Demystifying 802.1x

802.1x is a public standard that defines port-based user authentication. It is also a mechanism for user identity and authentication over both wired and wireless network infrastructures. 802.1x is considered by many to be fairly complex, with several Extensible Authentication Protocol (EAP) types that define how authentication is implemented on the network. This chapter attempts to demystify 802.1x, provide an overview of Cisco Identity-Based Networking Services (IBNS) and machine authentication, and discuss how 802.1x can complement Network Admission Control (NAC). In this chapter, you also learn the basics of some of the most popular EAP types and how 802.1x can participate in an EzVPN network for telecommuting and remote branch offices.

Fundamentals of 802.1x

The IEEE 802.1x standard is designed to provide port-based user authentication onto a network. Prior to the 802.1x standard, many mechanisms existed to determine whether a user was authorized to join the network. However, these mechanisms were often proprietary and typically independent of the port or entrance point into the network. Defining authentication at the port or link layer makes it possible to assign a user or group of users network access policy attributes, including virtual LAN (VLAN) and access control lists (ACLs), when the user authenticates and logs on to the network. IEEE 802.1x provides a standard mechanism for port or link-level user authentication and works in concert with traditional port-level security. An example of traditional port-level security is the ability to specify which MAC addresses, or Layer 2 addresses, are allowed through a particular Catalyst LAN switch port. In addition to user-based authentication, IEEE 802.1x can also support device-based authentication, in which a device name is authenticated to a certificate authority or to a Windows Active Directory system prior to user authentication.
The IEEE 802.1x standard was designed to provide an open, secure, and scalable mechanism for port-based or link-layer user authentication.
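As an added illustration of the port-level model this section describes, the following Cisco IOS configuration fragment (an example written for this edition, not taken from the book) enables 802.1x on one Catalyst access port and combines it with traditional MAC-based port security. The interface name, RADIUS server address, shared secret, VLAN number and MAC address are placeholders, and the RADIUS attributes listed in the trailing comment are the standard ones from RFC 3580 that a server returns to assign a VLAN dynamically.

```cisco
! Added example (not from the book): 802.1x on one Catalyst access port,
! combined with MAC-based port security. Server address, secret, VLAN
! and MAC values are placeholders.
aaa new-model
! Authenticate 802.1x supplicants against RADIUS
aaa authentication dot1x default group radius
! Let RADIUS return per-user policy (VLAN, ACL) once authentication succeeds
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
! Enable 802.1x globally on the switch
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port stays unauthorized until the supplicant authenticates
 dot1x port-control auto
 ! Traditional port-level security: only the listed MAC may use the port
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0000.0001
 switchport port-security violation restrict
!
! For dynamic VLAN assignment the RADIUS server returns (RFC 3580):
!   Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
!   Tunnel-Private-Group-ID = <VLAN id or name>
```

With this configuration, `show dot1x interface FastEthernet0/1` reports the port's authorization state after a supplicant connects, and `show port-security interface FastEthernet0/1` shows the MAC restriction that applies independently of the 802.1x result. Note that a host without an 802.1x supplicant never gets the port authorized here; the two mechanisms are complementary, so a failing supplicant is blocked by 802.1x and an unexpected MAC is blocked by port security even when the user credentials are valid.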