Reference number ISO/IEC/IEEE 8802-1X:2013(E)

INTERNATIONAL STANDARD ISO/IEC/IEEE 8802-1X
First edition 2013-12-01

Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Part 1X: Port-based network access control

(French title: Technologies de l'information - Télécommunications et échange d'information entre systèmes - Réseaux locaux et métropolitains - Partie 1X: Contrôle d'accès au réseau basé sur le port)

COPYRIGHT PROTECTED DOCUMENT
© IEEE 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without permission in writing from ISO, IEC or IEEE at the respective address below.

ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
E-mail inmail@iec.ch
Web www.iec.ch

Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York
NY 10016-5997, USA
E-mail stds.ipr@ieee.org
Web www.ieee.org

Published in Switzerland

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards through a consensus development process, approved by the American National Standards Institute, which brings together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers are not necessarily members of the Institute and serve without compensation. While the IEEE administers the process and establishes rules to promote fairness in the consensus development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of the information contained in its standards.

The main task of ISO/IEC JTC 1 is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is called to the possibility that implementation of this standard may require the use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. ISO/IEEE is not responsible for identifying essential patents or patent claims for which a license may be required, for conducting inquiries into the legal validity or scope of patents or patent claims or determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance or a Patent Statement and Licensing Declaration Form, if any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from ISO or the IEEE Standards Association.

ISO/IEC/IEEE 8802-1X was prepared by the LAN/MAN Standards Committee of the IEEE Computer Society (as IEEE Std 802.1X-2010). It was adopted by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in parallel with its approval by the ISO/IEC national bodies, under the "fast-track procedure" defined in the Partner Standards Development Organization cooperation agreement between ISO and IEEE. IEEE is responsible for the maintenance of this document with participation and input from ISO/IEC national bodies.

ISO/IEC/IEEE 8802 consists of the following parts, under the general title Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks:

- Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications
- Part 1X: Port-based network access control
- Part 1AE: Media access control (MAC) security
- Part 15-4: Wireless medium access control (MAC) and physical layer (PHY) specifications for low-rate wireless personal area networks (WPANs)
IEEE Std 802.1X-2010
(Revision of IEEE Std 802.1X-2004)

IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control

Sponsor
LAN/MAN Standards Committee
of the
IEEE Computer Society

Approved 2 February 2010
IEEE-SA Standards Board

Abstract: Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. This standard specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method-independent protocols that are used to discover and establish the security associations used by IEEE 802.1AE MAC Security.

Keywords: access control, authentication, authorization, controlled port, key agreement, LANs, local area networks, MAC security, MAC Service, MANs, metropolitan area networks, port-based network access control, secure association, security, service access point, uncontrolled port

The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA

Copyright © 2010 by the Institute of Electrical and Electronics Engineers, Inc.
All rights reserved. Published 5 February 2010. Printed in the United States of America.

IEEE and 802 are registered trademarks in the U.S. Patent & Trademark Office. Copyright Clearance Center: +1 978 750 8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.
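The controlled and uncontrolled ports named in the abstract's keywords are the mechanism the whole standard is built on: EAPOL is always accepted on the uncontrolled port so that authentication can run, and every other frame is gated by the controlled port's authorized state. The Python model below is an added example, not code from the standard or from any implementation. The PAE EtherType, the PAE group address and the EAPOL packet-type values are the ones IEEE 802.1X defines; the port logic is a deliberate simplification (one Supplicant on a point-to-point port, no timers, no EAP method handling) and every frame is constructed in the block itself.

```python
"""Model of an IEEE 802.1X Authenticator port: EAPOL demultiplexing on the
uncontrolled port and the open/closed gate of the controlled port.
Added example, not text or code from the standard; all frames are constructed."""
import struct
from dataclasses import dataclass, field
from typing import List

EAPOL_ETHERTYPE = 0x888E                              # PAE EtherType (IEEE 802.1X)
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")     # Nearest non-TPMR Bridge group address
SUPPLICANT_MAC = bytes.fromhex("0011223344aa")        # constructed address for the demo
# EAPOL Packet Type values; 5 (EAPOL-MKA) is one of the PDUs added in the 2010 edition.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 5: "EAPOL-MKA"}


def parse_eapol(payload: bytes):
    """Parse the EAPOL header (Protocol Version, Packet Type, Packet Body Length).
    Frames are often padded to the Ethernet minimum; only `length` bytes are body.
    The version is returned but not used to reject frames."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unsupported EAPOL packet type {ptype}")
    if len(payload) - 4 < length:
        raise ValueError("EAPOL body shorter than Packet Body Length")
    return version, EAPOL_TYPES[ptype], payload[4:4 + length]


@dataclass
class AuthenticatorPort:
    """One point-to-point port (simplified). `authorized` is the controlled-port
    state that the port access controller sets from the EAP outcome; PACP itself
    never looks inside EAP methods."""
    authorized: bool = False
    events: List[str] = field(default_factory=list)

    def receive(self, raw: bytes) -> str:
        if len(raw) < 14:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack("!H", raw[12:14])
        if ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAPOL is always accepted so authentication can run.
            _version, ptype, body = parse_eapol(raw[14:])
            return self._pacp(ptype, body)
        # Controlled port: every other EtherType is gated on the authorized state.
        # Caveat: the gate is per port, not per device; without MACsec a second
        # host on the same link rides along once the port is authorized.
        return "forwarded" if self.authorized else "dropped"

    def _pacp(self, ptype: str, body: bytes) -> str:
        if ptype == "EAPOL-Start":
            self.authorized = False
            return "eap-request-identity"      # authenticator answers with EAP-Request/Identity
        if ptype == "EAPOL-Logoff":
            # Carries no authentication of its own: on a shared medium it is a cheap DoS.
            self.authorized = False
            return "unauthorized"
        if ptype == "EAP-Packet":
            note = f"eap code={body[0]} id={body[1]}" if len(body) >= 4 else "eap (truncated)"
            self.events.append(note)
            return "relayed-to-eap"            # handed to the EAP state machine / AAA server
        return ptype.lower()                   # EAPOL-Key, EAPOL-MKA: not modelled here

    def eap_result(self, success: bool) -> None:
        """Outcome reported by the EAP layer (e.g. EAP-Success after an AAA accept)."""
        self.authorized = success


def eapol_frame(ptype: int, body: bytes = b"", version: int = 3) -> bytes:
    """Constructed EAPOL frame from the supplicant to the PAE group address, padded to 60 bytes."""
    frame = (PAE_GROUP_ADDRESS + SUPPLICANT_MAC + struct.pack("!H", EAPOL_ETHERTYPE)
             + struct.pack("!BBH", version, ptype, len(body)) + body)
    return frame.ljust(60, b"\x00")            # 60 bytes + 4-byte FCS = minimum Ethernet frame


def data_frame() -> bytes:
    """Constructed IPv4 broadcast frame; stands in for any non-EAPOL traffic."""
    return bytes.fromhex("ffffffffffff") + SUPPLICANT_MAC + struct.pack("!H", 0x0800) + bytes(46)


def demo() -> List[str]:
    port = AuthenticatorPort()
    identity = struct.pack("!BBH", 2, 1, 10) + b"\x01alice"   # EAP Response, id 1, Type 1 (Identity)
    decisions = [
        port.receive(data_frame()),                           # controlled port closed
        port.receive(eapol_frame(1)),                         # EAPOL-Start
        port.receive(eapol_frame(0, identity)),               # EAP-Response/Identity, uncontrolled port
    ]
    port.eap_result(True)                                     # EAP method succeeded
    decisions.append(port.receive(data_frame()))              # now forwarded
    decisions.append(port.receive(eapol_frame(2)))            # EAPOL-Logoff
    decisions.append(port.receive(data_frame()))              # closed again
    return decisions


if __name__ == "__main__":
    print(demo())
```

Running it shows the same data frame being dropped, forwarded and dropped again as the port moves through Start, EAP success and Logoff. The two comments in `receive` and `_pacp` are the practical caveats: neither EAPOL nor the authorized state protects the frames that follow authentication, which is exactly what the MKA and MACsec (IEEE 802.1AE) provisions of this edition add on top of the port gate.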
Introduction

(This introduction is not part of IEEE Std 802.1X-2010, IEEE Standard for Local and Metropolitan Area Networks - Port-Based Network Access Control.)

Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports.

The first edition of IEEE Std 802.1X was published in 2001. The second edition, IEEE Std 802.1X-2004, clarified areas related to mutual authentication and the interface between the state machines specified by IEEE 802.1X and those specified by the Extensible Authentication Protocol (EAP), and by IEEE Std 802.11 in support of IEEE Std 802.1X.

Work on this edition, IEEE Std 802.1X-2010, began as IEEE P802.1af, an amendment to specify authenticated key agreement in support of IEEE 802.1AE MAC Security. Part of that work clarified and generalized the relationship between the common architecture specified for port-based network access control and the functional elements and protocols that support that architecture as specified in IEEE Std 802.1X, other IEEE 802 Standards, and in IETF RFCs. The extent of the changes necessary to IEEE Std 802.1X-2004 made it appropriate to revise IEEE Std 802.1X as a whole. Further changes updated the standard to reflect best current practice, insisting, for example, upon mutual authentication methods and using such methods in examples. A greater emphasis is placed on the security of systems accessing the network, as well as upon the security of the network accessed, and some prior provisions, such as the controlled directions parameters, have been removed and replaced with a more comprehensive treatment of segregating and limiting connectivity to unauthenticated systems.

Every effort has been made to maintain interoperability, without prior configuration, with implementations conforming to IEEE Std 802.1X-2004 and IEEE Std 802.1X-2001. However, it is anticipated that claims of conformance in respect of some existing implementations will continue to refer to IEEE Std 802.1X-2004. Changes to the functionality provided by that prior edition and its documentation include those detailed in the following paragraph.

This edition, IEEE Std 802.1X-2010, describes applications of port-based network access control that use IEEE 802.1AE MAC Security (MACsec) and/or MKA (MACsec Key Agreement protocol) as well as those previously supported. The specification of the use of EAP for authentication has been updated, enforcing a stricter separation between the port access control protocol (PACP), local to the Supplicant and Authenticator, and the EAP state machines proper. Details of particular EAP methods are no longer interpreted by the PACP machines. The existing EAPOL (EAP over LANs) PDU formats have not been modified, but additional EAPOL PDUs have been added to support MKA and the specification of EAPOL improved. The bibliography, previously Annex F, has been moved to Annex B. The discussions previously in Annex B and Annex C have been updated and integrated into the main body of the standard. The state machine diagram and language conventions, now used by a number of clauses in the standard, have been moved to a new Annex C.

Notice to users

Laws and regulations

Users of these documents should consult all applicable laws and regulations. Compliance with the provisions of this standard does not imply compliance to any applicable regulatory requirements. Implementers of the standard are responsible for observing or referring to the applicable regulatory requirements. IEEE does not, by the publication of its standards, intend to urge action that is not in compliance with applicable laws, and these documents may not be construed as doing so.

Copyrights

This document is copyrighted by the IEEE. It is made available for a wide variety of both public and private uses. These include both use, by reference, in laws and regulations, and use in private self-regulation, standardization, and the promotion of engineering practices and methods. By making this document available for use and adoption by public authorities and private users, the IEEE does not waive any rights in copyright to this document.

Updating of IEEE documents

Users of IEEE standards should be aware that these documents may be superseded at any time by the issuance of new editions or may be amended from time to time through the issuance of amendments, corrigenda, or errata. An official IEEE document at any point in time consists of the current edition of the document together with any amendments, corrigenda, or errata then in effect. In order to determine whether a given document is the current edition and whether it has been amended through the issuance of amendments, corrigenda, or errata, visit the IEEE Standards Association website at http://ieeexplore.ieee.org/xpl/standards.jsp, or contact the IEEE at the address listed previously.

For more information about the IEEE Standards Association or the IEEE standards development process, visit the IEEE-SA website at http://standards.ieee.org.

Errata

Errata, if any, for this and all other standards can be accessed at the following URL: http://standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL for errata periodically.

Interpretations

Current interpretations can be accessed at the following URL: http://standards.ieee.org/reading/ieee/interp/index.html.

Patents

Attention is called to the possibility that implementation of this amendment may require use of subject matter covered by patent rights. By publication of this amendment, no position is taken with respect to the existence or validity of any patent rights in connection therewith. The IEEE is not responsible for identifying Essential Patent Claims for which a license may be required, for conducting inquiries into the legal validity or scope of Patents Claims or determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance, if any, or in any licensing agreements are reasonable or non-discriminatory. Users of this amendment are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from the IEEE Standards Association.