
IEEE Std 802.1X-2001 Port-Based Network Access Control -Description

Abstract: Port-based network access control makes use of the physical access characteristics of IEEE 802® Local Area Networks (LAN) infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in which the authentication and authorization process fails.

Keywords: authentication, authorization, controlled Port, Local Area Networks, Port Access Control, uncontrolled Port

Contents

  • 1. Overview
    • 1.1 Scope
    • 1.2 Purpose
  • 2. References
  • 3. Definitions
    • 3.1 Definitions
  • 4. Acronyms and abbreviations
  • 5. Conformance
    • 5.1 Static conformance requirements
    • 5.2 Options
  • 6. Principles of operation
    • 6.1 Systems, Ports, and system roles
    • 6.2 Port access entity
    • 6.3 Controlled and uncontrolled access
    • 6.4 Unidirectional and bidirectional control
    • 6.5 Use of Port Access Control with IEEE Std 802.3, 2000 Edition
  • 7. EAP encapsulation over LANs (EAPOL)
    • 7.1 Transmission and representation of octets
    • 7.2 EAPOL frame format for 802.3/Ethernet
    • 7.3 EAPOL frame format for Token Ring/FDDI
    • 7.4 Tagging EAPOL frames
    • 7.5 EAPOL PDU field and parameter definitions
      • 7.5.1 PAE Ethernet type
      • 7.5.2 SNAP-encoded Ethernet type
      • 7.5.3 Protocol version
      • 7.5.4 Packet type
      • 7.5.5 Packet Body length
      • 7.5.6 Packet Body
      • 7.5.7 Validation of received EAPOL frames and EAPOL protocol version handling
    • 7.6 Key Descriptor format
      • 7.6.1 Descriptor type
      • 7.6.2 Key length
      • 7.6.3 Replay counter
      • 7.6.4 Key IV
      • 7.6.5 Key index
      • 7.6.6 Key signature
      • 7.6.7 Key
      • 7.6.8 RC4 Key Descriptor
    • 7.7 EAP packet format—informative
      • 7.7.1 Code
      • 7.7.2 Identifier
      • 7.7.3 Length
      • 7.7.4 Data
    • 7.8 EAPOL addressing
    • 7.9 Use of EAPOL in shared media LANs
  • 8. Port Access Control
    • 8.1 Purpose
    • 8.2 Scope
    • 8.3 Overview of Port Access Entity operation
      • 8.3.1 Authenticator role
      • 8.3.2 Supplicant role
      • 8.3.3 Port access restrictions
      • 8.3.4 Logoff mechanisms
    • 8.4 Protocol operation
      • 8.4.1 Overview
      • 8.4.2 Authentication initiation
      • 8.4.3 EAPOL-Logoff
      • 8.4.4 Timing out authorization state information
      • 8.4.5 Retransmission
      • 8.4.6 Migration considerations
      • 8.4.7 Relaying EAP frames
      • 8.4.8 Example EAP exchanges
      • 8.4.9 Transmission of key information
    • 8.5 EAPOL state machines
      • 8.5.1 Notational conventions used in state diagrams
      • 8.5.2 Timers and global variables used in the definition of the state machines
      • 8.5.3 Port Timers state machine
      • 8.5.4 Authenticator PAE state machine
      • 8.5.5 Authenticator Key Transmit state machine
      • 8.5.6 Supplicant Key Transmit state machine
      • 8.5.7 Reauthentication Timer state machine
      • 8.5.8 Backend Authentication state machine
      • 8.5.9 Controlled Directions state machine
      • 8.5.10 Supplicant PAE state machine
      • 8.5.11 Key Receive state machine
  • 9. Management of Port Access Control
    • 9.1 Management functions
      • 9.1.1 Configuration Management
      • 9.1.2 Fault Management
      • 9.1.3 Performance Management
      • 9.1.4 Security Management
      • 9.1.5 Accounting Management
    • 9.2 Managed objects
    • 9.3 Data types
    • 9.4 Authenticator PAE managed objects
      • 9.4.1 Authenticator Configuration
      • 9.4.2 Authenticator Statistics
      • 9.4.3 Authenticator Diagnostics
      • 9.4.4 Authenticator Session Statistics
    • 9.5 Supplicant PAE managed objects
      • 9.5.1 Supplicant Configuration
      • 9.5.2 Supplicant Statistics
    • 9.6 System managed objects
      • 9.6.1 System Configuration
  • 10. Management protocol
    • 10.1 Introduction
    • 10.2 The SNMP Management Framework
    • 10.3 Security considerations
    • 10.4 Structure of the MIB
      • 10.4.1 Relationship to the managed objects defined in Clause
      • 10.4.2 The PAE System Group
      • 10.4.3 The PAE Authenticator Group
      • 10.4.4 The PAE Supplicant Group
    • 10.5 Relationship to other MIBs
      • 10.5.1 Relationship to the Interfaces MIB
    • 10.6 Definitions for Port Access Control MIB
  • Annex A PICS Proforma
    • A.1 Introduction
    • A.2 Abbreviations and special symbols
      • A.2.1 Status symbols
      • A.2.2 General abbreviations
    • A.3 Instructions for completing the PICS proforma
      • A.3.1 General structure of the PICS proforma
      • A.3.2 Additional information
      • A.3.3 Exception information
      • A.3.4 Conditional status
    • A.4 PICS proforma for IEEE 802.1X
      • A.4.1 Implementation identification
      • A.4.2 Protocol summary, IEEE 802.1X
    • A.5 Major capabilities and options
    • A.6 EAPOL frame formats
    • A.7 PAE support
  • Annex B Scenarios for the use of Port-Based Network Access Control
    • B.1 Rationale for unidirectional control functionality
      • B.1.1 Remote wakeup
      • B.1.2 Peer-to-peer wakeup
      • B.1.3 Remote control
      • B.1.4 Alerting
    • B.2 Use of 802.1X in point-to-point and shared media LANs
  • Annex C Design considerations and background material for Port-Based Network Access Control
    • C.1 Design considerations
      • C.1.1 Edge authentication in a Bridged LAN
      • C.1.2 Use with 802.3ad Link Aggregation
    • C.2 Additional services
      • C.2.1 Manageability of end stations
      • C.2.2 Accounting and policies
      • C.2.3 End-station identity for access
      • C.2.4 VLAN enhancements
    • C.3 Security considerations
      • C.3.1 Piggybacking
      • C.3.2 Snooping
      • C.3.3 Crosstalk
      • C.3.4 Rogue Bridge
      • C.3.5 Bit flipping
      • C.3.6 Negotiation attacks
  • Annex D IEEE 802.1X RADIUS Usage Guidelines
    • D.1 Introduction
    • D.2 RADIUS accounting attributes
      • D.2.1 Acct-Terminate-Cause
      • D.2.2 Acct-Multi-Session-Id
      • D.2.3 Acct-Link-Count
    • D.3 RADIUS authentication
      • D.3.1 User-Name
      • D.3.2 User-Password, CHAP-Password, CHAP-Challenge
      • D.3.3 NAS-IP-Address
      • D.3.4 NAS-Port
      • D.3.5 Service-Type
      • D.3.6 Framed-Protocol
      • D.3.7 Framed-IP-Address, Framed-IP-Netmask
      • D.3.8 Framed-Routing
      • D.3.9 Filter-ID
      • D.3.10 Framed-MTU
      • D.3.11 Framed-Compression
      • D.3.12 Reply-Message
      • D.3.13 Callback-Number, Callback-ID
      • D.3.14 Framed-Route
      • D.3.15 State, Class, Vendor-Specific, Proxy-State
      • D.3.16 Session-Timeout
      • D.3.17 Idle-Timeout
      • D.3.18 Termination-Action
      • D.3.19 Called-Station-Id
      • D.3.20 Calling-Station-Id
      • D.3.21 NAS-Identifier
      • D.3.22 NAS-Port-Type
      • D.3.23 Port-Limit
      • D.3.24 Password-Retry
      • D.3.25 Connect-Info
      • D.3.26 EAP-Message
      • D.3.27 Message-Authenticator
      • D.3.28 NAS-Port-Id
      • D.3.29 Framed-Pool
      • D.3.30 Tunnel attributes
    • D.4 Security considerations
  • Annex E Bibliography


Copyright ©2004 IEEE-SA
Contact IEEE-SA
(m.v.rodriguez@ieee.org)
URL: http://standards.ieee.org/reading/ieee/std_public/description/lanman/802.1x-2001_desc.html