IEEE 802.1 Port-based Network Access Control - Jeff Hayes, Xylan - PowerPoint PPT Presentation

2 June 1999 - 802.1 - Coeur d’Alene 1

IEEE 802.1

Port-based Network Access Control

Jeff Hayes, Product Manager - Xylan, jeff.hayes@xylan.com


[Figure: Authentication Server; Authenticated Users; switch]

Network Access Control

  • What?

– distributed security
– authenticate users at the switch port
– once authenticated, operates at LAN speed
– leverage common authentication systems

  • RADIUS
  • DIAMETER
  • LDAP compliant directory servers
  • NOS


Network Access Control

  • Why?

– Perimeter security

  • access control at the edge

– Not all users created equal

  • trust all; really trust only a few

– Not all networks created equal

  • some require extra access control measures


[Figure: Authentication Server; Authenticated Users; switches]

Network Access Control

  • Applications

– distributed user authentication

  • user, not device
  • edge access control

– user mobility within a campus setting
– leveraged by single sign-on systems

  • one ID/password, entered one time


Network Access Control

  • Market Demand

– user authentication in enterprises

  • key departments (HR, Finance)
  • open computing environments (partners, visitors)

– network ingress security

  • access control distributed to the edge

– key vertical markets are ideal for switch access control

  • security conscious environments
  • mobile users
  • semi-public work environments


[Figure: Internet; Satellite Campus; Campus Backbone; Authentication Server; Departmental Subnets Access Control]

Key Vertical: University

Goal – authenticated open computing

  • Broad facilities

– central campus, satellites & dorms

  • Different user types

– students - dorms, classrooms & library
– faculty - offices & classes
– admin - offices

  • IP addressing - DHCP
  • Filter between private nets

[Figure: Research Hospital; Patient Records & Accounting]

Key Vertical: Medical

Goal – patient & research confidentiality

  • Facilities

– in/out patient hospital
– research labs

  • Users

– MDs, nurses, admins
– research PhDs & techs

  • Policy

– authenticate into key subnets
– filter / firewall internal traffic


[Figure: ISP 1, ISP 2, ISP 3; users attached via DSL or cable]

Key Vertical: Carrier

Goal – secure, multi-layer Internet access

  • users connect to network

– via DSL or cable

  • users authenticate at the NSP’s POP

– RADIUS
– multiple authorities
– one user per switch port

  • access multiple outsourced services

– separate billing


Key Administration Issues

  • Ethernet-only ingress; any egress interface

– No authentication needed for inter-switch ports

  • Configurable on a per-port basis

– not all switch ports must be authenticated ports

  • Log-off, aging and inactivity timer options

– re-authenticate according to policy

  • Transparent to authentication server type

– authenticator can request more information before determining the mechanism
– smart cards, Kerberos, PKI, one-time password, etc.


Key Administration Issues

  • Multiple VLAN membership options

– some want a MAC-based option = more control
– authenticate into authorized VLAN = choice
– client does DHCP after authentication

  • Mobility

– same look & feel regardless of campus location
– mixed vendor environment = common user experience
– many users need both unauthenticated and authenticated access, depending on local port
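As an added illustration (not code from the deck or from Xylan), the following Python model walks through the administration options listed on the two "Key Administration Issues" slides: per-port enable (uplink ports exempt), port-based all-or-nothing versus MAC-based per-station control, the authorized VLAN returned by the authentication server, and inactivity aging plus explicit log-off that force re-authentication. The dictionary standing in for the RADIUS server, the credentials and the MAC addresses are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One switch port and its access-control settings (hypothetical model)."""
    auth_required: bool = True     # False on inter-switch/uplink ports
    mac_based: bool = False        # True: each MAC authenticates; False: all-or-nothing
    inactivity_limit: int = 300    # seconds of silence before a session ages out
    sessions: dict = field(default_factory=dict)  # key -> {"vlan", "last_seen"}

def _key(port, mac):
    # Port-based mode keeps a single session for the whole port ("*");
    # MAC-based mode keeps one session per authenticated station.
    return mac if port.mac_based else "*"

def authenticate(port, mac, creds, auth_server, now):
    """Ask the (mocked) authentication server about the user's credentials.
    A successful reply carries the VLAN the user is authorized into."""
    vlan = auth_server.get(creds)  # stand-in for a RADIUS Access-Request/Accept
    if vlan is None:
        return False
    port.sessions[_key(port, mac)] = {"vlan": vlan, "last_seen": now}
    return True

def forward_allowed(port, mac, now):
    """Return (allowed, vlan) for a frame from `mac` arriving at time `now`.
    Aged-out sessions are dropped so the client must re-authenticate."""
    if not port.auth_required:
        return True, None
    key = _key(port, mac)
    sess = port.sessions.get(key)
    if sess is None:
        return False, None
    if now - sess["last_seen"] > port.inactivity_limit:
        del port.sessions[key]
        return False, None
    sess["last_seen"] = now
    return True, sess["vlan"]

def logoff(port, mac):
    """Explicit log-off: closes the station's session, or the whole port in port-based mode."""
    port.sessions.pop(_key(port, mac), None)
```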


Other possible considerations

  • Core spec for the authentication process
  • Section/Appendix for port-based authentication

– all or nothing / open or closed

  • Section/Appendix for MAC-based authentication

– VLAN membership control (IP unicast, IP multicast, IPX, AT, etc.)


Summary

  • Xylan believes a standards-based switch access authentication method is required
  • Key vertical markets have expressed a definite need for this capability

– extra layer of security at the network edge

  • Although port-based access may be easier to implement, do not discount the control layer-2 mechanisms offer
  • Xylan will support the approved spec