IEEE 802.1X

From FreeRADIUS Wiki

IEEE 802.1X is an IEEE standard for port-based Network Access Control; it is part of the IEEE 802 (802.1) group of protocols. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. It is also used for certain closed wireless access points, and is based on the Extensible Authentication Protocol (EAP), specified in RFC 2284, which has been obsoleted by RFC 3748.

802.1X is available on certain network switches, and can be configured to authenticate hosts which are equipped with supplicant software, denying unauthorized access to the network at the data link layer.

Many vendors are implementing 802.1X for wireless access points, to be used in situations where an access point needs to be operated as a closed access point, addressing the security vulnerabilities of WEP (see 802.11i). The authentication is usually done by a RADIUS server. This provides for client-only authentication or, more appropriately, strong mutual authentication using protocols such as EAP-TLS.

Upon detection of a new client (supplicant), the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator sends an EAP-Request identity packet to the supplicant, and the supplicant replies with an EAP-Response packet, which the authenticator forwards to the authenticating server. The authenticating server can accept or reject the request; if it accepts, the authenticator sets the port to the "authorized" mode and normal traffic is allowed. When the supplicant logs off, it sends an EAP-logoff message to the authenticator. The authenticator then sets the port back to the "unauthorized" state, once again blocking all non-EAP traffic.
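
The port behaviour described above, modelled as an added example (not code from the FreeRADIUS wiki or project): `AuthenticatorPort` and its helpers are hypothetical names, the frames are constructed samples, and the EAPOL/EAP field values are the standard ones. It also shows that an EAP-Success sent by the supplicant itself never opens the port; only the authentication server's result does.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                      # EtherType for 802.1X (EAP over LAN)
EAPOL_EAP_PACKET, EAPOL_LOGOFF = 0, 2         # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def eap(code, ident, data=b""):               # code, identifier, total length, data
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def frame(ethertype, payload=b""):            # constructed frame, sample MACs
    return bytes.fromhex("0180c2000003" "020000000001") + struct.pack("!H", ethertype) + payload

def eapol(pkt_type, body=b""):
    """EAPOL header (version, type, body length) wrapped in an Ethernet frame."""
    return frame(EAPOL_ETHERTYPE, struct.pack("!BBH", 1, pkt_type, len(body)) + body)

class AuthenticatorPort:
    """Hypothetical model of one switch port acting as 802.1X authenticator."""
    def __init__(self):
        self.authorized = False
        self.to_server = []                   # EAP packets relayed to the server

    def link_up(self):
        """New supplicant detected: unauthorized state, send EAP-Request identity."""
        self.authorized = False
        return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))

    def receive(self, raw):
        """Classify a frame from the supplicant: forward, relay, logoff or drop."""
        if len(raw) < 14:
            return "drop"
        if struct.unpack("!H", raw[12:14])[0] != EAPOL_ETHERTYPE:
            return "forward" if self.authorized else "drop"   # DHCP, HTTP, ...
        if len(raw) < 18:
            return "drop"
        _version, pkt_type, length = struct.unpack("!BBH", raw[14:18])
        body = raw[18:18 + length]
        if pkt_type == EAPOL_LOGOFF:          # the "EAP-logoff" message in the text
            self.authorized = False
            return "logoff"
        if pkt_type == EAPOL_EAP_PACKET and len(body) >= 4 and body[0] == EAP_RESPONSE:
            self.to_server.append(body)
            return "relay"
        return "drop"                         # e.g. an EAP-Success from the supplicant

    def server_result(self, eap_packet):
        """Only the authentication server's EAP-Success opens the port."""
        self.authorized = len(eap_packet) >= 4 and eap_packet[0] == EAP_SUCCESS
```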

Retrieved from "http://wiki.freeradius.org/IEEE_802.1X"

This page was last modified 14:25, 9 July 2007.