Port-based Network Access Control
Port-based access control enables authenticated network access for Ethernet local area networks. It uses the physical components of a switched LAN to authenticate devices connected to a specific LAN port, and it prevents access through that port when authentication does not succeed.
A port access entity (LAN port) can take one of two roles with respect to access control: authenticator or supplicant. The “authenticator” is the port that makes certain all entities are authenticated before permitting access to the services that can be reached on that port. The authentication server (which can either be a separate unit or have its functions within the authenticator) executes the authentication method, inspecting the “supplicant’s” credentials on behalf of the authenticator. It then tells the authenticator whether the supplicant is authorized to access the authenticator’s services.
On the authenticator, port-based access control works through two logical access points to the LAN on one single LAN port:
1. The first logical access point is an uncontrolled port that permits an uncontrolled exchange between the authenticator and the other LAN systems. This occurs irrespective of the system’s authorization.
2. A second logical access point is a controlled port that allows communication between the LAN system and the authenticator services. This happens only when you are dealing with an authorized system.
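
The two logical access points on one authenticator port, modelled as an added example that is not part of the original article. It assumes the uncontrolled exchange is the 802.1X authentication traffic itself, recognized by the EAPOL EtherType 0x888E; `AuthenticatorPort`, `build_frame` and `run_demo` are hypothetical names, and the frames are constructed.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # EtherType of 802.1X EAPOL frames (assumed carrier of the auth exchange)
IPV4_ETHERTYPE = 0x0800


def build_frame(ethertype: int, payload: bytes = b"") -> bytes:
    """Build a constructed, untagged Ethernet II frame for the demo."""
    dst = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
    src = bytes.fromhex("020000000001")  # constructed locally administered MAC
    return dst + src + struct.pack("!H", ethertype) + payload


class AuthenticatorPort:
    """One physical LAN port exposing an uncontrolled and a controlled logical port."""

    def __init__(self) -> None:
        self.authorized = False  # controlled port stays closed until authentication succeeds

    def on_auth_result(self, success: bool) -> None:
        """Apply the authentication server's verdict for the attached supplicant."""
        self.authorized = success

    def classify(self, frame: bytes) -> str:
        """Return the logical port a received frame is handed to, or a drop reason."""
        if len(frame) < 14:  # too short to hold an Ethernet header
            return "drop:runt"
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == EAPOL_ETHERTYPE:
            return "uncontrolled"  # always reachable, regardless of authorization
        return "controlled" if self.authorized else "drop:unauthorized"


def run_demo() -> list:
    """Walk one port through unauthenticated, authorized and rejected states."""
    port = AuthenticatorPort()
    eapol_start = build_frame(EAPOL_ETHERTYPE, b"\x01\x01\x00\x00")  # EAPOL-Start
    ipv4 = build_frame(IPV4_ETHERTYPE, b"constructed payload")
    seen = [port.classify(ipv4), port.classify(eapol_start)]
    port.on_auth_result(True)
    seen += [port.classify(ipv4), port.classify(eapol_start)]
    port.on_auth_result(False)  # e.g. a failed re-authentication
    seen.append(port.classify(ipv4))
    return seen


if __name__ == "__main__":
    print(run_demo())
```

The model classifies untagged frames only; a VLAN-tagged frame is treated as ordinary data and handled by the controlled port.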