- MVE Technical Blog - (index page)
Wm Magill - June 20, 2018
The field of Computer Networking is extensive, complex, pervasive, hidden and largely unknown to the general population.
It is part of the "infrastructure" just like water-mains, electric lines and streets and highways.
Therefore, this series of technical notes covers a lot of material that is likely not part of your everyday conversation if you are not "in the business", but which impacts your use of "the net" every day. And, just to throw some more gasoline on the fire, how you use the net is also changing every day as these technologies change!
IEEE 802.1X is a communications protocol which provides an "Authentication" mechanism to devices wishing to attach to MVNet. That device, referred to as a "supplicant," might be a Smartphone, Tablet, Laptop, or Desktop Computer.
It is a "Query-Response" protocol. That is, MVNet makes a query and your device must respond appropriately in order to gain access to MVNet.
The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point.
The authenticator acts like a security guard for MVNet. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized.
The "credentials" for MVNet are the Userid and Password issued to the MV Resident when they subscribed to the MVNet Communications Package.
The supplicant provides credentials to the authenticator, and the authenticator forwards the credentials to the authentication (RADIUS) server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.
- AAA protocol, "Authentication, Authorization and Accounting," an access control, policy enforcement and auditing framework for computing systems.For a full discussion of AAA see the article: MVNet-3: What is RADIUS?
- Network Authentication - is accomplished on MVNet primarily by the use of a Userid and Password.
Access to MVNet must be "Authorized" in advance, by subscribing to the appropriate communications package. At the time of subscription, you will be issued a Userid and TEMPORARY Password to identify yourself to MVNet. This Userid is uniquely assigned to you and cannot be changed by the subscriber, only by the Network Administrator. The Password as issued, however is temporary and can be changed by the subscriber at will.
One of your first actions on MVNet should be to change that temporary password to one which is uniquely yours. A good password should be at least 12 characters in length, contain a mix of upper and lower case characters, and at least one non-alphabetic character.
Unlike Userids, Passwords ARE case sensitive!
This Userid and Password combination is how your device identifies itself to MVNet, which in turn then allows or denies that device access to the Network. For most devices this authentication involves presenting a Userid and Password to the Network Authentication (RADIUS) Server.
Note that this identification is strictly for the DEVICE. Anyone possessing a valid Userid and Password can connect to MVNet with the same device. Conversely, using your Userid and Password, you can use any device to connect to the MVNet. It also means that, once Authenticated, that device can be used by anyone - not exclusively by the subscriber to whom the the Userid and Password were issued i.e. co-habitants, a husband and wife, visiting children, grandchildren, etc.
Certain devices, typically WiFi attached printers, have no knowledge of, or capability to respond to, an authentication query with a Userid and Password. Therefore, a different mechanism must be used. For such devices, a MAC address is used. [The MAC (Media Access Control) address of a device is a unique identifier assigned to a network interface controller (NIC) - for WiFi or Ethernet, etc. - for communications at the data link layer of a network segment.] Just as with a Userid, the MAC address must be identified to the network at subscription time. Such devices will be assigned to connect to the WiFi network DevicesMVnet.