IEEE/ISO/IEC Information technology -- Telecommunications and information exchange between systems -- Local and metropolitan area networks -- Part 1X: Port-based network access control, 2013
- ISO/IEC/IEEE 8802-1X-2013 Front Cover
- IEEE Std 802.1X-2010 Front cover
- Title page
- Introduction
- Notice to users
- Laws and regulations
- Copyrights
- Updating of IEEE documents
- Errata
- Interpretations
- Patents
- Contents
- List of figures
- List of tables
- Important notice
- 1. Overview
- 1.1 Scope
- 1.2 Purpose
- 1.3 Introduction
- 1.4 Provisions of this standard
- 2. Normative references
- 3. Definitions
- 4. Acronyms and abbreviations
- 5. Conformance
- 5.1 Requirements terminology
- 5.2 Protocol Implementation Conformance Statement
- 5.3 Conformant systems and system components
- 5.4 PAE requirements
- 5.5 PAE options
- 5.6 Supplicant requirements
- 5.7 Supplicant options
- 5.7.1 Integration with IEEE Std 802.1AR
- 5.8 Authenticator requirements
- 5.9 Authenticator options
- 5.9.1 Integration with IEEE Std 802.1AR
- 5.10 MKA requirements
- 5.11 MKA options
- 5.11.1 Support for PSKs
- 5.11.2 Key Server support for Group CAs
- 5.11.3 CAK Cache
- 5.12 Virtual port requirements
- 5.13 Virtual port options
- 5.14 Announcement transmission requirements
- 5.15 Announcement transmission options
- 5.16 Announcement reception requirements
- 5.17 Announcement reception options
- 5.18 Requirements for SNMP access to the PAE MIB
- 5.19 Options for SNMP access to the PAE MIB
- 5.20 PAC requirements
- 5.21 System recommendations
- 5.22 Prohibitions
- 6. Principles of port-based network access control operation
- 6.1 Port-based network access control architecture
- 6.2 Key hierarchy
- 6.2.1 Key derivation function (KDF)
- 6.2.2 Using EAP for CAK key derivation
- 6.2.3 CAK caching and scope
- 6.2.4 Algorithm agility
- 6.3 Port Access Entity (PAE)
- 6.3.1 Authentication exchanges
- 6.3.2 Key agreement
- 6.3.3 Pre-shared keys
- 6.3.4 Interoperability and connectivity
- 6.3.5 Network announcements, identity, authentication requirements, and status
- 6.3.6 Multi-access LANs
- 6.4 Port Access Controller (PAC)
- 6.4.1 Uncontrolled Port transmission and reception
- 6.4.2 Controlled Port transmission and reception
- 6.4.3 PAC management
- 6.5 Link aggregation
- 6.6 Use of this standard by IEEE Std 802.11
- 7. Port-based network access control applications
- 7.1 Host access with physically secure LANs
- 7.1.1 Assumptions and requirements
- 7.1.2 System configuration and operation
- 7.1.3 Connectivity to unauthenticated systems
- 7.2 Infrastructure support with physically secure LANs
- 7.2.1 Assumptions and requirements
- 7.2.2 System configuration and operation
- 7.3 Host access with MACsec and point-to-point LANs
- 7.3.1 Assumptions and requirements
- 7.3.2 System configuration and operation
- 7.3.3 Connectivity to unauthenticated systems
- 7.4 Use with MACsec to support infrastructure LANs
- 7.4.1 Assumptions and requirements
- 7.4.2 System configuration and operation
- 7.4.3 Connectivity to unauthenticated systems
- 7.5 Host access with MACsec and a multi-access LAN
- 7.5.1 Assumptions and requirements
- 7.5.2 System configuration and operation
- 7.5.3 Connectivity to unauthenticated systems
- 7.6 Group host access with MACsec
- 7.6.1 Assumptions and requirements
- 7.6.2 System configuration and operation
- 7.7 Use with MACsec to support virtual shared media infrastructure LANs
- 7.7.1 Assumptions and requirements
- 7.7.2 System configuration and operation
- 8. Authentication using EAP
- 8.1 PACP Overview
- 8.2 Example EAP exchanges
- 8.3 PAE higher layer interface
- 8.4 PAE Client interface
- 8.5 EAPOL transmit and receive
- 8.6 Supplicant and Authenticator PAE timers
- 8.7 Supplicant PACP state machine, variables, and procedures
- 8.8 Supplicant PAE counters
- 8.9 Authenticator PACP state machine, variables, and procedures
- 8.10 Authenticator PAE counters
- 8.11 EAP methods
- 8.11.1 MKA and EAP methods
- 8.11.2 Integration with IEEE Std 802.1AR and EAP methods
- 9. MACsec Key Agreement protocol (MKA)
- 9.1 Protocol design requirements
- 9.2 Protocol support requirements
- 9.2.1 Random number generation
- 9.2.2 SC identification
- 9.3 MKA key hierarchy
- 9.3.1 CAK identification
- 9.3.2 CAK Independence
- 9.3.3 Derived keys
- 9.4 MKA transport
- 9.4.1 Message authentication
- 9.4.2 Member identification and message numbers
- 9.4.3 Determining liveness
- 9.4.4 MKPDU information elements and application data
- 9.4.5 Addressing
- 9.5 Key server election
- 9.5.1 MKPDU application data
- 9.6 Use of MACsec
- 9.6.1 MKPDU application data
- 9.7 Cipher suite selection
- 9.7.1 MKPDU application data
- 9.8 SAK generation, distribution, and selection
- 9.8.1 SAK generation
- 9.8.2 Use of AES Key Wrap
- 9.8.3 MKPDU application data
- 9.9 SA assignment
- 9.9.1 MKPDU application data
- 9.10 SAK installation and use
- 9.10.1 MKPDU application data
- 9.11 Connectivity change detection
- 9.12 CA formation and group CAK distribution
- 9.12.1 Use of AES Key Wrap
- 9.12.2 MKPDU application data
- 9.13 Secure announcements
- 9.13.1 MKPDU application data
- 9.14 MKA participant creation and deletion
- 9.15 MKA participant timer values
- 9.16 MKA management
- 9.17 MKA SAK distribution examples
- 9.17.1 Two participants
- 9.17.2 Another participant joins
- 10. Network announcements
- 10.1 Announcement information
- 10.2 Making and requesting announcements
- 10.3 Receiving announcements
- 10.4 Managing announcements
- 11. EAPOL PDUs
- 11.1 EAPOL PDU transmission, addressing, and protocol identification
- 11.1.1 Destination MAC address
- 11.1.2 Source MAC address
- 11.1.3 Priority
- 11.1.4 Ethertype use and encoding
- 11.2 Representation and encoding of octets
- 11.3 Common EAPOL PDU structure
- 11.3.1 Protocol Version
- 11.3.2 Packet Type
- 11.3.3 Packet Body Length
- 11.3.4 Packet Body
- 11.4 Validation of received EAPOL PDUs
- 11.5 EAPOL protocol version handling
- 11.6 EAPOL-Start
- 11.7 EAPOL-Logoff
- 11.8 EAPOL-EAP
- 11.9 EAPOL-Key
- 11.10 EAPOL-Encapsulated-ASF-Alert
- 11.11 EAPOL-MKA
- 11.11.1 MKA parameter encoding
- 11.11.2 Validation of MKPDUs
- 11.11.3 Encoding MKPDUs
- 11.11.4 Decoding MKPDUs
- 11.12 EAPOL-Announcement
- 11.12.1 Network Identity (NID) Set TLV
- 11.12.2 Access Information TLV
- 11.12.3 MACsec Cipher Suites TLV
- 11.12.4 Key Management Domain TLV
- 11.12.5 Organizationally Specific and Organizationally Specific Set TLVs
- 11.12.6 Validation of EAPOL-Announcements
- 11.12.7 Encoding EAPOL-Announcements
- 11.12.8 Decoding EAPOL-Announcements
- 11.13 EAPOL-Announcement-Req
- 12. PAE operation
- 12.1 Model of operation
- 12.2 KaY interfaces
- 12.3 CP state machine interfaces
- 12.4 CP state machine
- 12.4.1 CP state machine variables and timers
- 12.5 Logon Process
- 12.5.1 Session statistics
- 12.6 CAK cache
- 12.7 Virtual port creation and deletion
- 12.8 EAPOL Transmit and Receive Process
- 12.8.1 EAPOL frame reception statistics
- 12.8.2 EAPOL frame reception diagnostics
- 12.8.3 EAPOL frame transmission statistics
- 12.9 PAE management
- 12.9.1 System level PAE management
- 12.9.2 Identifying PAEs and their capabilities
- 12.9.3 Initialization
- 13. PAE MIB
- 13.1 The Internet Standard Management Framework
- 13.2 Structure of the MIB
- 13.3 Relationship to other MIBs
- 13.3.1 System MIB Group
- 13.3.2 Relationship to the Interfaces MIB
- 13.3.3 Relationship to the MAC Security MIB
- 13.4 Security considerations
- 13.5 Definitions for PAE MIB
- Annex A (normative) PICS proforma
- A.1 Introduction
- A.2 Abbreviations and special symbols
- A.3 Instructions for completing the PICS proforma
- A.4 PICS proforma for IEEE 802.1X
- A.5 Major capabilities and options
- A.6 PAE requirements and options
- A.7 Supplicant requirements and options
- A.8 Authenticator requirements and options
- A.9 MKA requirements and options
- A.10 Announcement transmission requirements
- A.11 Announcement reception requirements
- A.12 Management and remote management
- A.13 Virtual ports
- A.14 PAC
- Annex B (informative) Bibliography
- Annex C (normative) State diagram notation
- Annex D (normative) Basic architectural concepts and terms
- D.1 Protocol entities, peers, layers, services, and clients
- D.2 Service interface primitives, parameters, and frames
- D.3 Layer management interfaces
- D.4 Service access points, interface stacks, and ports
- D.5 Media independent protocols and shims
- D.6 MAC Service clients
- D.7 Stations and systems
- D.8 Connectionless connectivity and connectivity associations
- Annex E (informative) IEEE 802.1X EAP and RADIUS usage guidelines
- E.1 EAP Session-Id
- E.2 RADIUS Attributes for IEEE 802 Networks
- Annex F (informative) Support for ‘Wake-on-LAN’ protocols
- Annex G (informative) Unsecured multi-access LANs
- Annex H (informative) Test vectors
- H.1 KDF
- H.2 CAK Key Derivation
- H.3 CKN Derivation
- H.4 KEK Derivation
- H.5 ICK Derivation
- H.6 SAK Derivation
- Annex I (informative) IEEE list of participants