Telecommunications and exchange between information technology systems — Requirements for local and metropolitan area networks — Part 1X: Port-based network access control

Port-based network access control allows a network administrator to restrict the use of IEEE 802 local area network (LAN) service access points (ports) to secure communication between authenticated and authorized devices. ISO/IEC/IEEE 8802-1X:2013 specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method independent protocols that are used to discover and establish the security associations used by ISO/IEC/IEEE 8802.1AE MAC Security.

Télécommunications et échange entre systèmes informatiques — Exigences pour les réseaux locaux et métropolitains — Partie 1X: Contrôle d'accès au réseau basé sur le port

General Information

Status
Withdrawn
Publication Date
25-Nov-2013
Withdrawal Date
25-Nov-2013
Current Stage
9599 - Withdrawal of International Standard
Completion Date
15-Dec-2021
Ref Project

Relations

Buy Standard

Standard
ISO/IEC/IEEE 8802-1X:2013 - Telecommunications and exchange between information technology systems -- Requirements for local and metropolitan area networks
English language
207 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC/
STANDARD IEEE
8802-1X
First edition
2013-12-01


Information technology —
Telecommunications and information
exchange between systems — Local and
metropolitan area networks —
Part 1X:
Port-based network access control
Technologies de l'information — Télécommunications et échange
d'information entre systèmes — Réseaux locaux et métropolitains —
Partie 1X: Contrôle d'accès au réseau basé sur le port




Reference number
ISO/IEC/IEEE 8802-1X:2013(E)

©
IEEE 2010

---------------------- Page: 1 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)

COPYRIGHT PROTECTED DOCUMENT


©  IEEE 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any
means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without permission in writing from ISO,
IEC or IEEE at the respective address below.
ISO copyright office IEC Central Office Institute of Electrical and Electronics Engineers, Inc.
Case postale 56 3, rue de Varembé 3 Park Avenue, New York
CH-1211 Geneva 20 CH-1211 Geneva 20 NY 10016-5997, USA
Tel. + 41 22 749 01 11 Switzerland E-mail stds.ipr@ieee.org
Fax + 41 22 749 09 47 E-mail inmail@iec.ch Web www.ieee.org
E-mail copyright@iso.org Web www.iec.ch
Web www.iso.org
Published in Switzerland

ii © IEEE 2010 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees established
by the respective organization to deal with particular fields of technical activity. ISO and IEC technical
committees collaborate in fields of mutual interest. Other international organizations, governmental and non-
governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO
and IEC have established a joint technical committee, ISO/IEC JTC 1.
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards
through a consensus development process, approved by the American National Standards Institute, which
brings together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers
are not necessarily members of the Institute and serve without compensation. While the IEEE administers the
process and establishes rules to promote fairness in the consensus development process, the IEEE does not
independently evaluate, test, or verify the accuracy of any of the information contained in its standards.
The main task of ISO/IEC JTC 1 is to prepare International Standards. Draft International Standards adopted
by the joint technical committee are circulated to national bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is called to the possibility that implementation of this standard may require the use of subject matter
covered by patent rights. By publication of this standard, no position is taken with respect to the existence or
validity of any patent rights in connection therewith. ISO/IEEE is not responsible for identifying essential
patents or patent claims for which a license may be required, for conducting inquiries into the legal validity or
scope of patents or patent claims or determining whether any licensing terms or conditions provided in
connection with submission of a Letter of Assurance or a Patent Statement and Licensing Declaration Form, if
any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly
advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is
entirely their own responsibility. Further information may be obtained from ISO or the IEEE Standards
Association.
ISO/IEC/IEEE 8802-1X was prepared by the LAN/MAN Standards Committee of the IEEE Computer Society
(as IEEE Std 802.1X-2010). It was adopted by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in parallel
with its approval by the ISO/IEC national bodies, under the “fast-track procedure” defined in the Partner
Standards Development Organization cooperation agreement between ISO and IEEE. IEEE is responsible for
the maintenance of this document with participation and input from ISO/IEC national bodies.
ISO/IEC/IEEE 8802 consists of the following parts, under the general title Information technology —
Telecommunications and information exchange between systems — Local and metropolitan area networks:
— Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications
— Part 1X: Port-based network access control
— Part 1AE: Media access control (MAC) security
— Part 15-4: Wireless medium access control (MAC) and physical layer (PHY) specifications for low-rate
wireless personal area networks (WPANs)
© IEEE 2010 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)

(Blank page)
iv © IEEE 2010 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
�����������������
� ��������������������������������������
����!�����"�������#������$������
�����$���%����������&
����������������
� !"# !���$��$����%�&&�����
����
’�($�)� ���*��
���������������������
!�+�,��)-�!,�����.�/001-�2� ��
������������
����������������������
/�3���*$�������
Copyright © 2010 IEEE. All rights reserved.
v
4#
������

---------------------- Page: 5 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
(Blank page)
vi Copyright © 2010 IEEE. All rights reserved.

---------------------- Page: 6 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)

IEEE Std 802.1X -2010
(Revision of
IEEE Std 802.1X-2004)
IEEE Standard for
Local and metropolitan area networks—
Port-Based Network Access Control
Sponsor
LAN/MAN Standards Committee
of the
IEEE Computer Society
Approved 2 February 2010
IEEE-SA Standards Board
Copyright © 2010 IEEE. All rights reserved.
vii

---------------------- Page: 7 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
Abstract: Port-based network access control allows a network administrator to restrict the use of
®
IEEE 802 LAN service access points (ports) to secure communication between authenticated and
authorized devices. This standard specifies a common architecture, functional elements, and
protocols that support mutual authentication between the clients of ports attached to the same LAN
and that secure communication between the ports, including the media access method
independent protocols that are used to discover and establish the security associations used by

IEEE 802.1AE MAC Security.
Keywords: access control, authentication, authorization, controlled port, key agreement, LANs,
local area networks, MAC security, MAC Service, MANs, metropolitan area networks, port-based
network access control, secure association, security, service access point, uncontrolled port
The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA
Copyright © 2010 by the Institute of Electrical and Electronics Engineers, Inc.
All rights reserved. Published 5 February 2010. Printed in the United States of America
IEEE and 802 are registered trademarks in the U.S. Patent & Trademark Office, owned by The Institute of Electrical and
Electronics Engineers, Incorporated.
PDF: ISBN 978-0-7381-6145-7 STD96008
Print: ISBN 978-0-7381-6146-4 STDPD96008
IEEE prohibits discrimination, harassment, and bullying. For more information, visit http://www.ieee.org/web/aboutus/
whatis/policies/p9-26.html.
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior
written permission of the publisher.
Copyright © 2010 IEEE. All rights reserved.
viii

---------------------- Page: 8 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating Committees of the
IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards through a consensus
development process, approved by the American National Standards Institute, which brings together volunteers
representing varied viewpoints and interests to achieve the final product. Volunteers are not necessarily members of the
Institute and serve without compensation. While the IEEE administers the process and establishes rules to promote fairness
in the consensus development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of the
information or the soundness of any judgments contained in its standards.
Use of an IEEE Standard is wholly voluntary. The IEEE disclaims liability for any personal injury, property or other
damage, of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting
from the publication, use of, or reliance upon this, or any other IEEE Standard document.
The IEEE does not warrant or represent the accuracy or content of the material contained herein, and expressly disclaims
any express or implied warranty, including any implied warranty of merchantability or fitness for a specific purpose, or that
the use of the material contained herein is free from patent infringement. IEEE Standards documents are supplied “AS IS.”
The existence of an IEEE Standard does not imply that there are no other ways to produce, test, measure, purchase, market,
or provide other goods and services related to the scope of the IEEE Standard. Furthermore, the viewpoint expressed at the
time a standard is approved and issued is subject to change brought about through developments in the state of the art and
comments received from users of the standard. Every IEEE Standard is subjected to review at least every five years for
revision or reaffirmation, or every ten years for stabilization. When a document is more than five years old and has not been
reaffirmed, or more than ten years old and has not been stabilized, it is reasonable to conclude that its contents, although still
of some value, do not wholly reflect the present state of the art. Users are cautioned to check to determine that they have the
latest edition of any IEEE Standard.
In publishing and making this document available, the IEEE is not suggesting or rendering professional or other services
for, or on behalf of, any person or entity. Nor is the IEEE undertaking to perform any duty owed by any other person or
entity to another. Any person utilizing this, and any other IEEE Standards document, should rely upon the advice of a
competent professional in determining the exercise of reasonable care in any given circumstances.
Interpretations: Occasionally questions may arise regarding the meaning of portions of standards as they relate to specific
applications. When the need for interpretations is brought to the attention of IEEE, the Institute will initiate action to prepare
appropriate responses. Since IEEE Standards represent a consensus of concerned interests, it is important to ensure that any
interpretation has also received the concurrence of a balance of interests.For this reason, IEEE and the members of its
societies and Standards Coordinating Committees are not able to provide an instant response to interpretation requests
except in those cases where the matter has previously received formal consideration. A statement, written or oral, that is not
processed in accordance with the IEEE-SA Standards Board Operations Manual shall not be considered the official position
of IEEE or any of its committees and shall not be considered to be, nor be relied upon as, a formal interpretation of the
IEEE.At lectures, symposia, seminars, or educational courses, an individual presenting information on IEEE standards shall
make it clear that his or her views should be considered the personal views of that individual rather than the formal position,
explanation, or interpretation of the IEEE. Comments for revision of IEEE Standards are welcome from any interested
party, regardless of membership affiliation with IEEE. Suggestions for changes in documents should be in the form of a
proposed change of text, together with appropriate supporting comments. Recommendations to change the status of a
stabilized standard should include a rationale as to why a revision or withdrawal is required.
Comments and recommendations on standards, and requests for interpretations should be addressed to:
Secretary, IEEE-SA Standards Board
445 Hoes Lane
Piscataway, NJ 08854
USA
Authorization to photocopy portions of any individual standard for internal or personal use is granted by the Institute of
Electrical and Electronics Engineers, Inc., provided that the appropriate fee is paid to Copyright Clearance Center. To
arrange for payment of licensing fee, please contact Copyright Clearance Center, Customer Service, 222 Rosewood Drive,
Danvers, MA 01923 USA; +1 978 750 8400. Permission to photocopy portions of any individual standard for educational
classroom use can also be obtained through the Copyright Clearance Center.
Copyright © 2010 IEEE. All rights reserved.
ix

---------------------- Page: 9 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
Introduction

This introduction is not part of IEEE Std 802.1X-2010, IEEE Standard for Local and Metropolitan Area
Networks—Port-Based Network Access Control.
Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN
service access points (ports) to secure communication between authenticated and authorized devices. IEEE
Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication
between the clients of ports attached to the same LAN and secure communication between the ports.
The first edition of IEEE Std 802.1X was published in 2001. The second edition, IEEE Std 802.1X-2004,
clarified areas related to mutual authentication and the interface between IEEE 802.1X specified state

machine, and those specified by the Extensible Authentication Protocol (EAP), and by IEEE Std 802.11 in
support of IEEE Std 802.1X.

Work on this edition, IEEE Std 802.1X-2010, began as IEEE P802.1af —an amendment to specify
authenticated key agreement in support of IEEE 802.1AE MAC Security. Part of that work clarified and
generalized the relationship between the common architecture specified for port-based network access
control, and the functional elements and protocols that support that architecture as specified in IEEE Std
802.1X, other IEEE 802 Standards, and in IETF RFCs. The extent of the changes necessary to IEEE Std
802.1X-2004 made it appropriate to revise IEEE Std 802.1X as a whole. Further changes updated the
standard to reflect best current practice, insisting, for example, upon mutual authentication methods and
using such methods in examples. A greater emphasis is placed on the security of systems accessing the
network, as well as upon the security of the network accessed, and some prior provisions, such as the
‘controlled directions’ parameters, have been removed and replaced with a more comprehensive treatment
of segregating and limiting connectivity to unauthenticated systems.
Every effort has been made to maintain interoperability, without prior configuration, with implementations
conforming to IEEE Std 802.1X-2004 and IEEE Std 802.1X-2001. However it is anticipated that claims of
conformance in respect of some existing implementations will continue to refer to IEEE Std 802.1X-2004.
Changes to the functionality provided by that prior edition and its documentation include those detailed in
the following paragraph.
This edition, IEEE Std 802.1X-2010, describes applications of port-based network access that use IEEE
802.1AE MAC Security (MACsec) and/or MKA (MACsec Key Agreement protocol) as well as those
previously supported. The specification of the use of EAP for authentication has been updated, enforcing a
stricter separation between the port access control protocol (PACP), local to the Supplicant and
Authenticator, and the EAP state machines proper. Details of particular EAP methods are no longer
interpreted by the PACP machines. The existing EAPOL (EAP over LANs) PDU formats have not been
modified, but additional EAPOL PDUs have been added to support MKA and the specification of EAPOL
improved. The bibliography, previously Annex F, has been moved to Annex B. The discussions previously
in Annex B and Annex C have been updated and integrated into the main body of the standard. The state
machine diagram and language conventions, now used by a number of clauses in the standard, have been
moved to a new Annex C.
Notice to users
Laws and regulations
Users of these documents should consult all applicable laws and regulations. Compliance with the
provisions of this standard does not imply compliance to any applicable regulatory requirements.
x Copyright © 2010 IEEE. All rights reserved.

---------------------- Page: 10 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
Implementers of the standard are responsible for observing or referring to the applicable regulatory
requirements. IEEE does not, by the publication of its standards, intend to urge action that is not in
compliance with applicable laws, and these documents may not be construed as doing so.
Copyrights
This document is copyrighted by the IEEE. It is made available for a wide variety of both public and private
uses. These include both use, by reference, in laws and regulations, and use in private self-regulation,
standardization, and the promotion of engineering practices and methods. By making this document
available for use and adoption by public authorities and private users, the IEEE does not waive any rights in
copyright to this document.
Updating of IEEE documents
Users of IEEE standards should be aware that these documents may be superseded at any time by the
issuance of new editions or may be amended from time to time through the issuance of amendments,
corrigenda, or errata. An official IEEE document at any point in time consists of the current edition of the
document together with any amendments, corrigenda, or errata then in effect. In order to determine whether
a given document is the current edition and whether it has been amended through the issuance of
amendments, corrigenda, or errata, visit the IEEE Standards Association website at http://
ieeexplore.ieee.org/xpl/standards.jsp, or contact the IEEE at the address listed previously.
For more information about the IEEE Standards Association or the IEEE standards development process,
visit the IEEE-SA website at http://standards.ieee.org.
Errata
Errata, if any, for this and all other standards can be accessed at the following URL: http://
standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL for
errata periodically.
Interpretations
Current interpretations can be accessed at the following URL: http://standards.ieee.org/reading/ieee/interp/
index.html.
Patents
Attention is called to the possibility that implementation of this amendment may require use of subject
matter covered by patent rights. By publication of this amendment, no position is taken with respect to the
existence or validity of any patent rights in connection therewith. The IEEE is not responsible for identifying
Essential Patent Claims for which a license may be required, for conducting inquiries into the legal validity
or scope of Patents Claims or determining whether any licensing terms or conditions provided in connection
with submission of a Letter of Assurance, if any, or in any licensing agreements are reasonable or non-
discriminatory. Users of this amendment are expressly advised that determination of the validity of any
patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further
information may be obtained from the IEEE Standards Association.
Copyright © 2010 IEEE. All rights reserved. xi

---------------------- Page: 11 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
Contents
1. Overview. 1
1.1 Scope. 1
1.2 Purpose. 1
1.3 Introduction. 2
1.4 Provisions of this standard. 2
2. Normative references. 4
3. Definitions . 6
4. Acronyms and abbreviations . 10
5. Conformance. 12
5.1 Requirements terminology.12
5.2 Protocol Implementation Conformance Statement. 12
5.3 Conformant systems and system components . 13
5.4 PAE requirements . 13
5.5 PAE options . 14
5.6 Supplicant requirements . 14
5.7 Supplicant options. 14
5.8 Authenticator requirements. 14
5.9 Authenticator options. 14
5.10 MKA requirements . 15
5.11 MKA options . 15
5.12 Virtual port requirements. 16
5.13 Virtual port options. 16
5.14 Announcement transmission requirements. 16
5.15 Announcement transmission options . 17
5.16 Announcement reception requirements . 17
5.17 Announcement reception options . 17
5.18 Requirements for SNMP access to the PAE MIB . 17
5.19 Options for SNMP access to the PAE MIB. 17
5.20 PAC requirements. 17
5.21 System recommendations .18
5.22 Prohibitions. 18
6. Principles of port-based network access control operation . 19
6.1 Port-based network access control architecture. 19
6.2 Key hierarchy. 21
6.3 Port Access Entity (PAE) . 25
6.4 Port Access Controller (PAC). 29
6.5 Link aggregation . 31
6.6 Use of this standard by IEEE Std 802.11. 32
7. Port-based network access control applications .33
7.1 Host access with physically secure LANs . 33
7.2 Infrastructure support with physically secure LANs . 36
7.3 Host access with MACsec and point-to-point LANs. 38
7.4 Use with MACsec to support infrastructure LANs . 39
7.5 Host access with MACsec and a multi-access LAN. 41
xii Copyright © 2010 IEEE. All rights reserved.

---------------------- Page: 12 ----------------------
ISO/IEC/IEEE 8802-1X:2013(E)
7.6 Group host access with MACsec . 44
7.7 Use with MACsec to support virtual shared media infrastructure LANs. 45
8. Authentication using EAP . 48
8.1 PACP Overview. 49
8.2 Example EAP exchanges . 50
8.3 PAE higher layer interface. 51
8.4 PAE Client interface . 52
8.5 EAPOL transmit and receive . 54
8.6 Supplicant and Authenticator PAE timers . 54
8.7 Supplicant PACP state machine, variables, and procedures. 55
8.8 Supplicant PAE counters . 55
8.9 Authenticator PACP state machine, variables, and procedures. 57
8.10 Authenticator PAE counters .58
8.11 EAP methods . 58
9. MACsec Key Agreement protocol (MKA) . 60
9.1 Protocol design requirements.61
9.2 Protocol support requirements . 62
9.3 MKA key hierarchy . 62
9.4 MKA transport. 64
9.5 Key server election . 67
9.6 Use of MACsec. 68
9.7 Cipher suite selection. 69
9.8 SAK generation, distribution, and selection . 69
9.9 SA assignment .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.