IEEE Std 802.1X-2020 pdf download

IEEE Std 802.1X-2020 pdf download.IEEE Standard forLocal and Metropolitan Area Networks-Port-Based Network Access Control.
5.11.3 CAK Cache
A PAE that implements a CAK Cache shall
a) Associate a lifetime with each cached CAK, deleting the CAK when that lifetime has expired as specified in 12.6.
b) Associate a CKN, KMD, NID, and other relevant authorization information with each cached (‘AK. as specified in 12.6.
c) Cache group CAKs distributed by an MKA Key Server, as specified in 12.6.
d) If support for EAP Authenticator or EAP Supplicant functionality is claimed, shall be capable of:
1) Caching pairwise CAKs derived from EAP exchanges.
A PAE shall not
e) Cache a CAK derived from an EAP exchange if that is prohibited by 12.6.
0 Distribute a KMD for a Group CAK unless the PAE distributed the CAK when acting as a Key Server as specified in 12.6.
5.11.4 In-service upgrades
A PAE that supports in-service upgrades shall be capable of
a) Suspending MKA operation as specified in 9.18.
b) Communicating the values of the most significant 32 bits of the Lowest Acceptable PN for the Latest Key and the Old Key when any XPN capable Cipher Suite is being used, as specified in
9.18.5.
NOTE—Selection and use of Extended Packet Numbering depends on the implementation of an XPN capable Cipher Suite by each SecY participating in a CA. See IEEE Std 802.1AE.
A PAE that supports in-service upgrades may use additional protocol(s), outside the scope of this specification, to coordinate in-service upgrades as specified in 9.18.6.
5.12 Virtual port requirements
A PAE that supports the use of virtual ports shall
a) Specify the number of virtual ports that can be supported for each real port, or for the system as a whole.
b) Implement MKA functionality, and be capable of operating 2 or more simultaneous MKA instances for each of the specified number of virtual ports.
c) Support each virtual port with a SecY.
d) Create and manage virtual ports as specified in 6.3.6, 9.14, and 12.7.
e) Shall not create or maintain virtual ports if Supplicant functionality is enabled for the real port.
A PAE that supports both virtual ports and Authenticator functionality shall
f) Be capable of supporting at least the same number of simultaneous EAP Exchanges as the number of virtual ports supported.
A PAE implementation that creates virtual ports in a system that bridges frames to and from those ports as specified by IEEE Std 802.IQ shall
g) Support each of those virtual ports as specified by IEEE Std 802. lQ for each Bridge Port, including support for Spanning Tree Protocol (see 7.6).
5.13 Virtual port options
No options are specified for virtual port creation and deletion.
5.14 Announcement transmission requirements
A PAE that transmits EAPOL-Announcements shall
a) Support the use of the null NID and zero or more additional NIDs as specified in Clause 10.
b) Be capable of using the Uncontrolled Port to transmit generic EAPOL-Announcernents containing the information for each supported NID, as specified in 10.1 and 10.2.
c) Encode EAPOL-Announcements as specified in 11 .12.
d) Rate limit the transmission of announcements as specified in 10.2.
A PAE that transmits EAPOL—Announcements shall not
e) Transmit EAPOL-Announcements through an unsecured Controlled Port (10.2).
5.15 Announcement transmission options
No options are specified for conformance to Announcement transmission functionality.
5.16 Announcement reception requirements
A PAE that listens to EAPOL-Announcements shall
a) Interpret each received EAPOL-Announccmcnt as specified in Clause 11 and Clause 10.
b) Be capable of using a received EAPOL-Announcement to select one or more NIDs, each representing a network or network service, and using the authentication procedure or procedures advertised for that NID subject to the applicable Logon Process controls as specified in Clause 10 and 12.5.
c) Be capable of soliciting an EAPOL-Announcernent by transmitting an EAPOL-Announcerncnt-Req as specified in 11.13.
d) Be capable of encoding a Packet Body in an EAPOL-Announcement-Req, including TLVs to select aNID, as specified in 11.13.
c) Be capable of selecting an appropriate credential, for authentication for access to a desired N1D, for use by the PAE’s Supplicant (if implemented).