
IEEE 802.1X



A wireless node must be authenticated before it can gain access to other LAN resources

IEEE 802.1X is an IEEE standard for port-based Network Access Control; it is part of the IEEE 802 (802.1) group of protocols. It provides authentication for devices attached to a LAN port, establishing a point-to-point connection if authentication succeeds or blocking access from that port if it fails. It is used for certain closed wireless access points and is based on the Extensible Authentication Protocol (EAP, RFC 2284). RFC 2284 has been obsoleted by RFC 3748.

802.1X is available on certain network switches, and can be configured to authenticate hosts which are equipped with supplicant software, denying unauthorized access to the network at the data link layer.

Some vendors are implementing 802.1X for wireless access points, to be used in certain situations where an access point needs to be operated as a closed access point, addressing the security vulnerabilities of WEP (see 802.11i). The authentication is usually done by a third-party entity, such as a RADIUS server. This provides for client-only authentication, or more appropriately, strong mutual authentication using protocols such as EAP-TLS.

In many cases, the public is invited to the premises but not invited to connect to the network. In the case of a wired network, it is possible to control access through physical security on all network ports. As this does not apply to an IEEE 802.11 wireless signal, operators of closed access points can instead use 802.1X or other network admission controls at the data link layer. This correlation between wireless networking and use of 802.1X authentication has led some to mistakenly call the standard "802.11x" when it is used in a wireless network.

Upon detection of a new client (supplicant), the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator sends an EAP-Request/Identity to the supplicant; the supplicant replies with an EAP-Response packet, which the authenticator forwards to the authentication server. The authentication server can accept or reject the authentication request; if it accepts, the authenticator sets the port to the "authorized" state and normal traffic is allowed. When the supplicant logs off, it sends an EAP-Logoff message to the authenticator, which then returns the port to the "unauthorized" state, once again blocking all non-EAP traffic.
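The exchange described above, as an added example that is not part of the original article: a small Python model of a switch port (authenticator) that relays EAP between a supplicant and an authentication server and only opens the port to non-EAPOL traffic once the server accepts. The class names (`Authenticator`, `Supplicant`, `AuthServer`), the frame layout and the credentials are this example's own constructions; the HMAC-SHA256 challenge stands in for a real EAP method such as EAP-TLS, and the RADIUS transport between authenticator and server is collapsed into direct method calls. Only the EAPOL EtherType value `0x888E` is taken from the real protocol.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field
from enum import Enum

# EtherTypes as they appear on the wire; everything else here is a constructed model.
EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass
class Frame:
    ethertype: int
    kind: str                      # e.g. "EAPOL-Start", "EAP-Request/Identity", "DHCP"
    payload: dict = field(default_factory=dict)


class AuthServer:
    """Stands in for the RADIUS/EAP server. Credentials are constructed sample data."""

    def __init__(self, credentials: dict):
        self._creds = credentials
        self._pending = {}          # identity -> outstanding challenge nonce

    def identity(self, identity: str) -> Frame:
        # Simplified EAP method: challenge the claimed identity with a fresh nonce.
        nonce = os.urandom(16)
        self._pending[identity] = nonce
        return Frame(EAPOL_ETHERTYPE, "EAP-Request/Challenge", {"identity": identity, "nonce": nonce})

    def verify(self, identity: str, mac: bytes) -> bool:
        nonce = self._pending.pop(identity, None)
        secret = self._creds.get(identity)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


class Authenticator:
    """The switch port. Only EAPOL passes until the server accepts the supplicant."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.state = PortState.UNAUTHORIZED

    def receive(self, frame: Frame):
        if frame.ethertype == EAPOL_ETHERTYPE:
            return self._handle_eapol(frame)
        # Non-EAPOL traffic (DHCP, HTTP, ...) is blocked at layer 2 while unauthorized.
        return "forwarded" if self.state is PortState.AUTHORIZED else "dropped"

    def _handle_eapol(self, frame: Frame):
        if frame.kind == "EAPOL-Start":
            self.state = PortState.UNAUTHORIZED
            return Frame(EAPOL_ETHERTYPE, "EAP-Request/Identity")
        if frame.kind == "EAP-Response/Identity":
            return self.server.identity(frame.payload["identity"])   # relayed to the server
        if frame.kind == "EAP-Response/Challenge":
            ok = self.server.verify(frame.payload["identity"], frame.payload["mac"])
            self.state = PortState.AUTHORIZED if ok else PortState.UNAUTHORIZED
            return Frame(EAPOL_ETHERTYPE, "EAP-Success" if ok else "EAP-Failure")
        if frame.kind == "EAPOL-Logoff":          # the article calls this EAP-logoff
            self.state = PortState.UNAUTHORIZED
        return None


class Supplicant:
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def respond(self, request: Frame) -> Frame:
        if request.kind == "EAP-Request/Identity":
            return Frame(EAPOL_ETHERTYPE, "EAP-Response/Identity", {"identity": self.identity})
        if request.kind == "EAP-Request/Challenge":
            mac = hmac.new(self.secret, request.payload["nonce"], hashlib.sha256).digest()
            return Frame(EAPOL_ETHERTYPE, "EAP-Response/Challenge",
                         {"identity": self.identity, "mac": mac})
        raise ValueError(f"unexpected request {request.kind}")


def run_session(auth: Authenticator, supp: Supplicant) -> PortState:
    """Drive the exchange from EAPOL-Start to EAP-Success/Failure; return the port state."""
    reply = auth.receive(Frame(EAPOL_ETHERTYPE, "EAPOL-Start"))
    while reply is not None and reply.kind.startswith("EAP-Request"):
        reply = auth.receive(supp.respond(reply))
    return auth.state


def logoff(auth: Authenticator) -> PortState:
    auth.receive(Frame(EAPOL_ETHERTYPE, "EAPOL-Logoff"))
    return auth.state


if __name__ == "__main__":
    server = AuthServer({"alice": b"constructed-sample-secret"})
    auth = Authenticator(server)
    dhcp = Frame(IPV4_ETHERTYPE, "DHCP")
    print("before auth:", auth.receive(dhcp))
    print("session:", run_session(auth, Supplicant("alice", b"constructed-sample-secret")).value)
    print("after auth:", auth.receive(dhcp))
    print("after logoff:", logoff(auth).value)
```

The point the model makes is the one the paragraph makes: the port filters on EtherType, not on the client's intent, so a DHCP frame is dropped before the server's accept, forwarded after it, and dropped again as soon as a logoff returns the port to the unauthorized state. A failed challenge (wrong secret or unknown identity) leaves the port closed.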



From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License. See Wikipedia Copyrights for details.
