X-Calibur
802.1X Port Security
X-Calibur is an embedded and highly interoperable
implementation of the IEEE 802.1X protocol, which provides
secure and flexible authentication in wired and wireless
switches. It adds access authentication services to a
supplicant or an authenticator in any scenario where one
can abstract out the notion of a "network access port",
such as authenticated Ethernet networks and wireless (WLAN)
networks. It includes both an authenticator and a
supplicant Port Access Entity (PAE) and is validated for
standalone use and for use with the Wired Equivalent Privacy
(WEP) and Wireless Protected Access (WPA) mechanisms in
WiFi® networks. X-Calibur's small footprint and extensive
support for various authentication mechanisms make it ideally
suited for use in enterprise and infrastructure oriented
wired and wireless switches, gateways and access points.
LAN Access Authorization

While the concept of access authorization to a network is
important for wired networks such as Ethernet LANs, it is even
more significant in wireless local networks. These networks
present a unique set of issues, because the only restriction on
access to them is radio signal strength. There is no wiring to
define membership in a network, and no physical method to
restrict a system within radio range from becoming part of a
wireless network. X-Calibur's PNAC (port-based network access
control) implementation, based on the IEEE 802.1X standard,
authenticates devices and users connected to a LAN on a per-port
basis, so that access is restricted to authorized entities.
IEEE 802.1X

X-Calibur's 802.1X framework is based on Extensible
Authentication Protocol over LAN (EAPoL) messages, which carry
the IETF Extensible Authentication Protocol (EAP) directly in
link-layer frames. 802.1X defines an authentication dialog
between the system needing network services and the network.
This involves establishing identity in order to gain authorized
access by binding a name to something known, such as a MAC
address, and then using that name in all future interactions.
802.1X requires entities to play three roles in the
authentication process: the device seeking network access,
i.e., the client to be authenticated ("Supplicant"); the server
performing the authentication ("Authentication Server" or
"AS"); and the device responsible for granting access based on
authorization from the AS ("Authenticator"). The Supplicant and
Authenticator coordinate with each other using controlling
logic called the Port Access Entity (PAE).
X-Calibur implements the 802.1X PAEs for Supplicants and
Authenticators, allowing seamless integration of this
functionality in embedded devices, and enabling communication
with any standard AS in multi-platform networks. X-Calibur
defines two logical ports of access between the Supplicant and
the Authenticator: controlled and uncontrolled. A controlled
port only accepts packets from authenticated nodes, whereas an
uncontrolled port accepts all packets. While in the unauthorized
state, the Authenticator PAE filters out all traffic from the
Supplicant to the controlled port. The Authenticator PAE
communicates with the Supplicant PAE via EAPoL protocol data
units (PDUs), which are allowed through the uncontrolled port so
that the authentication exchange can complete. Once
authentication is successful, the controlled port is enabled and
the Supplicant is granted access.
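The controlled/uncontrolled port split described above, as an added example that is not X-Calibur's code or API: a small model of one Authenticator PAE port in Python. EAPoL frames (EtherType 0x888E) always reach the PAE through the uncontrolled port; every other frame is dropped until the AS returns EAP-Success, and an EAPOL-Logoff closes the controlled port again. The `AuthenticatorPort` class, the MAC addresses and the sample data frame are constructed for this illustration; the EtherType, EAPoL packet types and EAP codes are the real values from IEEE 802.1X and RFC 3748.

```python
import struct

# Real protocol constants (IEEE 802.1X and RFC 3748).
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1
EAPOL_TYPE_LOGOFF = 2
EAP_CODE_REQUEST = 1
EAP_CODE_SUCCESS = 3
EAP_CODE_FAILURE = 4
EAP_TYPE_IDENTITY = 1
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address

# Constructed sample addresses (locally administered, not real devices).
AUTH_MAC = bytes.fromhex("020000000001")
SUP_MAC = bytes.fromhex("020000000002")


def build_eapol_frame(dst, src, eapol_type, body=b""):
    """Ethernet II frame carrying an EAPoL PDU (version 2 header)."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, eapol_type, len(body))
    return dst + src + header + body


def parse_frame(frame):
    """Return (src, ethertype, payload) for an Ethernet II frame."""
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return src, ethertype, frame[14:]


class AuthenticatorPort:
    """Hypothetical model of one Authenticator PAE port (not X-Calibur's API)."""

    def __init__(self):
        self.authorized = False   # state of the controlled port
        self.to_supplicant = []   # EAPoL frames the PAE sends back
        self.to_as = []           # EAP packets relayed towards the AS
        self.admitted = []        # data frames passed by the controlled port
        self.dropped = 0

    def receive(self, frame):
        """Classify an ingress frame: 'uncontrolled', 'controlled' or 'dropped'."""
        src, ethertype, payload = parse_frame(frame)
        if ethertype == ETHERTYPE_EAPOL:
            # Uncontrolled port: always open so authentication can proceed.
            self._pae_handle(src, payload)
            return "uncontrolled"
        if self.authorized:
            self.admitted.append(frame)
            return "controlled"
        self.dropped += 1             # controlled port closed while unauthorized
        return "dropped"

    def _pae_handle(self, src, payload):
        _version, eapol_type, length = struct.unpack("!BBH", payload[:4])
        body = payload[4:4 + length]
        if eapol_type == EAPOL_TYPE_START:
            # Supplicant asked to authenticate: answer with EAP-Request/Identity.
            req = struct.pack("!BBHB", EAP_CODE_REQUEST, 1, 5, EAP_TYPE_IDENTITY)
            self.to_supplicant.append(
                build_eapol_frame(src, AUTH_MAC, EAPOL_TYPE_EAP_PACKET, req))
        elif eapol_type == EAPOL_TYPE_LOGOFF:
            self.authorized = False   # explicit logoff closes the controlled port
        elif eapol_type == EAPOL_TYPE_EAP_PACKET:
            self.to_as.append(body)   # relayed to the AS (e.g. inside RADIUS)

    def deliver_from_as(self, eap_packet, supplicant_mac):
        """Outcome from the AS: set the port state and forward it to the Supplicant."""
        code = eap_packet[0]
        if code == EAP_CODE_SUCCESS:
            self.authorized = True
        elif code == EAP_CODE_FAILURE:
            self.authorized = False
        self.to_supplicant.append(build_eapol_frame(
            supplicant_mac, AUTH_MAC, EAPOL_TYPE_EAP_PACKET, eap_packet))


def demo():
    """Walk one port through unauthorized -> authorized -> logoff."""
    port = AuthenticatorPort()
    # Constructed IPv4 data frame from the Supplicant (EtherType 0x0800).
    data = b"\xff" * 6 + SUP_MAC + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)
    r1 = port.receive(data)                                               # dropped
    r2 = port.receive(build_eapol_frame(PAE_GROUP_ADDR, SUP_MAC, EAPOL_TYPE_START))
    port.deliver_from_as(struct.pack("!BBH", EAP_CODE_SUCCESS, 2, 4), SUP_MAC)
    r3 = port.receive(data)                                               # controlled
    port.receive(build_eapol_frame(PAE_GROUP_ADDR, SUP_MAC, EAPOL_TYPE_LOGOFF))
    r4 = port.receive(data)                                               # dropped again
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the gate is keyed on EtherType and port state only: nothing about the data frame itself is inspected, so a real implementation must also bind the authorized state to the Supplicant's MAC address (single-host mode) or re-authenticate periodically, otherwise the controlled port stays open for whatever appears on that physical port after a successful exchange.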
Extensible Authentication

While 802.1X provides an interoperable transport for
authentication PDUs, it does not dictate or provide the
authentication mechanism itself. X-Calibur allows the use of a
number of EAP methods carried over EAPoL, such as password-based
methods, EAP-TLS (EAP over Transport Layer Security), EAP-TTLS
(EAP over Tunneled TLS), EAP-Kerberos, PEAP (Protected EAP),
one-time passwords, etc. These methods can be deployed over
X-Calibur using built-in APIs through which the Supplicant or
Authenticator packages EAP messages in link-layer frames and
relays them to standard servers (e.g. RADIUS Authentication
Servers).
802.11 Companion

The WPA industry standard and the upcoming 802.11i standard
specify the use of 802.1X for station authentication. In WLAN
infrastructure mode, X-Calibur can provide the Supplicant PAE
functionality for stations as well as an Authenticator PAE
implementation for access points. Authentication is typically
achieved by identifying a station by its MAC address and
determining its level of authorization in the AS. X-Calibur APIs
can be used to act as an EAP proxy between the Supplicant and
the AS, passing the EAP packets carried in EAPoL frames through
to a RADIUS server, which interprets them as EAP-Message
attributes. The AS then provides the authentication state of the
Supplicant to the Authenticator via the secure RADIUS channel
between the two, and also provides for dynamic re-keying that
is transparent to the end user. Other EAP mechanism
implementations are also possible using the same APIs.
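The EAP-proxy role described in the two sections above (EAP messages packaged in link-layer frames, then handed to a RADIUS server as EAP-Message attributes), as an added example that is not X-Calibur's code or API: the Authenticator strips the Ethernet and EAPoL headers from the Supplicant's EAP-Response/Identity, splits the EAP packet into RADIUS EAP-Message attributes (type 79, at most 253 octets of value each), and adds the Message-Authenticator attribute (type 80, HMAC-MD5 under the shared secret) that RFC 3579 makes mandatory for any Access-Request carrying EAP-Message; the reverse path reassembles EAP-Message attributes from the AS into an EAPoL frame for the Supplicant. The attribute numbers, lengths and HMAC construction are the real RFC 2865/3579 definitions; the MAC addresses, identity, shared secret and helper names are constructed for the example, and only the Access-Request direction of the Message-Authenticator check is shown (replies are checked against the Request Authenticator of the matching request, which is omitted here).

```python
import hashlib
import hmac
import os
import struct

# Real protocol constants (IEEE 802.1X, RFC 2865, RFC 3579).
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0
RADIUS_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253   # RADIUS attribute length octet covers the 2-byte header too

# Constructed sample addresses.
AUTH_MAC = bytes.fromhex("020000000001")
SUP_MAC = bytes.fromhex("020000000002")


def eap_from_eapol_frame(frame):
    """Strip Ethernet and EAPoL headers; return the EAP packet (None for non-EAP PDUs)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None
    return frame[18:18 + length]


def eap_to_eapol_frame(dst, src, eap):
    """Wrap an EAP packet (e.g. one returned by the AS) into an EAPoL EAP-Packet frame."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def eap_message_attributes(eap):
    """Split an EAP packet into EAP-Message attributes of at most 253 value octets each."""
    chunks = [eap[i:i + MAX_ATTR_VALUE] for i in range(0, len(eap), MAX_ATTR_VALUE)]
    return [struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(c)) + c for c in chunks]


def build_access_request(identifier, request_authenticator, attributes, secret):
    """Access-Request with the given attributes plus a Message-Authenticator (RFC 3579 s3.2)."""
    body = b"".join(attributes) + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = (struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body))
              + request_authenticator + body)
    # HMAC-MD5 keyed with the shared secret over the whole packet, MA value zeroed.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def iter_attributes(packet):
    """Yield (type, value, offset_of_value) for each attribute after the 20-byte header."""
    offset = 20
    while offset < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[offset:offset + 2])
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, packet[offset + 2:offset + attr_len], offset + 2
        offset += attr_len


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC-MD5 with the stored value zeroed; compare in constant time."""
    for attr_type, value, value_offset in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = bytearray(packet)
            zeroed[value_offset:value_offset + 16] = bytes(16)
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # RFC 3579: EAP-Message without Message-Authenticator is discarded


def eap_from_radius(packet):
    """Concatenate EAP-Message values (in order) back into the original EAP packet."""
    return b"".join(v for t, v, _ in iter_attributes(packet) if t == ATTR_EAP_MESSAGE)


def relay_identity_response(secret, request_authenticator=None):
    """Constructed walk-through: Supplicant EAP-Response/Identity -> RADIUS Access-Request."""
    identity = b"alice"   # constructed sample identity
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity  # Response, id 1, Identity
    frame = eap_to_eapol_frame(AUTH_MAC, SUP_MAC, eap)                  # as sent on the LAN
    extracted = eap_from_eapol_frame(frame)
    ra = request_authenticator if request_authenticator is not None else os.urandom(16)
    request = build_access_request(1, ra, eap_message_attributes(extracted), secret)
    return eap, request


if __name__ == "__main__":
    eap, req = relay_identity_response(b"constructed-shared-secret")
    print(eap.hex(), len(req), verify_message_authenticator(req, b"constructed-shared-secret"))
```

The "secure RADIUS channel" the text relies on is only as strong as this check and the shared secret behind it: an Authenticator that forwards EAP without Message-Authenticator, or an AS that accepts such requests, lets a host on the path between them alter the EAP conversation without detection.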
Flexible Framework

The X-Calibur framework contains APIs and abstractions to
integrate the client or the server side of any EAP based
authentication protocol into the Supplicant or Authenticator
module respectively. It also includes flexible hooks to
configure the operational parameters of the Supplicant and
Authenticator. Management capabilities include the ability to
maintain and retrieve the Authenticator statistics through a MIB
interface, and to override the protocol by statically
configuring the access control of an Authenticator port
(force-authorized or force-unauthorized). X-Calibur's 802.1X
implementation also supports transmitting key information
between the Authenticator and the Supplicant once authentication
is successful, if the server supports it. Reference
implementations of various EAP types are included, including
EAP-TLS, PEAP and EAP-TTLS.