Adoption Standard – Active. Port-based network access control allows a network administrator to restrict the use of IEEE 802(R) LAN service access points (ports) to secure communication between authenticated and authorized devices. This standard specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method independent protocols that are used to discover and establish the security associations used by IEEE 802.1AE(TM) MAC Security.

PDF Catalog

PDF Pages	PDF Title
5	IEEE Std 802.1X-2010 Front cover
7	Title page
10	Introduction Notice to users Laws and regulations
11	Copyrights Updating of IEEE documents Errata Interpretations Patents
12	Contents
16	List of figures
18	List of tables
19	Important notice 1. Overview 1.1 Scope 1.2 Purpose
20	1.3 Introduction 1.4 Provisions of this standard
22	2. Normative references
24	3. Definitions
28	4. Acronyms and abbreviations
30	5. Conformance 5.1 Requirements terminology 5.2 Protocol Implementation Conformance Statement
31	5.3 Conformant systems and system components 5.4 PAE requirements
32	5.5 PAE options 5.6 Supplicant requirements 5.7 Supplicant options 5.7.1 Integration with IEEE Std 802.1AR 5.8 Authenticator requirements 5.9 Authenticator options
33	5.9.1 Integration with IEEE Std 802.1AR 5.10 MKA requirements 5.11 MKA options 5.11.1 Support for PSKs 5.11.2 Key Server support for Group CAs 5.11.3 CAK Cache
34	5.12 Virtual port requirements 5.13 Virtual port options 5.14 Announcement transmission requirements
35	5.15 Announcement transmission options 5.16 Announcement reception requirements 5.17 Announcement reception options 5.18 Requirements for SNMP access to the PAE MIB 5.19 Options for SNMP access to the PAE MIB 5.20 PAC requirements
36	5.21 System recommendations 5.22 Prohibitions
37	6. Principles of port-based network access control operation 6.1 Port-based network access control architecture
39	6.2 Key hierarchy
41	6.2.1 Key derivation function (KDF) 6.2.2 Using EAP for CAK key derivation
43	6.2.3 CAK caching and scope 6.2.4 Algorithm agility 6.3 Port Access Entity (PAE) 6.3.1 Authentication exchanges
44	6.3.2 Key agreement
45	6.3.3 Pre-shared keys 6.3.4 Interoperability and connectivity
46	6.3.5 Network announcements, identity, authentication requirements, and status 6.3.6 Multi-access LANs
47	6.4 Port Access Controller (PAC)
48	6.4.1 Uncontrolled Port transmission and reception 6.4.2 Controlled Port transmission and reception 6.4.3 PAC management
49	6.5 Link aggregation
50	6.6 Use of this standard by IEEE Std 802.11
51	7. Port-based network access control applications 7.1 Host access with physically secure LANs
52	7.1.1 Assumptions and requirements 7.1.2 System configuration and operation
53	7.1.3 Connectivity to unauthenticated systems
54	7.2 Infrastructure support with physically secure LANs
55	7.2.1 Assumptions and requirements
56	7.2.2 System configuration and operation 7.3 Host access with MACsec and point-to-point LANs 7.3.1 Assumptions and requirements
57	7.3.2 System configuration and operation 7.3.3 Connectivity to unauthenticated systems 7.4 Use with MACsec to support infrastructure LANs
58	7.4.1 Assumptions and requirements 7.4.2 System configuration and operation 7.4.3 Connectivity to unauthenticated systems
59	7.5 Host access with MACsec and a multi-access LAN
60	7.5.1 Assumptions and requirements 7.5.2 System configuration and operation 7.5.3 Connectivity to unauthenticated systems
62	7.6 Group host access with MACsec
63	7.6.1 Assumptions and requirements 7.6.2 System configuration and operation 7.7 Use with MACsec to support virtual shared media infrastructure LANs
64	7.7.1 Assumptions and requirements 7.7.2 System configuration and operation
66	8. Authentication using EAP
67	8.1 PACP Overview
68	8.2 Example EAP exchanges
69	8.3 PAE higher layer interface
70	8.4 PAE Client interface
72	8.5 EAPOL transmit and receive 8.6 Supplicant and Authenticator PAE timers
73	8.7 Supplicant PACP state machine, variables, and procedures 8.8 Supplicant PAE counters
75	8.9 Authenticator PACP state machine, variables, and procedures
76	8.10 Authenticator PAE counters 8.11 EAP methods 8.11.1 MKA and EAP methods
77	8.11.2 Integration with IEEE Std 802.1AR and EAP methods
78	9. MACsec Key Agreement protocol (MKA)
79	9.1 Protocol design requirements
80	9.2 Protocol support requirements 9.2.1 Random number generation 9.2.2 SC identification 9.3 MKA key hierarchy 9.3.1 CAK identification
81	9.3.2 CAK Independence 9.3.3 Derived keys
82	9.4 MKA transport
83	9.4.1 Message authentication 9.4.2 Member identification and message numbers
84	9.4.3 Determining liveness 9.4.4 MKPDU information elements and application data 9.4.5 Addressing
85	9.5 Key server election
86	9.5.1 MKPDU application data 9.6 Use of MACsec
87	9.6.1 MKPDU application data 9.7 Cipher suite selection 9.7.1 MKPDU application data 9.8 SAK generation, distribution, and selection
89	9.8.1 SAK generation 9.8.2 Use of AES Key Wrap 9.8.3 MKPDU application data 9.9 SA assignment
90	9.9.1 MKPDU application data 9.10 SAK installation and use 9.10.1 MKPDU application data
91	9.11 Connectivity change detection 9.12 CA formation and group CAK distribution 9.12.1 Use of AES Key Wrap 9.12.2 MKPDU application data
92	9.13 Secure announcements 9.13.1 MKPDU application data 9.14 MKA participant creation and deletion
93	9.15 MKA participant timer values
94	9.16 MKA management
96	9.17 MKA SAK distribution examples 9.17.1 Two participants 9.17.2 Another participant joins
98	10. Network announcements 10.1 Announcement information
101	10.2 Making and requesting announcements
103	10.3 Receiving announcements 10.4 Managing announcements
105	11. EAPOL PDUs 11.1 EAPOL PDU transmission, addressing, and protocol identification 11.1.1 Destination MAC address
106	11.1.2 Source MAC address
107	11.1.3 Priority 11.1.4 Ethertype use and encoding 11.2 Representation and encoding of octets
108	11.3 Common EAPOL PDU structure 11.3.1 Protocol Version 11.3.2 Packet Type
109	11.3.3 Packet Body Length 11.3.4 Packet Body 11.4 Validation of received EAPOL PDUs
110	11.5 EAPOL protocol version handling
111	11.6 EAPOL-Start
112	11.7 EAPOL-Logoff 11.8 EAPOL-EAP 11.9 EAPOL-Key
113	11.10 EAPOL-Encapsulated-ASF-Alert 11.11 EAPOL-MKA
115	11.11.1 MKA parameter encoding
120	11.11.2 Validation of MKPDUs
121	11.11.3 Encoding MKPDUs 11.11.4 Decoding MKPDUs
122	11.12 EAPOL-Announcement
123	11.12.1 Network Identity (NID) Set TLV
124	11.12.2 Access Information TLV 11.12.3 MACsec Cipher Suites TLV
125	11.12.4 Key Management Domain TLV 11.12.5 Organizationally Specific and Organizationally Specific Set TLVs
126	11.12.6 Validation of EAPOL-Announcements 11.12.7 Encoding EAPOL-Announcements 11.12.8 Decoding EAPOL-Announcements
127	11.13 EAPOL-Announcement-Req
128	12. PAE operation 12.1 Model of operation
130	12.2 KaY interfaces
132	12.3 CP state machine interfaces 12.4 CP state machine
133	12.4.1 CP state machine variables and timers
134	12.5 Logon Process
136	12.5.1 Session statistics 12.6 CAK cache
137	12.7 Virtual port creation and deletion
138	12.8 EAPOL Transmit and Receive Process
139	12.8.1 EAPOL frame reception statistics 12.8.2 EAPOL frame reception diagnostics
140	12.8.3 EAPOL frame transmission statistics
141	12.9 PAE management 12.9.1 System level PAE management
142	12.9.2 Identifying PAEs and their capabilities 12.9.3 Initialization
144	13. PAE MIB 13.1 The Internet Standard Management Framework 13.2 Structure of the MIB 13.3 Relationship to other MIBs 13.3.1 System MIB Group 13.3.2 Relationship to the Interfaces MIB
146	13.3.3 Relationship to the MAC Security MIB
152	13.4 Security considerations
153	13.5 Definitions for PAE MIB
199	Annex A (normative) PICS proforma A.1 Introduction A.2 Abbreviations and special symbols
200	A.3 Instructions for completing the PICS proforma
202	A.4 PICS proforma for IEEE 802.1X
203	A.5 Major capabilities and options
204	A.6 PAE requirements and options A.7 Supplicant requirements and options
205	A.8 Authenticator requirements and options
206	A.9 MKA requirements and options
207	A.10 Announcement transmission requirements A.11 Announcement reception requirements A.12 Management and remote management
208	A.13 Virtual ports A.14 PAC
209	Annex B (informative) Bibliography
211	Annex C (normative) State diagram notation
213	Annex D (normative) Basic architectural concepts and terms D.1 Protocol entities, peers, layers, services, and clients D.2 Service interface primitives, parameters, and frames
214	D.3 Layer management interfaces D.4 Service access points, interface stacks, and ports
215	D.5 Media independent protocols and shims D.6 MAC Service clients
216	D.7 Stations and systems D.8 Connectionless connectivity and connectivity associations
217	Annex E (informative) IEEE 802.1X EAP and RADIUS usage guidelines E.1 EAP Session-Id E.2 RADIUS Attributes for IEEE 802 Networks
218	Annex F (informative) Support for ‘Wake-on-LAN’ protocols
219	Annex G (informative) Unsecured multi-access LANs
221	Annex H (informative) Test vectors H.1 KDF H.2 CAK Key Derivation
222	H.3 CKN Derivation H.4 KEK Derivation H.5 ICK Derivation
223	H.6 SAK Derivation
224	Annex I (informative) IEEE list of participants
226	Blank Page

Published By	Publication Date	Number of Pages
IEEE	2013


PDF Format	Searchable	Printable	Preview Now

Standard Title	IEEE/ISO/IEC Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Part 1X: Port-based network access control
Published Code	IEEE
Publication Date	2013

IEEE 8802-1X-2013

PDF Catalog

Related products