Issue
Does Port Based Network Access Control Ethernet 802.1x apply to Continuum controllers?
Product Line
Andover Continuum
Environment
- Continuum Ethernet Controllers
- Cyberstation
Cause
A question that may be asked by customers' IT departments.
Resolution
No. The 802.1X protocol is not applicable to controllers; it is a Port-Based Network Access Control (PBNAC) mechanism that is used by routers and computers.
It is tied to operating system user accounts and policies, so it is above and outside the scope of Continuum.
Not all devices support 802.1X authentication. Examples include some network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones. For those devices to be used in a protected network environment, alternative mechanisms must be provided to authenticate them. One option would be to disable 802.1X on that port, but that leaves the port unprotected and open to abuse. Another, slightly more reliable option is to use MAB (MAC Authentication Bypass). When MAB is configured on a port, the port first checks whether the connected device is 802.1X compliant, and if no response is received from the connected device, it tries to authenticate with the AAA server using the connected device's MAC address as both username and password. The network administrator must then make provisions on the RADIUS server to authenticate those MAC addresses, either by adding them as regular users or by implementing additional logic to resolve them in a network inventory database. Many managed Ethernet switches offer options for this.
Network Security is an available add-on option for IP-level controllers. Please refer to IPSEC and Network Security on Controllers for more information.
Another potential option would be to secure the controllers on a separate VLAN.
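An added example (not from the original article or from the vendor) of the RADIUS provisioning step described for MAB: it turns a controller inventory into FreeRADIUS `users` file entries, optionally returning a VLAN so that MAB-authenticated controllers land on the separate VLAN mentioned above. The choice of FreeRADIUS, the inventory names, the MAC addresses and VLAN 30 are assumptions; the `sep` and `upper` settings must match the MAC format your switch actually sends as the username.

```python
import re

# Constructed sample inventory (not real devices): name -> MAC as recorded by hand
INVENTORY = {
    "controller-1": "02:00:00:AA:BB:01",
    "controller-2": "0200.00aa.bb02",
    "controller-3": "02-00-00-aa-bb-03",
    "controller-3-dup": "020000AABB03",   # same device entered twice
    "truncated-row": "02:00:00:AA:BB",    # only 5 octets
}

def normalize_mac(raw, sep="", upper=False):
    """Return the MAC in the format the switch sends; raise ValueError if invalid."""
    digits = re.sub(r"[.:\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.upper() if upper else digits.lower()
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))

def radius_entry(name, mac, vlan=None):
    """One 'users' file entry: with MAB the MAC is both username and password."""
    lines = [f"# {name}", f'{mac} Cleartext-Password := "{mac}"']
    if vlan is not None:  # RFC 3580 attributes for dynamic VLAN assignment
        lines += ["    Tunnel-Type = VLAN,",
                  "    Tunnel-Medium-Type = IEEE-802,",
                  f'    Tunnel-Private-Group-Id = "{vlan}"']
    return "\n".join(lines)

def build_users_file(inventory, vlan=None, sep="", upper=False):
    """Return (file_text, rejected) where rejected lists (name, reason) pairs."""
    entries, rejected, seen = [], [], {}
    for name, raw in inventory.items():
        try:
            mac = normalize_mac(raw, sep, upper)
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        if mac in seen:  # same MAC recorded in two formats
            rejected.append((name, f"duplicate of {seen[mac]}"))
            continue
        seen[mac] = name
        entries.append(radius_entry(name, mac, vlan))
    return "\n\n".join(entries) + "\n", rejected

if __name__ == "__main__":
    text, rejected = build_users_file(INVENTORY, vlan=30)
    print(text)
    for name, reason in rejected:
        print(f"skipped {name}: {reason}")
```

Because the MAC address is the only credential, what limits the exposure of a MAB port is the VLAN or ACL it is placed in, so keep the returned VLAN restricted to what the controllers need to reach.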