by the quiet-period timer, then continues searching for supplicants to authenticate.
The 7705 SAR conforms to the relevant sections of the 802.1X-2001 implementation.
802.1x Modes
The 7705 SAR supports port-based network access control for Ethernet ports only. Each Ethernet port can be configured to operate in one of three different modes, controlled by the port-control command:
auto — enables 802.1x authentication. The port starts in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. Both the authenticator and the host (supplicant) can initiate an authentication process as described earlier. The port will remain in the unauthorized state until the first supplicant is authenticated successfully. After this, traffic is allowed on the port for all connected hosts.
force-auth — disables 802.1x authentication and causes the port to transition to the authorized state without requiring any authentication exchange. The port transmits and receives normal traffic without requiring 802.1x-based host authentication. This is the default setting.
force-unauth — causes the port to remain in the unauthorized state, ignoring all attempts by the hosts to authenticate. The authenticator cannot provide authentication services to the host through the interface.
802.1x Timers
The 802.1x authentication process is controlled by a number of configurable timers. There are two separate sets, one for the EAPOL message exchange and one for the RADIUS message exchange. 802.1x EAPOL Timers and RADIUS Timers shows an example of the timers.
EAPOL timers:
transmit-period — indicates how many seconds after sending an EAP-Request/ID frame that the 7705 SAR will listen for a supplicant to authenticate (by sending a EAP-Response/ID frame). If the timer expires before a response is received, a new EAP-Request/ID frame will be sent and the timer restarted. The default value is 30 s. The range is 1 to 3600 s.
supplicant-timeout — indicates how many seconds to allow the 7705 SAR to complete the authentication process. This timer is started at the beginning of a new authentication process (transmission of first EAP-Request/ID frame and receipt of an EAP-Response/ID frame). If the timer expires, the 802.1x authentication session is considered to have failed and the 7705 SAR waits for the quiet-period timer to expire before processing another authentication request. The default value is 30 s. The range is 1 to 300 s.
quiet-period — indicates the number of seconds that the authenticator will not search for clients after an unsuccessful EAP authentication. The timer is started after sending an EAP-Failure message or after expiry of the supplicant timeout timer. The default value is 60 s. The range is 1 to 3600 s.
RADIUS timers:
max-auth-req — indicates the maximum number of times that the authenticator will send an authentication request to the RADIUS server before the process is considered as to have failed. The default value is 2. The range is 1 to 10.
server-timeout — indicates how many seconds the authenticator will wait for a RADIUS response message. If the timer expires, the access request message is sent again, up to the max-auth-req value, and the timer is reset. The default value is 30 s. The range is 1 to 300 s.
The authenticator can also be configured to periodically trigger the authentication process automatically. This is controlled by the enable reauthentication and reauthentication period parameters. Re-auth-period indicates the time in seconds (since the last time that the authorization state was confirmed) before a new authentication process is started. The range of re-auth-period is 1 to 9000 s (the default is 3600 s). The port stays in an authorized state during the reauthentication process.
802.1x Tunneling
The 7705 SAR supports tunneling of untagged 802.1x frames received on a port for both Epipe and VPLS services using either null or default SAPs (for example1/1/1:0 or 1/1/1:*) when the port-control command is set to force-auth.
When tunneling is enabled on a port, untagged 802.1x frames are treated like user frames and are switched into Epipe or VPLS services that have a corresponding null SAP or default SAP on that port. If a port has a default SAP, other non-default SAPs could also be on the port. When received on a spoke SDP or mesh SDP, untagged 802.1x frames are tunneled by default. Untagged 802.1x frames received on other service types, or on network ports, are dropped.
802.1x tunneling must be enabled consistently across all ports in the LAG where 802.1x frames are expected. This is not enforced by the system.
802.1x Configuration and Limitations
Configuration of 802.1x network access control on the authenticator consists of two parts:
generic parameters, which are configured under config>system>security>dot1x
See the Basic System Configuration Guide, ‟System Command Reference”.
port-specific parameters, which are configured under config>port>ethernet>dot1x
802.1x provides access to the port for any device, even if only a single client has been authenticated. Additionally, it can only be used to gain access to a predefined Service Access Point (SAP). It is not possible to dynamically select a service (such as a VPLS service) depending on the 802.1x authentication information.