IEEE 802.1X
Local and metropolitan area networks - Port-Based Network Access Control
| Field | Value |
|---|---|
| Organization | IEEE |
| Publication Date | 15 November 2004 |
| Status | inactive |
| Page Count | 179 |
Scope
IEEE 802® Local Area Networks (or LANs; see 3.4 in IEEE Std 802.1D™) are often deployed in environments that permit unauthorized devices to be physically attached to the LAN infrastructure, or permit unauthorized users to attempt to access the LAN through equipment already attached. Examples of such environments include corporate LANs that provide LAN connectivity in areas of a building that are accessible to the general public, and LANs that are deployed by one organization in order to offer connectivity services to other organizations (for example, as may occur in a business park or a serviced office building). In such environments, it is desirable to restrict access to the services offered by the LAN to those users and devices that are permitted to make use of those services.
Port-based network access control makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in which the authentication and authorization process fails. A port in this context is a single point of attachment to the LAN infrastructure. Examples of ports in which the use of authentication can be desirable include the Ports of Media Access Control (MAC) Bridges (as specified in IEEE Std 802.1D), the ports used to attach servers or routers to the LAN infrastructure, and associations between stations and access points in IEEE 802.11™ Wireless LANs.
Purpose
For the purpose of providing compatible authentication and authorization mechanisms for devices interconnected by IEEE 802 LANs, this standard specifies a general method for the provision of port-based network access control. To this end, it
a) Describes the architectural framework within which the authentication, and consequent actions, take place
b) Defines the principles of operation of the access control mechanisms
c) Defines the different levels of access control that are supported, and the behavior of the port with respect to the transmission and reception of frames at each level of access control
d) Establishes the requirements for a protocol between the device that requires the authentication to take place (the Authenticator; see 3.1.1) and the device that is attached to the Authenticator's port (the Supplicant; see 3.1.12)
e) Establishes the requirements for a protocol between the Authenticator and an Authentication Server (see 3.1.4)
f) Specifies mechanisms and procedures that support network access control through the use of authentication and authorization protocols
g) Specifies the encoding of the Protocol Data Units (PDUs) used in authentication and authorization protocol exchanges
h) Establishes the requirements for management of port-based access control, identifying the managed objects and defining the management operations
i) Specifies how the management operations are made available to a remote manager using the protocol and architectural description provided by the Simple Network Management Protocol (SNMP) (IETF RFC 3411)
j) Specifies the requirements to be satisfied by equipment claiming conformance to this standard