Which protocol provides port-based access control and authentication?
IEEE 802.1X provides port-based access control and authentication.
IEEE 802.1X is a client-server access control model with three roles: the supplicant (the station requesting access), the authenticator (the switch) and the authentication server. When IEEE 802.1X is enabled on a switch interface, the interface stays in the unauthorized state until the attached station has been authenticated. Until then, the only traffic accepted from the station is:
EAP-over-LAN (EAPOL, EtherType 0x888E). Every other frame the station sends is dropped; Cisco switches additionally pass CDP and STP on an unauthorized port, but no user data.
The supplicant PAE (Port Access Entity) sends EAPOL frames requesting access to the LAN through the switch port. The switch, acting as authenticator, processes the EAPOL frames from the port-attached supplicant PAE and relays the EAP exchange to the authentication server as RADIUS requests. The only supported authentication server is a Remote Authentication Dial-In User Service (RADIUS) server with EAP extensions. The authentication server verifies the identity of the client (the supplicant PAE) and returns either an Access-Accept or an Access-Reject. On Access-Accept the port moves to the authorized state and the switch sends and receives all frames on it; on Access-Reject the port stays unauthorized and only EAPOL frames continue to be processed. The same holds when the RADIUS server cannot be reached at all, so plan a fallback before enforcing 802.1X on user ports. When the client is finished with the connection it sends an EAPOL-Logoff, and the switch port returns to the unauthorized state.
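The port state machine described above, written out as an added example (this is not code from the original page or from Cisco). It models one authenticator port: raw Ethernet frames are parsed, non-EAPOL frames are dropped while the port is unauthorized, EAPOL-Start triggers an EAP-Request/Identity, the EAP-Response/Identity is handed to a stand-in RADIUS callable that returns Accept or Reject, and EAPOL-Logoff returns the port to the unauthorized state. The MAC addresses, the user name and the RADIUS decision function are constructed for the demo; the real exchange continues with an EAP method (for example PEAP or EAP-TLS) after the identity step, which this model collapses into a single accept/reject decision.

```python
"""Toy model of an IEEE 802.1X authenticator port (added example, not from the page)."""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE = 1, 2                        # EAP codes
EAP_TYPE_IDENTITY = 1


def parse_ethernet(frame):
    """Return (ethertype, payload); reject a frame shorter than the 14-byte header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ethertype, frame[14:]


def parse_eapol(payload):
    """EAPOL header is version(1) type(1) length(2); return (type, body)."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL length field exceeds frame")
    return ptype, body


def parse_eap(body):
    """EAP header is code(1) id(1) length(2) type(1); return (code, id, type, data)."""
    if len(body) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", body[:5])
    return code, ident, eap_type, body[5:length]


class AuthenticatorPort:
    """One switch port in the authenticator role. `radius` stands in for the
    RADIUS server: it is given the supplicant identity and returns True for
    Access-Accept or False for Access-Reject (constructed stand-in)."""

    def __init__(self, radius):
        self.radius = radius
        self.authorized = False
        self.forwarded = []           # data frames passed on to the LAN
        self.sent_to_supplicant = []  # what the authenticator answered with

    def receive(self, frame):
        ethertype, payload = parse_ethernet(frame)
        if ethertype != ETHERTYPE_EAPOL:
            if self.authorized:
                self.forwarded.append(frame)
                return "forwarded"
            return "dropped"          # unauthorized port: only EAPOL is processed
        ptype, body = parse_eapol(payload)
        if ptype == EAPOL_START:
            self.sent_to_supplicant.append("EAP-Request/Identity")
            return "identity-requested"
        if ptype == EAPOL_LOGOFF:
            self.authorized = False   # EAPOL-Logoff: back to unauthorized
            return "unauthorized"
        if ptype == EAPOL_EAP_PACKET:
            code, _ident, eap_type, data = parse_eap(body)
            if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
                identity = data.decode("utf-8", "replace")
                # The switch relays EAP to RADIUS; the server's verdict decides the port state.
                if self.radius(identity):
                    self.authorized = True
                    return "authorized"
                return "rejected"
        return "ignored"


# --- constructed frames for the demo ---------------------------------------
def eapol_frame(ptype, body=b""):
    dst = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
    src = bytes.fromhex("001122334455")   # constructed supplicant MAC
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 2, ptype, len(body)) + body


def eap_identity_response(identity, ident=1):
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data


def data_frame():
    """A constructed broadcast IPv4 frame, i.e. ordinary non-EAPOL traffic."""
    return bytes.fromhex("ffffffffffff001122334455") + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19


def demo_radius(identity):
    """Stand-in RADIUS policy: only one constructed user is known."""
    return identity == "alice@example.com"


def run_session(identity, radius=demo_radius):
    """Drive one port through the exchange and return the per-frame outcomes."""
    port = AuthenticatorPort(radius)
    return [
        port.receive(data_frame()),                                              # unauthorized: dropped
        port.receive(eapol_frame(EAPOL_START)),                                  # switch asks for identity
        port.receive(eapol_frame(EAPOL_EAP_PACKET, eap_identity_response(identity))),
        port.receive(data_frame()),                                              # forwarded only if accepted
        port.receive(eapol_frame(EAPOL_LOGOFF)),                                 # logoff
        port.receive(data_frame()),                                              # dropped again
    ]


if __name__ == "__main__":
    print(run_session("alice@example.com"))
    print(run_session("mallory"))
```

The two runs show the point of the paragraph: identical data frames are dropped before Access-Accept, forwarded after it, and dropped again after EAPOL-Logoff, while a rejected identity never opens the port.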
Below is a sample configuration to enable 802.1X authentication globally and on an interface (the RADIUS server address, key and interface name are placeholders):
switch(config)# aaa new-model
switch(config)# aaa authentication dot1x default group radius
switch(config)# radius-server host 10.1.1.5 key RadiusKey   ! placeholder server and shared secret
switch(config)# dot1x system-auth-control
switch(config)# interface GigabitEthernet1/0/1
switch(config-if)# switchport mode access
switch(config-if)# dot1x port-control auto
The aaa new-model and radius-server host lines are required: without a RADIUS server defined, the switch has nowhere to send the authentication request and the port never leaves the unauthorized state. On newer IOS releases the interface-level commands are dot1x pae authenticator and authentication port-control auto; dot1x port-control auto is the older form.
802.1w is the standard for Rapid Spanning Tree Protocol (RSTP). It is not related to port-based access control and authentication.
802.1p is a method for assigning a priority (Class of Service) to frames traversing a network. It is not related to port-based access control and authentication.
802.1Q describes VLAN tagging. It is not related to port-based access control and authentication.
Describe device security using Cisco IOS AAA with TACACS+ and RADIUS