IEEE Std 802.1X-2010 IEEE STANDARD FOR LOCAL AND METROPOLITAN AREA NETWORKS
2 Copyright © 2010 IEEE. All rights reserved.
1.3 Introduction
The stations attached to an IEEE 802 LAN transmit and receive data frames using the service provided by the IEEE 802 LAN MAC at a service access point, often referred to as a port, within each end station or bridge. Port-based network access control specifies a common architecture comprising cooperative functional elements and protocols that
a) Use the service provided by the LAN MAC, at a common service access point, to support a Controlled Port that provides secure access-controlled communication and an Uncontrolled Port that supports protocols that initiate the secure communication or do not require protection.
b) Support mutual authentication between a Port Access Entity (PAE) associated with a Controlled Port, and a peer PAE associated with a peer port in a LAN attached station that desires to communicate through the Controlled Port.
c) Secure the communication between the Controlled Port and the authenticated peer port, excluding other devices attached to or eavesdropping on the LAN.
d) Provide the Controlled Port with attributes that specify access controls appropriate to the authorization accorded to the peer station or its user.
This standard specifies the use of EAP, the Extensible Authentication Protocol (IETF RFC 3748 [B14]¹), to support authentication using a centrally administered Authentication Server and defines EAP encapsulation over LANs (EAPOL, Clause 11) to convey the necessary exchanges between peer PAEs attached to a LAN.
Where communication over the LAN connecting a Controlled Port to its peer(s) is physically secure, no
additional protocol is required to protect their communication. This mode of operation is supported by this
standard. More commonly, intrusion into the LAN communication is a principal security threat, and the
result of mutual authentication is not simply Controlled Port authorization to transmit and receive data, but
secure distribution of master keys and associated data to the communicating peers. Proof of possession of
master keys subsequently serves as proof of mutual authentication in key agreement protocols. These
protocols generate keys that are used to cryptographically protect data frames transmitted and received by
the Controlled Port. IEEE Std 802.11™ Wireless LANs specifies protocols that associate wireless stations
with access points and initiate mutual authentication using the procedures specified in this standard, the
subsequent generation of keys to protect data transfer, and the cryptographic methods that protect data
frames using those keys. IEEE Std 802.1AE MAC Security (MACsec) specifies cryptographic support of
the Controlled Port for other media access methods. Authenticated key agreement for MAC Security, as
specified in this standard, specifies the generation of the Secure Association Keys (SAKs) used by MACsec.
Use of the Controlled Port can be restricted by access controls bound to the results of authentication and
distributed via AAA protocols such as Diameter (IETF RFC 3588 [B13]) or RADIUS (IETF RFC 2865
[B8]). Attributes supporting certain port-based network access control scenarios are described in IETF RFC
3580, IETF RFC 4675, and IETF RFC 4849.
Clause 7 illustrates use of the above components and protocols in typical network access control scenarios.
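The split between the Uncontrolled Port (which always passes the protocol that initiates secure communication) and the Controlled Port (which passes data frames only once the peer is authorized) can be made concrete with a small model. The following is an added illustration, not text or code from the standard; the PAE class, its method names and the sample frames are assumptions, and the EAPOL EtherType 0x888E is the real value assigned to EAPOL, which this excerpt does not itself quote.

```python
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E  # real EtherType for EAPOL frames (not quoted in this excerpt)
IPV4_ETHERTYPE = 0x0800   # ordinary data traffic used as the sample "protected" frame


@dataclass
class Frame:
    """Minimal constructed MAC frame: only the fields the port model inspects."""
    src: str
    ethertype: int
    payload: bytes


class PortAccessEntity:
    """Hypothetical model of the two ports a PAE presents at one MAC service access point."""

    def __init__(self) -> None:
        self.controlled_port_authorized = False  # result of mutual authentication (item b)
        self.uncontrolled_rx: list[Frame] = []   # frames delivered via the Uncontrolled Port
        self.controlled_rx: list[Frame] = []     # frames delivered via the Controlled Port
        self.dropped: list[Frame] = []           # frames refused while unauthorized

    def set_authorized(self, authorized: bool) -> None:
        """Called by the authentication exchange once the peer PAE has proved itself."""
        self.controlled_port_authorized = authorized

    def receive(self, frame: Frame) -> str:
        """Classify an incoming frame onto the Uncontrolled or Controlled Port."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            # Item a): protocols that initiate the secure communication always pass.
            self.uncontrolled_rx.append(frame)
            return "uncontrolled"
        if self.controlled_port_authorized:
            # Item d): once authorized, data frames flow through the Controlled Port.
            self.controlled_rx.append(frame)
            return "controlled"
        # Access-controlled communication is refused until authentication succeeds.
        self.dropped.append(frame)
        return "dropped"


def walk_through() -> list[str]:
    """Constructed sequence: EAPOL before auth, data before auth, then data after auth."""
    pae = PortAccessEntity()
    eapol = Frame("00:11:22:33:44:55", EAPOL_ETHERTYPE, b"\x02\x01\x00\x00")  # EAPOL-Start
    data = Frame("00:11:22:33:44:55", IPV4_ETHERTYPE, b"\x45\x00")
    decisions = [pae.receive(eapol), pae.receive(data)]
    pae.set_authorized(True)  # mutual authentication completed (out of band for this model)
    decisions.append(pae.receive(data))
    return decisions
```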
1.4 Provisions of this standard
The scope (1.1) of this standard is addressed by detailed specification of the following:
a) The principles of port-based network access control operation, identifying the protocol components
that compose a port-based network access control implementation (Clause 6).
¹ The numbers in brackets correspond to those of the bibliography in Annex B.