Interoperability Solution for IEEE 802.1X based Authentication unsupported Customer Premises Equipment
17 October 2019
802.1X-based authentication lets node devices in a network perform AAA operations (Authentication, Authorization and Accounting). Authentication is performed through a handshake between the node device and the connected CPE, in the form of a challenge request and response exchange. The node device sends a challenge request, and the CPE is expected to reply with an appropriate response message. On receiving a valid response from the CPE, the node device allows further traffic from the CPE to proceed.

The interoperability issue arises when the CPE connected to the node device is not capable of responding to the challenge request that the node device sends to authenticate it. The node device treats this as an authentication failure and blocks further traffic from the CPE on that port, which makes 802.1X authentication infeasible for the port where the CPE is connected. The operator is then forced to disable 802.1X authentication on that port to interoperate with the connected CPE. When the node device has a mix of CPEs that support 802.1X and CPEs that do not, the operator can enable 802.1X authentication only on the ports connected to CPEs that support it, and not on the ports connected to unsupported CPEs. This makes the security of the system inconsistent, because some ports are left unauthenticated.

This interoperability inconsistency can be resolved with Eligible To Learn (ETL), where a MAC address can be configured as ETL on a port. On receiving a packet on the port with a MAC configured as ETL, the node device processes the packet irrespective of the 802.1X authentication status.

This gives the operator the option to enable 802.1X authentication for the entire system and, for the ports connected to CPEs that are not capable of performing the authentication handshake, to configure the device MAC as ETL. This removes the authentication inconsistency in the system and provides an 802.1X interoperability solution.
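The admission decision described above, modelled as an added example (not code from the original disclosure): it compares a mixed deployment, where 802.1X is disabled on the legacy CPE's port, with an ETL deployment, where 802.1X stays enabled and only the configured MAC is processed. The `Port` class, function names, reason strings, port names and MAC values are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

def norm_mac(mac: str) -> str:
    """Normalise 00-00-5E.., 00:00:5e.. or 0000.5e00.. to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class Port:  # hypothetical model of one node-device port
    name: str
    dot1x_enabled: bool
    authenticated: bool = False  # outcome of the challenge/response handshake
    etl_macs: set = field(default_factory=set)

    def configure_etl(self, mac: str) -> None:
        self.etl_macs.add(norm_mac(mac))

    def admit(self, src_mac: str):
        """Return (processed?, reason) for a frame received from src_mac."""
        if not self.dot1x_enabled:
            return True, "dot1x-disabled"  # any source MAC gets through
        if norm_mac(src_mac) in self.etl_macs:
            return True, "etl"  # processed irrespective of auth status
        if self.authenticated:
            return True, "authenticated"
        return False, "blocked"

def open_ports(ports):
    """Names of ports that process traffic from any MAC without 802.1X."""
    return [p.name for p in ports if not p.dot1x_enabled]

# Constructed sample values (IANA documentation MAC range).
LEGACY_CPE = "00-00-5E-00-53-01"   # CPE that cannot answer the challenge
OTHER_HOST = "00:00:5e:00:53:02"   # some other device on the same port

def mixed_deployment():
    """Before: 802.1X is switched off on the legacy CPE's port."""
    return [Port("p1", True, authenticated=True), Port("p2", False)]

def etl_deployment():
    """After: 802.1X on every port, legacy CPE's MAC configured as ETL."""
    p2 = Port("p2", True)
    p2.configure_etl(LEGACY_CPE)
    return [Port("p1", True, authenticated=True), p2]

if __name__ == "__main__":
    for label, ports in (("mixed", mixed_deployment()), ("etl", etl_deployment())):
        p2 = ports[1]
        print(label, open_ports(ports), p2.admit(LEGACY_CPE), p2.admit(OTHER_HOST))
```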