What Is IEEE* 802.1X and How Does It Relate to Security?

How does 802.1X authentication apply to the home and small-office user?

Home and small-office users are not usually concerned with IEEE* 802.1X user authentication as outlined below. Network professionals or those interested in technology may find the topic interesting. This summary has been offered for informational purposes only. A small wireless setup requires clients with wireless adapters and an access point (AP) or broadband wireless router to gain Internet access via a DSL, cable or other types of modems.


IEEE 802.1X

Overview
IEEE 802.1X is a link-layer authentication standard for port-based access control. It was originally used in wired networking but has been modified to work with wireless local area networks (WLAN) through virtual ports. 802.1X is utilized for adding user-based authentication with RADIUS and EAP support to WLANs for improved security. The standard identifies and authenticates users before granting network access.

802.1X is based on the Extensible Authentication Protocol (EAP). Full network access is only granted once the user is positively identified. This is particularly advantageous in a Wireless Local Area Network (WLAN). Obtaining this verification early in the network connection process allows for much finer access controls because users can be classified and restricted before obtaining network access.


Components
IEEE 802.1X authentication for wireless networks has three main components:

  • The authenticator (the access point)
  • The supplicant (the client software)
  • The authentication server (RADIUS)


Process
The following is a general overview of the 802.1X authentication process:

1. A network node (also known as a "Supplicant") sends a "request to access" message to an access point (AP).

2. The AP (also known as the "Authenticator") requests the client’s identity. All communication between the supplicant and authenticator uses the EAP encapsulation over LAN (EAPOL) protocol.

3. The client replies with its identity packet, which is passed along to the authentication server by the authenticator. All communication between the authenticator and authentication server uses the RADIUS format (discussed below).

4. The authentication server sends an "accept" packet to the access point. The authenticator places the client port in the “open” state and network data traffic is allowed to proceed.
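The four steps above, modelled as an added example (not Intel's code or a real supplicant): the EAPOL and EAP headers use their actual layouts (IEEE 802.1X and RFC 3748), and the authenticator's controlled port passes only EAPOL until the server accepts. The identity lookup stands in for the RADIUS server and whatever EAP method it would run; a real server authenticates with certificates or protected passwords (EAP-TLS, PEAP), never on the bare identity.

```python
import struct
EAPOL_ETHERTYPE = 0x888E                    # EtherType of EAPOL frames
EAPOL_EAP_PACKET = 0                        # EAPOL packet type 0 carries an EAP message
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
IPV4_ETHERTYPE = 0x0800                     # an ordinary data frame, for the port check

def eapol(eap_body):
    """EAPOL header (802.1X): version, packet type, body length, then the EAP packet."""
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap_body)) + eap_body

def eap(code, ident, payload=b""):
    """EAP header (RFC 3748): code, identifier, total length; Request/Response add a type byte."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eap(frame):
    """Strip the EAPOL header and return (code, identifier, payload) of the EAP packet."""
    _version, ptype, _body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    code, ident, length = struct.unpack("!BBH", frame[4:8])
    return code, ident, frame[8:4 + length]

class Authenticator:
    """The access point: its controlled port stays closed until the server accepts."""
    def __init__(self, radius_accounts):
        self.radius_accounts = radius_accounts  # stand-in for the RADIUS server's user database
        self.port_open = False

    def forwards(self, ethertype):
        # Uncontrolled port always passes EAPOL; the controlled port passes data only once open
        return ethertype == EAPOL_ETHERTYPE or self.port_open

    def handle(self, frame):
        # Step 3: relay the Identity response to the server; step 4: open the port on accept
        code, ident, payload = parse_eap(frame)
        if code != EAP_RESPONSE or payload[:1] != bytes([EAP_TYPE_IDENTITY]):
            raise ValueError("unexpected EAP message")
        if payload[1:] in self.radius_accounts:      # models RADIUS Access-Accept
            self.port_open = True
            return eapol(eap(EAP_SUCCESS, ident))
        return eapol(eap(EAP_FAILURE, ident))        # Access-Reject: port stays closed

def run_exchange(identity, accounts):
    """Return (data allowed before, final EAP code, data allowed after) for one supplicant."""
    ap = Authenticator(accounts)
    before = ap.forwards(IPV4_ETHERTYPE)
    request = eapol(eap(EAP_REQUEST, 7, bytes([EAP_TYPE_IDENTITY])))            # step 2
    _, ident, _ = parse_eap(request)                                            # supplicant reads id
    response = eapol(eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + identity))  # step 3
    code, _, _ = parse_eap(ap.handle(response))                                 # step 4
    return before, code, ap.forwards(IPV4_ETHERTYPE)
```

`run_exchange(b"alice", {b"alice"})` returns `(False, 3, True)`: data frames are dropped before authentication and forwarded only after EAP-Success; an unknown identity yields EAP-Failure and the port stays closed.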


Security
With 802.1X, the wireless client sends an authorization request to the access point, which authenticates the client against an Extensible Authentication Protocol (EAP) compliant RADIUS server. This RADIUS server may authenticate either the user (for example by user password or user certificate) or the system (typically by MAC address or machine certificate). In theory, the wireless client is not allowed to join the network until the transaction is complete.

There are several authentication algorithms used for 802.1X. Some examples are EAP-TLS, EAP-TTLS, and Protected EAP (PEAP). These are all methods for the wireless client to identify itself to the RADIUS server. With RADIUS authentication, user identities are checked against databases. RADIUS constitutes a set of standards that addresses authentication, authorization and accounting (AAA). RADIUS includes a proxy process to validate clients in a multi-server environment. The IEEE 802.1X standard is for controlling and authenticating access to port-based 802.11 wireless and wired Ethernet networks. Port-based network access control is similar to a switched local area network (LAN) infrastructure that authenticates devices attached to a LAN port and prevents access to that port if the authentication process fails.


Definitions
Extensible Authentication Protocol (EAP): General protocol for Point-to-Point Protocol (PPP) authentication that supports a variety of methods. Some common examples are LEAP, PEAP, EAP-TLS, and EAP-TTLS. Several Internet Engineering Task Force (IETF) Requests for Comments (RFCs) address EAP (e.g. RFC 3748). Details can be found on the IETF site*.

Remote Authentication Dial-In User Service (RADIUS): Network authentication protocol and service originally used in wired networks for remote host access to networks. It is an Authentication, Authorization and Accounting (AAA) client-server protocol. RADIUS is now often used in large-scale wireless networks for authenticating users and creating dynamic encryption keys. Some commercial products are Cisco ACS*, Microsoft IAS* and Funk Steel-Belted RADIUS*.

AAA Phases

  • Authentication phase: Verifies a user name and password against a local database. After credentials are verified, the authorization process begins.
  • Authorization phase: Determines whether a request is allowed access to a resource. An IP address is assigned for the dial-up client.
  • Accounting phase: Collects information on resource usage for the purpose of trend analysis, auditing, session time billing, or cost allocation.


Related topics
Institute of Electrical and Electronics Engineers (IEEE)*
Wi-Fi Alliance*

This applies to:

Intel® Centrino® Advanced-N + WiMAX 6250
Intel® Centrino® Advanced-N 6200
Intel® Centrino® Advanced-N 6205
Intel® Centrino® Advanced-N 6205 For Desktop
Intel® Centrino® Advanced-N 6230
Intel® Centrino® Advanced-N 6235
Intel® Centrino® Ultimate-N 6300
Intel® Centrino® Wireless-N + WiMAX 6150
Intel® Centrino® Wireless-N 100
Intel® Centrino® Wireless-N 1000
Intel® Centrino® Wireless-N 1030
Intel® Centrino® Wireless-N 105
Intel® Centrino® Wireless-N 130
Intel® Centrino® Wireless-N 135
Intel® Centrino® Wireless-N 2200
Intel® Centrino® Wireless-N 2200 For Desktop
Intel® Centrino® Wireless-N 2230
Intel® Dual Band Wireless-AC 3160
Intel® Dual Band Wireless-AC 7260
Intel® Dual Band Wireless-AC 7260 for Desktop
Intel® Dual Band Wireless-N 7260
Intel® PRO/Wireless 2200BG Network Connection
Intel® PRO/Wireless 2915ABG Network Connection
Intel® PRO/Wireless 3945ABG Network Connection
Intel® WiFi Link 1000
Intel® WiFi Link 5300 and Intel® WiFi Link 5100 products
Intel® WiMAX/WiFi Link 5350 and Intel® WiMAX/WiFi Link 5150 products
Intel® Wireless WiFi Link 4965AGN
Intel® Wireless-N 7260

Solution ID: CS-025323
Last Modified: 01-Oct-2014
Date Created: 27-Dec-2006