Imagine an exclusive club with a bouncer. 802.1x is like a fancy way for the club (your network) to check if someone (a device) trying to enter is really on the guest list (authorized). Here's the breakdown:
- Bouncer (Authenticator): This is a device like a switch or router that controls access to the network.
- Guest List (Authentication Server): This is a central database that stores who is allowed on the network (usernames, passwords, etc.).
- Secret Handshake (EAP): This is a secure conversation between the device and the authenticator to prove its identity.
- Device asks to join: A device trying to connect to the network sends a request.
- Bouncer challenges: The authenticator stops the device and asks it to prove it belongs.
- Secret handshake: The device uses EAP to talk to the authentication server and prove its identity (using username/password, certificate, etc.).
- Bouncer checks list: The authentication server checks the guest list and tells the authenticator if the device is allowed.
- Access granted (or denied): If authorized, the device gets access to the network. If not, it's denied entry.
Sticking MAC Addresses to Ports (sort of)
MAC addresses are unique identifiers for devices, like a fingerprint for your network card. You might think of "sticking" a MAC address to a port like assigning a seat at the club to a specific person. This is called MAC Authentication.
However, it's not as secure as 802.1x. Anyone can spoof (fake) a MAC address, so it's like showing a fake ID to get in. 802.1x is better because it checks with a central list, making it harder to cheat.
- MAC Authentication: Like giving a club regular a specific bar stool, but anyone can wear a disguise and try to claim it.
- 802.1x: Like having the bouncer check IDs before letting anyone sit at any stool.
While MAC Authentication can be used with 802.1x for extra security, 802.1x with username/password or certificates is generally more secure.
802.1x itself doesn't have a limit on the number of MAC addresses it can handle. It's a protocol for device authentication, not a mechanism for limiting access based on the number of devices.
Port Security: This feature, often used in conjunction with 802.1x, allows you to set a maximum number of allowed MAC addresses on a specific switch port.
- 802.1x Authentication: This verifies the identity of a device trying to connect to the network. It uses a secure "handshake" with a central server to confirm if the device is authorized.
- Port Security with MAC Limit: This adds another layer of control on individual switch ports. You can configure a maximum number of allowed MAC addresses. When a device attempts to connect, the switch checks its MAC address against the list. If the address is authorized (either pre-configured or learned through dynamic sticky MAC), and there's space under the limit, the device connects. If the limit is reached or the address isn't authorized, the device is denied access.
Dynamic Sticky MAC with Port Security:
- This combines automatic learning of authorized devices (dynamic sticky MAC) with a limit on the number of allowed addresses (port security).
- When a new device with valid credentials connects via 802.1x, its MAC address is learned if the port allows dynamic sticky MAC.
- This allows the device to connect again in the future, even if it isn't pre-configured on the list, as long as it stays within the port's MAC limit.
- 802.1x authenticates devices; it does not limit how many MAC addresses may connect.
- Port Security with a MAC limit restricts the number of devices connecting to a specific port.
- Dynamic Sticky MAC automates learning authorized devices within the port security limit.
- 802.1x is the bouncer checking IDs at the door.
- Port security is the door itself, with a capacity limit.
- Dynamic sticky MAC remembers past guests who showed valid IDs (within the door's capacity).
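To make the admission rules above concrete, here is an added, simplified Python model (not from the original text or any switch vendor) of one port running 802.1x in front of port security with a MAC limit and dynamic sticky learning; the class, method names and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    """Hypothetical model of a switch port: 802.1x gate first, then port
    security with a MAC limit and dynamic sticky learning (simplified)."""
    maximum: int = 1                                 # port-security MAC limit
    allowed: set = field(default_factory=set)        # pre-configured or sticky-learned MACs
    violations: int = 0                              # count of limit violations seen

    def admit(self, mac: str, dot1x_ok: bool) -> str:
        """Decide whether a frame from `mac` gets onto the network.

        Returns one of: 'denied-dot1x', 'allowed', 'learned', 'denied-limit'.
        """
        # The bouncer: without a successful 802.1x exchange nothing else matters.
        if not dot1x_ok:
            return "denied-dot1x"
        # The door: port security checks the MAC against this port's list.
        if mac in self.allowed:
            return "allowed"                         # remembered guest
        if len(self.allowed) < self.maximum:
            self.allowed.add(mac)                    # dynamic sticky: remember it
            return "learned"
        # Capacity reached and the address is not on the list: violation.
        self.violations += 1
        return "denied-limit"


def demo() -> list:
    """Walk a port with a two-address limit through a constructed sequence."""
    port = SecuredPort(maximum=2)
    events = [
        ("aa:bb:cc:00:00:01", True),    # first authenticated device: learned
        ("aa:bb:cc:00:00:02", True),    # second: learned, limit now reached
        ("aa:bb:cc:00:00:01", True),    # returning device: allowed, nothing to learn
        ("aa:bb:cc:00:00:03", True),    # valid credentials, but the door is full
        ("aa:bb:cc:00:00:04", False),   # failed 802.1x: denied before MAC is checked
    ]
    return [port.admit(mac, ok) for mac, ok in events]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fourth event shows why the summary says 802.1x "does not limit" devices while port security does: the credentials are fine, the seat count is what denies it.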
Remember, even with dynamic sticky MAC and port security, it's crucial to use strong authentication methods like 802.1x with usernames/passwords or certificates for a robust network defence.