Chapter 65 Β· Flashcards

Port Security Flashcards

Click any card to reveal its definition.

0 / 10 flipped
Port Security
Tap to reveal
Authentication controls applied to individual switch interfaces and wireless access point connections that prevent any device from accessing network resources until it has successfully authenticated. Works on both wired and wireless. The underlying framework is EAP; the access control standard is IEEE 802.1X. Physical connectivity alone is not sufficient β€” the device must also prove its identity before the port opens for normal traffic.
EAP β€” Extensible Authentication Protocol
Tap to reveal
An authentication framework that defines how authentication information is carried between a client and an authentication server, without prescribing any single authentication method. EAP is flexible: many methods (certificate-based, password-based, tunneled) can be encapsulated inside it. Integrates with 802.1X to enforce network access control. The method used determines whether a certificate, password, or other credential is required.
IEEE 802.1X
Tap to reveal
The IEEE standard for Port-based Network Access Control (NAC). Enforces a single rule: no device gets normal network access until authentication succeeds. The port is held in a blocked state (EAP messages only) until the authenticator receives an Access-Accept from the authentication server. Works on both wired switch ports and wireless access points. EAP carries the authentication credentials; 802.1X enforces the access decision.
Supplicant
Tap to reveal
The client device requesting network access in an 802.1X exchange. It provides credentials (username/password, certificate, or other) in response to authentication challenges from the authenticator. Examples: employee laptop, smartphone, workstation, IoT device. 802.1X supplicant software is built into Windows, macOS, iOS, and Android. The supplicant does not control port state β€” it only provides credentials.
Authenticator
Tap to reveal
The network device (switch or wireless access point) that controls access to the network in 802.1X. It intercepts the supplicant's connection, blocks the port for normal traffic, challenges the supplicant for credentials, relays those credentials to the authentication server, and then opens or keeps closed the port based on the server's decision. The authenticator does NOT validate credentials β€” it is a relay and enforcer, not a validator. All credential intelligence is in the authentication server.
Authentication Server
Tap to reveal
The back-end system that validates credentials supplied by the supplicant. Compares credentials against an identity database (Active Directory, LDAP directory, RADIUS database) and returns Access-Accept or Access-Reject to the authenticator. Typically implemented as a RADIUS server integrated with Active Directory. The only component in 802.1X that knows whether credentials are valid. Centralizes authentication intelligence β€” thousands of switches and APs defer to this single authority.
RADIUS in 802.1X
Tap to reveal
The protocol used by the authenticator (switch/AP) to communicate with the authentication server. Handles Authentication (credential verification), Authorization (what access should this device get β€” including VLAN assignment), and Accounting (log the connection event: who, where, when, how long). The RADIUS server validates credentials against Active Directory or LDAP. A single RADIUS server can serve thousands of switches and access points, enabling enterprise-wide centralized authentication policy management.
EAP-TLS
Tap to reveal
The most secure EAP method β€” mutual certificate-based authentication. Both the client device and the authentication server present digital certificates. Client verifies the server's certificate; server verifies the client's certificate. No password is ever transmitted. Strongest authentication because it verifies device identity (not just user credentials). Deployment cost: every client device needs a certificate from an internal CA (PKI required). Best for high-security environments where device-level identity matters as much as user identity.
PEAP β€” Protected EAP
Tap to reveal
The most widely deployed enterprise EAP method. Creates a TLS-encrypted tunnel using only a server certificate (no client certificate required), then carries an inner MSCHAPv2 (username/password) authentication inside the tunnel. User credentials are never exposed in plaintext. Natively supported by Windows, macOS, iOS, and Android β€” no additional supplicant software needed. Lower deployment complexity than EAP-TLS (no client certs). Trade-off: authenticates the user by password β€” does not verify the device independently of the user.
MAC Authentication Bypass (MAB)
Tap to reveal
A fallback mechanism for devices that cannot support 802.1X supplicant software (legacy printers, IP cameras, embedded systems). The switch sends the device's MAC address to the RADIUS server as the authentication credential. RADIUS checks it against a list of pre-approved MAC addresses β€” if matched, returns Access-Accept. Weaker than EAP because MAC addresses can be spoofed. Should be used only for devices that genuinely cannot do 802.1X, combined with VLAN segmentation to limit what MAB devices can access.