The 802.1X standard (i.e., 802.1X) of the Institute of Electrical & Electronics Engineers (IEEE) is a standard for facilitating network access control. It offers an effective framework for authenticating and controlling user traffic in data networks such as, for example, a Passive Optical Networks (PON), a WiFi wireless network and the like. The underlying functionality of 802.1X is that it keeps a network port disabled (e.g., to a certain type of traffic) until authentication is completed. Such a network port, which is under control of 802.1X, is referred to herein as the controlled port. Depending on the results, the controlled port is either made available to all traffic or remains disabled for at least a portion of traffic.
802.1X uses Extensible Authentication Protocol (EAP) for passing authentication messages. “EAP Over LAN” (EAPoL) is specifically configured for packet networks such as Ethernet. 802.1X uses EAPoL to start and end an authentication session and pass EAP messages between a supplicant and an authenticator and from the supplicant to an authentication server via the authenticator. Remote Authentication Dial In User Service (RADIUS) protocol is a typical protocol used for sending EAP messages from the authenticator to the authentication server. The supplicant is an entity (e.g., a user or client) requesting access to a network, the authenticator is the network device (e.g., an access point (AP), an network access server (NAS) or the like) that provides the network port to the supplicant and the authentication server is the server that provides authentication. In some networks (e.g., relatively small networks), the authentication server is often located in the same network element as the authenticator.
In a conventional manner, initial 802.1X authentication functionality begins with a supplicant attempting to connect with an authenticator. The authenticator responds by enabling a port (i.e., a controlled port) for passing only EAP packets from the client to an authentication server. The authenticator blocks all other traffic, such as HTTP, DHCP, and POP3 packets, until the authenticator can verify the supplicant's identity. The authenticator interacts with an authentication server for facilitating authentication of the supplicant's identity. Once the supplicant's identity is successfully authenticated, the authenticator opens the controlled port for other types of traffic.
Conventional approaches for implementing authentication via 802.1X are limited in that full functionality is too costly and too complex for low power, low cost devices. For example, an Optical Network Terminal (ONT) of a PON is intentionally designed as a relatively low-cost, low-power device with relatively high data plane packet processing functionality and with relatively limited control plane functionality. Accordingly, running full authenticator Port Access Entity (PAE) functionality on a ONT via 802.1X would require a host IP stack on the ONT with RADIUS client functionality, thereby necessitating stringent security and processing power requirements at the ONT as well as increasing cost and complexity of the ONT.
Therefore, an approach for enabling cost efficient implementation of authentication via 802.1X in a relatively low power, low cost device would be useful and advantageous.