802.1X

802.1X provides port-based authentication. On a plain switch port there is no authentication at all: you plug in your UTP cable and, if the interface is up and configured, you have a link, get an IP address from a DHCP server in the VLAN the interface belongs to, and so on.

With 802.1X, we add authentication to port control. Before the port forwards your traffic, you have to authenticate yourself. The "port control" part is what 802.1X itself defines; the authentication is carried by EAP (Extensible Authentication Protocol). On the wire the supplicant sends EAP inside EAPOL (EAP over LAN, Ethertype 0x888E) to the switch, and the switch relays it to the authentication server inside RADIUS. Until the authentication succeeds, the port passes only EAPOL frames and drops everything else. 802.1X is often combined on wired networks with NAC (Network Admission Control), which lets the network check whether a computer has up-to-date anti-virus / anti-spyware software and/or all updates for its operating system installed. If that checks out, the computer gets further access to the network.

802.1X is also used in wireless networking, where it is the basis of WPA-Enterprise. There we use it to get per-user authentication instead of a single pre-shared key, and because the EAP exchange derives a different master key (PMK) for each wireless client session, it enhances security. This requires an EAP method that produces keying material, such as EAP-TLS or PEAP.

There are three terms you need to know when using 802.1X:

  • Supplicant: this is the user or device that wants access to the (wireless) network.
  • Authentication Server: the device that processes the authentication. For 802.1X this is a RADIUS server, because the EAP packets are carried to the server in RADIUS EAP-Message attributes. TACACS+ is used for device administration (AAA for the switch CLI), not for 802.1X.
  • Authenticator: the device in between the supplicant and the authentication server. It relays EAP (EAPOL on the supplicant side, RADIUS on the server side) and opens the port only after the server returns Access-Accept. This is a switch or wireless access point.
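To make the port-control idea and the three roles concrete, here is an added example (not code from the original page) that models one 802.1X exchange in Python: the supplicant speaks EAPOL to the authenticator, the authenticator relays the EAP packet to the authentication server as a RADIUS EAP-Message attribute and keeps the controlled port closed until it gets Access-Accept. The EAP method is EAP-MD5 (Identity, then MD5-Challenge), chosen only because it is short and needs nothing beyond the standard library; it derives no keying material, so it cannot be used for WPA-Enterprise, and real deployments use EAP-TLS or PEAP. The RADIUS side is simplified to a dictionary of attributes (no UDP, shared secret or Message-Authenticator), and the user database, port names and credentials are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

# Constants from IEEE 802.1X (EAPOL), RFC 3748 (EAP) and RFC 3579 (RADIUS EAP-Message).
ETH_P_EAPOL = 0x888E
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5_CHALLENGE = 1, 3, 4
RADIUS_EAP_MESSAGE = 79


def eapol(ptype, body=b""):
    """EAPOL PDU: version(1) type(1) length(2) body, carried in an Ethernet frame of type 0x888E."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def parse_eapol(pdu):
    _version, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return ptype, body


def eap(code, ident, etype=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) type-data]. Success/Failure carry no type."""
    payload = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length mismatch")
    if code in (EAP_SUCCESS, EAP_FAILURE) or length == 4:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def md5_chap(ident, password, challenge):
    """EAP-MD5 response value (RFC 3748 s5.4, CHAP style): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


class Supplicant:
    """The end system asking for access. It only ever speaks EAPOL to the authenticator."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def start(self):
        return eapol(EAPOL_START)

    def handle(self, pdu):
        ptype, body = parse_eapol(pdu)
        if ptype != EAPOL_EAP_PACKET:
            return None
        code, ident, etype, data = parse_eap(body)
        if code != EAP_REQUEST:
            return None  # EAP-Success / EAP-Failure ends the conversation
        if etype == EAP_TYPE_IDENTITY:
            resp = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
        elif etype == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]  # type-data: value-size(1) value(n) [name]
            digest = md5_chap(ident, self.password, challenge)
            resp = eap(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([len(digest)]) + digest)
        else:  # Nak: unsupported method, propose MD5-Challenge instead
            resp = eap(EAP_RESPONSE, ident, EAP_TYPE_NAK, bytes([EAP_TYPE_MD5_CHALLENGE]))
        return eapol(EAPOL_EAP_PACKET, resp)


class RadiusServer:
    """Authentication server (simplified: attributes as a dict, no transport or shared secret)."""

    def __init__(self, users):
        self.users = users      # identity -> password; constructed sample data
        self.sessions = {}      # NAS port -> (identity, challenge) awaiting a response

    def access_request(self, nas_port, attributes):
        """Return (RADIUS code, EAP packet for the authenticator to relay to the supplicant)."""
        code, ident, etype, data = parse_eap(attributes[RADIUS_EAP_MESSAGE])
        if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.sessions[nas_port] = (data.decode(), challenge)
            req = eap(EAP_REQUEST, ident + 1, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + challenge)
            return "Access-Challenge", req
        if code == EAP_RESPONSE and etype == EAP_TYPE_MD5_CHALLENGE and nas_port in self.sessions:
            identity, challenge = self.sessions.pop(nas_port)
            password = self.users.get(identity)
            if (password is not None and data[0] == 16
                    and hmac.compare_digest(data[1:17], md5_chap(ident, password, challenge))):
                return "Access-Accept", eap(EAP_SUCCESS, ident)
        return "Access-Reject", eap(EAP_FAILURE, ident)


class Authenticator:
    """Switch port or AP: relays EAP between EAPOL and RADIUS and owns the controlled-port state."""

    def __init__(self, server, nas_port):
        self.server, self.nas_port = server, nas_port
        self.authorized = False

    def forwards(self, ethertype):
        """Controlled port: until authorized, only EAPOL frames get through."""
        return self.authorized or ethertype == ETH_P_EAPOL

    def handle(self, pdu):
        ptype, body = parse_eapol(pdu)
        if ptype == EAPOL_LOGOFF:
            self.authorized = False
            return None
        if ptype == EAPOL_START:
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        if ptype != EAPOL_EAP_PACKET:
            return None
        verdict, reply = self.server.access_request(self.nas_port, {RADIUS_EAP_MESSAGE: body})
        self.authorized = verdict == "Access-Accept"
        return eapol(EAPOL_EAP_PACKET, reply)


def run_session(supplicant, authenticator, max_rounds=8):
    """Drive one exchange to EAP-Success/Failure; return whether the port ended up authorized."""
    frame = supplicant.start()
    for _ in range(max_rounds):
        frame = authenticator.handle(frame)
        if frame is None:
            break
        frame = supplicant.handle(frame)
        if frame is None:
            break
    return authenticator.authorized


if __name__ == "__main__":
    server = RadiusServer({"alice": "s3cret"})
    port = Authenticator(server, "GigabitEthernet0/1")
    print("IPv4 before auth:", port.forwards(0x0800))                       # False
    print("alice:", run_session(Supplicant("alice", "s3cret"), port))       # True
    print("IPv4 after auth:", port.forwards(0x0800))                        # True
    print("mallory:", run_session(Supplicant("mallory", "guess"),
                                  Authenticator(server, "GigabitEthernet0/2")))  # False
```

Two details are worth noticing when you run it. The authenticator never looks at the EAP contents beyond the code of the final packet; it is a pass-through, and the decision that opens the port is the RADIUS verdict. And an EAPOL-Logoff closes the port again immediately, which is why a switch behind a shared hub or an unmanaged switch cannot tell which of several hosts is actually authenticated.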
