How does 802.1X authentication apply to the home and small-office user?
Home and small-office users are not usually concerned with IEEE* 802.1X user authentication as outlined below. Network professionals or those interested in the technology may find the topic interesting. This summary is offered for informational purposes only. A small wireless setup consists of clients with wireless adapters and an access point (AP) or broadband wireless router, which provides Internet access through a DSL, cable or other type of modem.
IEEE 802.1X is a link-layer authentication standard for port-based access control. It was originally used in wired networking but has been modified to work with wireless local area networks (WLAN) through virtual ports. 802.1X is utilized for adding user-based authentication with RADIUS and EAP support to WLANs for improved security. The standard identifies and authenticates users before granting network access.
802.1X is based on the Extensible Authentication Protocol (EAP). Full network access is only granted once the user is positively identified. This is particularly advantageous in a Wireless Local Area Network (WLAN). Obtaining this verification early in the network connection process allows for much finer access controls because users can be classified and restricted before obtaining network access.
IEEE 802.1X authentication for wireless networks has three main components:
- The authenticator (the access point)
- The supplicant (the client software)
- The authentication server (RADIUS)
The following is a general overview of the 802.1X authentication process:
1. A network node (also known as a "Supplicant") sends a "request to access" message to an access point (AP).
2. The AP (also known as the "Authenticator") requests the client’s identity. All communication between the supplicant and authenticator uses the EAP encapsulation over LAN (EAPOL) protocol.
3. The client replies with its identity packet, which is passed along to the authentication server by the authenticator. All communication between the authenticator and authentication server uses the RADIUS format (discussed below).
4. The authentication server sends an "accept" packet to the access point. The authenticator places the client port in the “open” state and network data traffic is allowed to proceed.
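The four-step exchange above, simulated end to end as an added example that is not from the original article: EAP packets are encoded per RFC 3748, carried inside EAPOL between supplicant and authenticator, and the authenticator keeps its controlled port closed until the server returns Access-Accept. The user database is a constructed stand-in for a RADIUS server, and the EAP method exchange (EAP-TLS, PEAP, etc.) that would normally follow the identity step is omitted.

```python
import struct

# Constants from RFC 3748 (EAP) and IEEE 802.1X (EAPOL framing)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1

def eap_pkt(code, ident, type_data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data

def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type, data); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, (pkt[4] if len(pkt) > 4 else None), pkt[5:]

def eapol(ptype, body=b""):
    """Wrap a body in an EAPOL header: Version(1)=2 Type(1) Length(2)."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body

def supplicant(identity, eapol_frame):
    """Client software: answer EAP-Request/Identity with EAP-Response/Identity."""
    code, ident, etype, _ = parse_eap(eapol_frame[4:])      # strip the EAPOL header
    if code != EAP_REQUEST or etype != EAP_TYPE_IDENTITY:
        raise ValueError("expected EAP-Request/Identity")
    body = eap_pkt(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + identity.encode())
    return eapol(EAPOL_EAP_PACKET, body)

USER_DB = {"alice": True, "mallory": False}   # constructed stand-in for the RADIUS user database

def radius_server(eap_message):
    """AAA server: checks the relayed identity and returns the RADIUS verdict plus the EAP result."""
    code, ident, etype, data = parse_eap(eap_message)
    if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY and USER_DB.get(data.decode(), False):
        return "Access-Accept", eap_pkt(EAP_SUCCESS, ident)
    return "Access-Reject", eap_pkt(EAP_FAILURE, ident)

class Authenticator:
    """Access point: the controlled port stays closed until the server returns Access-Accept."""
    def __init__(self):
        self.port_open = False

    def forward_data(self, frame):
        return self.port_open          # an unauthorized port drops all non-EAPOL traffic

    def authenticate(self, identity):
        start = eapol(EAPOL_START)     # step 1: supplicant asks for access
        request = eapol(EAPOL_EAP_PACKET, eap_pkt(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))  # step 2
        response = supplicant(identity, request)                 # step 3a: identity reply over EAPOL
        verdict, result = radius_server(response[4:])            # step 3b: EAP relayed to RADIUS
        self.port_open = verdict == "Access-Accept"              # step 4: only an accept opens the port
        return verdict, parse_eap(result)[0]
```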
802.1X authentication security initiates an authorization request from the wireless client to the access point, which authenticates the client to an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (examples are user password or user certificate) or the system (typically by MAC address or machine certificate). In theory, the wireless client is not allowed to join the network until the transaction is complete.
There are several authentication methods used with 802.1X. Some examples are EAP-TLS, EAP-TTLS, and Protected EAP (PEAP). These are all methods for the wireless client to identify itself to the RADIUS server. With RADIUS authentication, user identities are checked against databases. RADIUS constitutes a set of standards that addresses authentication, authorization and accounting (AAA). RADIUS includes a proxy process to validate clients in a multi-server environment. The IEEE 802.1X standard is for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks. Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices attached to a LAN port and prevents access to that port if the authentication process fails.
Extensible Authentication Protocol (EAP): General protocol for Point-to-Point Protocol (PPP) authentication that supports a variety of methods. Some common examples are LEAP, PEAP, EAP-TLS, and EAP-TTLS. There are several Internet Engineering Task Force (IETF) Requests for Comments (RFCs) addressing EAP (e.g. RFC 3748). Details can be found on the IETF site*.
Remote Authentication Dial-In User Service (RADIUS): Network authentication protocol and service originally used in wired networks for remote host access to networks. It is an Authentication, Authorization and Accounting (AAA) client-server protocol. RADIUS is now often used in large-scale wireless networks for authenticating users and creating dynamic encryption keys. Some commercial products are Cisco ACS*, Microsoft IAS* and Funk Steel-Belted RADIUS*.
- Authentication phase: Verifies a user name and password against a local database. After credentials are verified, the authorization process begins.
- Authorization phase: Determines whether a request is allowed access to a resource. An IP address is assigned for the dial-up client.
- Accounting phase: Collects information on resource usage for the purpose of trend analysis, auditing, session time billing, or cost allocation.