Reference number ISO/IEC/IEEE 8802-1X:2013(E)
© IEEE 2010

INTERNATIONAL STANDARD ISO/IEC/IEEE 8802-1X
First edition 2013-12-01

Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Part 1X: Port-based network access control

Technologies de l'information - Télécommunications et échange d'information entre systèmes - Réseaux locaux et métropolitains - Partie 1X: Contrôle d'accès au réseau basé sur le port

COPYRIGHT PROTECTED DOCUMENT
© IEEE 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without permission in writing from ISO, IEC or IEEE at the respective address below.

ISO copyright office: Case postale 56, CH-1211 Geneva 20, Switzerland. Tel. +41 22 749 01 11. Fax +41 22 749 09 47. E-mail copyright@iso.org. Web www.iso.org
IEC Central Office: 3, rue de Varembé, CH-1211 Geneva 20, Switzerland. E-mail inmail@iec.ch. Web www.iec.ch
Institute of Electrical and Electronics Engineers, Inc.: 3 Park Avenue, New York, NY 10016-5997, USA. E-mail stds.ipr@ieee.org. Web www.ieee.org

Published in Switzerland

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards through a consensus development process, approved by the American National Standards Institute, which brings together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers are not necessarily members of the Institute and serve without compensation. While the IEEE administers the process and establishes rules to promote fairness in the consensus development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of the information contained in its standards.

The main task of ISO/IEC JTC 1 is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is called to the possibility that implementation of this standard may require the use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. ISO/IEEE is not responsible for identifying essential patents or patent claims for which a license may be required, for conducting inquiries into the legal validity or scope of patents or patent claims, or for determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance or a Patent Statement and Licensing Declaration Form, if any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from ISO or the IEEE Standards Association.

ISO/IEC/IEEE 8802-1X was prepared by the LAN/MAN Standards Committee of the IEEE Computer Society (as IEEE Std 802.1X-2010). It was adopted by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in parallel with its approval by the ISO/IEC national bodies, under the "fast-track procedure" defined in the Partner Standards Development Organization cooperation agreement between ISO and IEEE. IEEE is responsible for the maintenance of this document with participation and input from ISO/IEC national bodies.

ISO/IEC/IEEE 8802 consists of the following parts, under the general title Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks:
Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications
Part 1X: Port-based network access control
Part 1AE: Media access control (MAC) security
Part 15-4: Wireless medium access control (MAC) and physical layer (PHY) specifications for low-rate wireless personal area networks (WPANs)

IEEE Std 802.1X-2010 (Revision of IEEE Std 802.1X-2004)
IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control
Sponsor: LAN/MAN Standards Committee of the IEEE Computer Society
Approved 2 February 2010 by the IEEE-SA Standards Board

Abstract: Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. This standard specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method independent protocols that are used to discover and establish the security associations used by IEEE 802.1AE MAC Security.

Keywords: access control, authentication, authorization, controlled port, key agreement, LANs, local area networks, MAC security, MAC Service, MANs, metropolitan area networks, port-based network access control, secure association, security, service access point, uncontrolled port

The Institute of Electrical and Electronics Engineers, Inc., 3 Park Avenue, New York, NY 10016-5997, USA
Copyright © 2010 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved. Published 5 February 2010. Printed in the United States of America.
IEEE and 802 are registered trademarks in the U.S. Patent
+1 978 750 8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.

Introduction

Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports.

The first edition of IEEE Std 802.1X was published in 2001. The second edition, IEEE Std 802.1X-2004, clarified areas related to mutual authentication and the interface between the state machines specified by IEEE 802.1X and those specified by the Extensible Authentication Protocol (EAP), and by IEEE Std 802.11 in support of IEEE Std 802.1X.

Work on this edition, IEEE Std 802.1X-2010, began as IEEE P802.1af, an amendment to specify authenticated key agreement in support of IEEE 802.1AE MAC Security. Part of that work clarified and generalized the relationship between the common architecture specified for port-based network access control, and the functional elements and protocols that support that architecture as specified in IEEE Std 802.1X, other IEEE 802 Standards, and in IETF RFCs. The extent of the changes necessary to IEEE Std 802.1X-2004 made it appropriate to revise IEEE Std 802.1X as a whole. Further changes updated the standard to reflect best current practice, insisting, for example, upon mutual authentication methods and using such methods in examples. A greater emphasis is placed on the security of systems accessing the network, as well as upon the security of the network accessed, and some prior provisions, such as the controlled directions parameters, have been removed and replaced with a more comprehensive treatment of segregating and limiting connectivity to unauthenticated systems. Every effort has been made to maintain interoperability, without prior configuration, with implementations conforming to IEEE Std 802.1X-2004 and IEEE Std 802.1X-2001. However, it is anticipated that claims of conformance in respect of some existing implementations will continue to refer to IEEE Std 802.1X-2004. Changes to the functionality provided by that prior edition and its documentation include those detailed in the following paragraph.

This edition, IEEE Std 802.1X-2010, describes applications of port-based network access that use IEEE 802.1AE MAC Security (MACsec) and/or MKA (MACsec Key Agreement protocol) as well as those previously supported. The specification of the use of EAP for authentication has been updated, enforcing a stricter separation between the port access control protocol (PACP), local to the Supplicant and Authenticator, and the EAP state machines proper. Details of particular EAP methods are no longer interpreted by the PACP machines. The existing EAPOL (EAP over LANs) PDU formats have not been modified, but additional EAPOL PDUs have been added to support MKA, and the specification of EAPOL has been improved. The bibliography, previously Annex F, has been moved to Annex B. The discussions previously in Annex B and Annex C have been updated and integrated into the main body of the standard. The state machine diagram and language conventions, now used by a number of clauses in the standard, have been moved to a new Annex C.

Notice to users

Laws and regulations
Users of these documents should consult all applicable laws and regulations. Compliance with the provisions of this standard does not imply compliance to any applicable regulatory requirements.

This introduction is not part of IEEE Std 802.1X-2010, IEEE Standard for Local and Metropolitan Area Networks - Port-Based Network Access Control.