Technical Overview


EX Series switches support endpoint access control through the 802.1X port-based network access control standard. When 802.1X authentication is enabled on a port, the switch (known as the authenticator) blocks all traffic to and from the end device (known as a supplicant) until the supplicant’s credentials are presented and matched on an authentication server. The authentication server is typically a RADIUS server or a policy manager, such as Aruba ClearPass Policy Manager, that acts as a RADIUS server. After the supplicant is authenticated, the switch opens the port to the supplicant.

Figure 1 illustrates the authentication process. The supplicant and authenticator communicate with each other by exchanging Extensible Authentication Protocol over LAN (EAPoL) packets carried by the 802.1X protocol. The authenticator and the RADIUS server communicate by exchanging EAP packets carried by the RADIUS protocol.

Figure 1: 802.1X Authentication Process

The 802.1X protocol supports a number of different versions of the EAP protocol. This configuration example uses PEAP. PEAP encapsulates EAP packets within an encrypted and authenticated Transport Layer Security (TLS) tunnel. Because it sets up the tunnel and is not directly involved with authenticating the endpoints, it is referred to as the outer authentication protocol. PEAP is usually paired with an inner authentication protocol that authenticates the endpoints. The most commonly used inner authentication protocol is Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2). MS-CHAPv2 allows authentication to databases that support the MS-CHAPv2 format, such as Microsoft Active Directory.

Not all endpoints use or support an 802.1X supplicant. Endpoints that don’t use 802.1X can be authenticated using MAC RADIUS authentication. With MAC RADIUS authentication, the switch passes the MAC address of the endpoint to the RADIUS server, which tries to match the MAC address against a list of MAC addresses in its database. If the endpoint’s MAC address matches an address in the list, the endpoint is authenticated.

You can configure both 802.1X and MAC RADIUS authentication methods on the interface. In this case, the switch first attempts to authenticate using 802.1X, and if that method fails, it attempts to authenticate the end device using MAC RADIUS authentication. If you know that only endpoints that are not 802.1X-enabled connect on the interface, you can eliminate the delay that occurs while the switch determines that the end device is not 802.1X-enabled by configuring the mac-radius restrict option. When this option is configured, the switch does not attempt to authenticate the endpoint through 802.1X authentication and instead immediately sends a request to the RADIUS server for authentication of the MAC address of the endpoint.

EX Series switches also support dynamic VLANs and firewall filters. As part of the authentication process, a RADIUS server can return IETF-defined attributes to the switch that provide VLAN and firewall filter information. You can, for example, configure a policy manager such as Aruba ClearPass to pass different RADIUS attributes back to the switch based on the policies you have defined for different users, endpoint types, authentication methods, and so forth. The switch dynamically changes the VLAN or firewall filter assigned to the port according to the RADIUS attributes it receives.
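
The following sketch is an added example, not Juniper or Aruba code. It shows how the VLAN and firewall filter information described above can be read out of a RADIUS Access-Accept. The page does not name the attributes; the example assumes the usual IETF ones (Filter-Id from RFC 2865, and the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID triple from RFC 2868 and RFC 3580). The packet and the VLAN and filter names are constructed samples.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2868; VLAN values from RFC 3580.
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 11, 64, 65, 81
ACCESS_ACCEPT, TT_VLAN, TM_IEEE_802 = 2, 13, 6

def parse_attributes(packet):
    """Return (code, {type: first value}) for one RADIUS packet, bounds-checked."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: 1 tag byte + 3-byte integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None

def port_policy(packet):
    """Return {'vlan', 'filter'} from an Access-Accept, or None for other codes."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    policy = {"vlan": None, "filter": None}
    if FILTER_ID in attrs:
        policy["filter"] = attrs[FILTER_ID].decode("utf-8", "replace")
    pgid = attrs.get(TUNNEL_PGID, b"")
    if pgid and pgid[0] <= 0x1F:      # leading tag byte, not part of the name
        pgid = pgid[1:]
    # Honour the VLAN only when the full RFC 3580 triple is present and consistent.
    if (tagged_int(attrs.get(TUNNEL_TYPE, b"")) == TT_VLAN
            and tagged_int(attrs.get(TUNNEL_MEDIUM, b"")) == TM_IEEE_802 and pgid):
        policy["vlan"] = pgid.decode("utf-8", "replace")
    return policy

def build_packet(code, attrs):
    """Constructed sample packet; the authenticator is zeroed and not verified here."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_packet(ACCESS_ACCEPT, [   # constructed: names are placeholders
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM, b"\x00\x00\x00\x06"),
    (TUNNEL_PGID, b"employee-vlan"), (FILTER_ID, b"example-filter")])
```

A reply that carries only part of the VLAN triple yields no VLAN, so a caller applying this result would leave the port on its statically configured VLAN.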