IEEE/ISO/IEC International Standard--Telecommunications and exchange between information technology systems--Requirements for local and metropolitan area networks--Part 1X: Port-based network access control, 2021
- IEEE Std 802.1X-2020 Front Cover
- Title page
- Important Notices and Disclaimers Concerning IEEE Standards Documents
- Participants
- Introduction
- Contents
- Figures
- Tables
- 1. Overview
- 1.1 Scope
- 1.2 Purpose
- 1.3 Introduction
- 1.4 Provisions of this standard
- 2. Normative references
- 3. Definitions
- 4. Acronyms and abbreviations
- 5. Conformance
- 5.1 Requirements terminology
- 5.2 Protocol Implementation Conformance Statement
- 5.3 Conformant systems and system components
- 5.4 PAE requirements
- 5.5 PAE options
- 5.6 Supplicant requirements
- 5.7 Supplicant options
- 5.7.1 Integration with IEEE Std 802.1AR
- 5.8 Authenticator requirements
- 5.9 Authenticator options
- 5.9.1 Integration with IEEE Std 802.1AR
- 5.10 MKA requirements
- 5.11 MKA options
- 5.11.1 Support for PSKs
- 5.11.2 Key Server support for Group CAs
- 5.11.3 CAK Cache
- 5.11.4 In-service upgrades
- 5.12 Virtual port requirements
- 5.13 Virtual port options
- 5.14 Announcement transmission requirements
- 5.15 Announcement transmission options
- 5.16 Announcement reception requirements
- 5.17 Announcement reception options
- 5.18 Requirements for SNMP access to the PAE MIB
- 5.19 Options for SNMP access to the PAE MIB
- 5.20 PAC requirements
- 5.21 System recommendations
- 5.22 Prohibitions
- 5.23 Requirement for YANG data model of a PAE
- 5.24 Options for YANG data model of a PAE
- 6. Principles of port-based network access control operation
- 6.1 Port-based network access control architecture
- 6.2 Key hierarchy
- 6.2.1 Key derivation function (KDF)
- 6.2.2 Using EAP for CAK key derivation
- 6.2.3 CAK caching and scope
- 6.2.4 Algorithm agility
- 6.3 Port Access Entity (PAE)
- 6.3.1 Authentication exchanges
- 6.3.2 Key agreement
- 6.3.3 Pre-shared keys
- 6.3.4 Interoperability and connectivity
- 6.3.5 Network announcements, identity, authentication requirements, and status
- 6.3.6 Multi-access LANs
- 6.4 Port Access Controller (PAC)
- 6.4.1 Uncontrolled Port transmission and reception
- 6.4.2 Controlled Port transmission and reception
- 6.4.3 PAC management
- 6.5 Link aggregation
- 6.6 Use of this standard by IEEE Std 802.11
- 7. Port-based network access control applications
- 7.1 Host access with physically secure LANs
- 7.1.1 Assumptions and requirements
- 7.1.2 System configuration and operation
- 7.1.3 Connectivity to unauthenticated systems
- 7.2 Infrastructure support with physically secure LANs
- 7.2.1 Assumptions and requirements
- 7.2.2 System configuration and operation
- 7.3 Host access with MACsec and point-to-point LANs
- 7.3.1 Assumptions and requirements
- 7.3.2 System configuration and operation
- 7.3.3 Connectivity to unauthenticated systems
- 7.4 Use with MACsec to support infrastructure LANs
- 7.4.1 Assumptions and requirements
- 7.4.2 System configuration and operation
- 7.4.3 Connectivity to unauthenticated systems
- 7.5 Host access with MACsec and a multi-access LAN
- 7.5.1 Assumptions and requirements
- 7.5.2 System configuration and operation
- 7.5.3 Connectivity to unauthenticated systems
- 7.6 Group host access with MACsec
- 7.6.1 Assumptions and requirements
- 7.6.2 System configuration and operation
- 7.7 Use with MACsec to support virtual shared media infrastructure LANs
- 7.7.1 Assumptions and requirements
- 7.7.2 System configuration and operation
- 8. Authentication using EAP
- 8.1 PACP Overview
- 8.2 Example EAP exchanges
- 8.3 PAE higher layer interface
- 8.4 PAE Client interface
- 8.5 EAPOL transmit and receive
- 8.6 Supplicant and Authenticator PAE timers
- 8.7 Supplicant PACP state machine, variables, and procedures
- 8.8 Supplicant PAE counters
- 8.9 Authenticator PACP state machine, variables, and procedures
- 8.10 Authenticator PAE counters
- 8.11 EAP methods
- 8.11.1 MKA and EAP methods
- 8.11.2 Integration with IEEE Std 802.1AR and EAP methods
- 9. MACsec Key Agreement protocol (MKA)
- 9.1 Protocol design requirements
- 9.2 Protocol support requirements
- 9.2.1 Random number generation
- 9.2.2 SC identification
- 9.3 MKA key hierarchy
- 9.3.1 CAK identification
- 9.3.2 CAK Independence
- 9.3.3 Derived keys
- 9.4 MKA transport
- 9.4.1 Message authentication
- 9.4.2 Member identification and message numbers
- 9.4.3 Determining liveness
- 9.4.4 MKPDU information elements and application data
- 9.4.5 Addressing
- 9.4.6 Active and passive participants
- 9.5 Key server election
- 9.5.1 MKPDU application data
- 9.6 Use of MACsec
- 9.6.1 MKPDU application data
- 9.7 Cipher suite selection
- 9.7.1 MKPDU application data
- 9.8 SAK generation, distribution, and selection
- 9.8.1 SAK generation
- 9.8.2 Use of AES Key Wrap
- 9.8.3 MKPDU application data
- 9.9 SA assignment
- 9.9.1 MKPDU application data
- 9.10 SAK installation and use
- 9.10.1 MKPDU application data
- 9.11 Connectivity change detection
- 9.12 CA formation and group CAK distribution
- 9.12.1 Use of AES Key Wrap
- 9.12.2 MKPDU application data
- 9.13 Secure announcements
- 9.13.1 MKPDU application data
- 9.14 MKA participant creation and deletion
- 9.15 MKA participant timer values
- 9.16 MKA management
- 9.17 MKA SAK distribution examples
- 9.17.1 Two participants
- 9.17.2 Another participant joins
- 9.18 In-service upgrades
- 9.18.1 Initiating suspension
- 9.18.2 Suspending
- 9.18.3 Suspended members
- 9.18.4 Resuming operation
- 9.18.5 XPN support
- 9.18.6 Managing in-service upgrades
- 9.18.7 MKPDU application data
- 9.19 In-service upgrade examples
- 9.19.1 Requested by end station in point-to-point CA
- 9.19.2 Initiated by Key Server in point-to-point CA
- 9.19.3 Intermediate systems suspending multiple CAs
- 9.19.4 Key Server suspends in a group CA
- 10. Network announcements
- 10.1 Announcement information
- 10.2 Making and requesting announcements
- 10.3 Receiving announcements
- 10.4 Managing announcements
- 11. EAPOL PDUs
- 11.1 EAPOL PDU transmission, addressing, and protocol identification
- 11.1.1 Destination MAC address
- 11.1.2 Source MAC address
- 11.1.3 Priority
- 11.1.4 Ethertype use and encoding
- 11.2 Representation and encoding of octets
- 11.3 Common EAPOL PDU structure
- 11.3.1 Protocol Version
- 11.3.2 Packet Type
- 11.3.3 Packet Body Length
- 11.3.4 Packet Body
- 11.4 Validation of received EAPOL PDUs
- 11.5 EAPOL protocol version handling
- 11.6 EAPOL-Start
- 11.7 EAPOL-Logoff
- 11.8 EAPOL-EAP
- 11.9 EAPOL-Key
- 11.10 EAPOL-Encapsulated-ASF-Alert
- 11.11 EAPOL-MKA
- 11.11.1 MKA parameter encoding
- 11.11.2 Validation of MKPDUs
- 11.11.3 Encoding MKPDUs
- 11.11.4 Decoding MKPDUs
- 11.12 EAPOL-Announcement
- 11.12.1 Network Identity (NID) Set TLV
- 11.12.2 Access Information TLV
- 11.12.3 MACsec Cipher Suites TLV
- 11.12.4 Key Management Domain TLV
- 11.12.5 Organizationally Specific and Organizationally Specific Set TLVs
- 11.12.6 Validation of EAPOL-Announcements
- 11.12.7 Encoding EAPOL-Announcements
- 11.12.8 Decoding EAPOL-Announcements
- 11.13 EAPOL-Announcement-Req
- 12. PAE operation
- 12.1 Model of operation
- 12.2 KaY interfaces
- 12.3 CP state machine interfaces
- 12.4 CP state machine
- 12.4.1 CP state machine variables and timers
- 12.5 Logon Process
- 12.5.1 Controlling connectivity
- 12.5.2 Active and passive participation
- 12.5.3 Network Identities
- 12.5.4 Session statistics
- 12.6 CAK cache
- 12.7 Virtual port creation and deletion
- 12.8 EAPOL Transmit and Receive Process
- 12.8.1 EAPOL frame reception statistics
- 12.8.2 EAPOL frame reception diagnostics
- 12.8.3 EAPOL frame transmission statistics
- 12.9 PAE management
- 12.9.1 System level PAE management
- 12.9.2 Identifying PAEs and their capabilities
- 12.9.3 Initialization
- 13. PAE MIB
- 13.1 The Internet Standard Management Framework
- 13.2 Structure of the MIB
- 13.3 Relationship to other MIBs
- 13.3.1 System MIB Group
- 13.3.2 Relationship to the Interfaces MIB
- 13.3.3 Relationship to the MAC Security MIB
- 13.4 Security considerations
- 13.5 Definitions for PAE MIB
- 14. YANG Data Model
- 14.1 PAE management using YANG
- 14.2 Security considerations
- 14.3 802.1X YANG model structure
- 14.4 Relationship to other YANG data models
- 14.4.1 General
- 14.4.2 Relationship to the System Management YANG model
- 14.4.3 Relationship to the Interface Management YANG model
- 14.4.4 The Interface Stack Models
- 14.5 Definition of the IEEE 802.1X YANG data model
- 14.5.1 ieee802-dot1x YANG tree schema
- 14.5.2 ieee802-dot1x-types YANG module
- 14.5.3 ieee802-dot1x YANG module definition
- 14.6 YANG data model use in network access control applications
- 14.6.1 General
- 14.6.2 Host access with a physically secure point-to-point LAN (7.1)
- 14.6.3 Network access point supporting a physically secure point-to-point LAN (7.1)
- 14.6.4 Network access point supporting MACsec on a point-to-point LAN (7.3)
- 14.6.5 Network access point supporting MACsec on a multi-access LAN (7.5)
- 14.6.6 Network access point supporting MACsec over LAG (11.5 of IEEE Std 802.1AE-2018)
- Annex A (normative) PICS proforma
- A.1 Introduction
- A.2 Abbreviations and special symbols
- A.3 Instructions for completing the PICS proforma
- A.4 PICS proforma for IEEE 802.1X
- A.5 Major capabilities and options
- A.6 PAE requirements and options
- A.7 Supplicant requirements and options
- A.8 Authenticator requirements and options
- A.9 MKA requirements and options
- A.10 Announcement transmission requirements
- A.11 Announcement reception requirements
- A.12 Management and remote management
- A.13 Virtual ports
- A.14 PAC
- A.15 YANG requirements and options
- Annex B (informative) Bibliography
- Annex C (normative) State diagram notation
- Annex D (informative) IEEE 802.1X EAP and RADIUS usage guidelines
- D.1 EAP Session-Id
- D.2 RADIUS Attributes for IEEE 802 Networks
- Annex E (informative) Support for 'Wake-on-LAN' protocols
- Annex F (informative) Unsecured multi-access LANs
- Annex G (informative) Test vectors
- G.1 KDF
- G.2 CAK Key Derivation
- G.3 CKN Derivation
- G.4 KEK Derivation
- G.5 ICK Derivation
- G.6 SAK Derivation
- Back Cover