The 7705 SAR supports network access control over client devices on an Ethernet network using the IEEE 802.1x standard. 802.1x is a standard for authenticating Ethernet devices before they can access the network. In the case of the 7705 SAR, authentication is performed using Extensible Authentication Protocol (EAP) over LAN (EAPOL).
802.1x provides protection against unauthorized access by forcing the device connected to the 7705 SAR to go through an authentication phase before it is able to send any non-EAP packets. Only EAPOL frames can be exchanged between the aggregation device (called the authenticator; for example, the 7705 SAR) and the customer device (called the supplicant) until authentication is successfully completed. The 7705 SAR enables the port after successful authentication. While the port is unauthenticated, the port will be ‟down” to all upper layer protocols or services.
A typical use for EAPOL would involve a 7705 SAR and some type of Ethernet device, such as a laptop, a set-top box, or a Node B. An authentication server would negotiate with the Ethernet device through the 7705 SAR (whose role is authenticator). For example, a technician using a laptop to gain access to his or her network at a cell site would have his or her laptop subject to the 802.1x access control, just as the Node B would. In every case, the Ethernet device connected to the 7705 SAR must negotiate for network access. Essentially, with EAPOL in use, any Ethernet device that connects to the 7705 SAR must negotiate for permission to send traffic through the 7705 SAR Ethernet port.
The 7705 SAR supports the following EAP methods: MD5, TLS, TTLS, and PEAPv0.
MAC authentication can be used to authenticate client devices that do not support EAP. For more information, see MAC Authentication.
This section describes the following: