Securing the LAN, Part 2

Last week we started talking about IEEE 802.1x, which defines a way for users to authenticate themselves to a network. This week, let's talk more about how the mechanism works.

The standard being drafted gets some help from the IETF's RFC 2284, which specifies Extensible Authentication Protocol (EAP), a general protocol for authentication which supports multiple authentication mechanisms. IEEE 802.1x specifies how EAP should be encapsulated in LAN frames.

Here's how IEEE 802.1x would be used. You can also look at this PDF file to get the story with some nice diagrams, put together by Hewlett-Packard's Paul Congdon:

grouper.ieee.org/groups/802/1/mirror/8021/docs2000/P8021XOverview.PDF

A user initiates the conversation by requesting a connection through a wired Ethernet port or a wireless Ethernet access point. The switch (or bridge or access point) then requests the identity of the user, who then responds. The switch then turns around and tells a RADIUS authentication server elsewhere on the network that the user is requesting access. The server asks for proof of identity from the switch, which gets the proof from the user and sends it back to the server. If the server likes what it sees, it tells the switch so, which in turn grants the user access to network services.

Is this something that you are considering using? Let me know at jcaruso@nww.com.

In addition to writing this newsletter, Jeff Caruso edits Network World's e-mail newsletters from his office on New York's Long Island. If you would like to make suggestions about newsletter format or content, or even just express your opinion on today's topic, you can reach Jeff at jcaruso@nww.com.

High Speed LANs archive
Past newsletters.

Cisco Web switches found to have security cracks
Network World, 02/12/01

Wireless LAN holes exposed
Network World, 02/12/01

Enterasys brings policy enforcement closer to users
Network World, 02/12/01