802.1x Authentication Standard

IEEE 802.1x Authentication Standard:

Terms:

Supplicant - The User or Client to be authenticated

Radius Server - The Server doing the authentication

Authenticator - The device between the Supplicant & the Radius Server

EAPOL - (Extensible Authentication Protocol Over LANs)

How it Works:

The Authenticator sends an EAP request packet to the Supplicant.

The Supplicant sends an EAP packet to the Authenticator.

The Authenticator sends a packet to the Radius Server.

The Radius Server challenges the Authenticator with a token or password.

How it Works: continued…

The Authenticator changes it from the IP to EAPOL.

The Supplicant responds to the challenge and passes it to the Authentication Server.

If there’s a successful challenge, then the Authentication Server responds with a success message allowing access to the LAN.
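
The exchange above at the frame level, as an added example that is not part of the original slides: a Python parser for EAPOL/EAP headers run over a constructed exchange, tracking when the Authenticator's port opens. The MD5-Challenge method, the identity `alice` and the helper names (`parse_eapol`, `port_state`, `eap`) are assumptions chosen for illustration.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def parse_eapol(body):
    """Parse an EAPOL frame body (the bytes that follow EtherType 0x888E)."""
    if len(body) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", body[:4])
    payload = body[4:4 + length]  # ignore any Ethernet padding after the body
    if len(payload) != length:
        raise ValueError("EAPOL length field exceeds the frame")
    msg = {"eapol": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:  # EAP-Packet: code, identifier, length, then optional type + data
        if length < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", payload[:4])
        if not 4 <= eap_len <= length:
            raise ValueError("bad EAP length field")
        msg.update(code=EAP_CODES.get(code, code), id=ident)
        if code in (1, 2) and eap_len > 4:  # only Request/Response carry a type
            msg["type"] = EAP_TYPES.get(payload[4], payload[4])
            msg["data"] = payload[5:eap_len]
    return msg

def port_state(frames):
    """Track the controlled port: closed until EAP Success, closed again on Failure/Logoff."""
    state = "unauthorized"
    for msg in map(parse_eapol, frames):
        if msg.get("code") == "Success":
            state = "authorized"
        elif msg.get("code") == "Failure" or msg["eapol"] == "EAPOL-Logoff":
            state = "unauthorized"
    return state

def eap(code, ident, eap_type=None, data=b""):
    """Build an EAPOL EAP-Packet frame body (used only for the constructed samples)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    pkt = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(pkt)) + pkt

EXCHANGE = [  # constructed sample frames, in the order the steps above describe
    eap(1, 1, 1),                               # Authenticator -> Supplicant: Request/Identity
    eap(2, 1, 1, b"alice"),                     # Supplicant -> Authenticator: Response/Identity
    eap(1, 2, 4, b"\x10" + bytes(range(16))),   # challenge relayed from the Radius Server
    eap(2, 2, 4, b"\x10" + bytes(16)),          # Supplicant's answer to the challenge
    eap(3, 2),                                  # Success: the port is opened to the LAN
]
```

`port_state(EXCHANGE[:4])` is still `"unauthorized"`: nothing before the Success message opens the port, which is the 'pre-connect' enforcement listed under Benefits.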

Example:

Key Aspects:

Supplicant = End station software

Authenticator = Wired switch or SSID

Authentication Server = Ensures certificate or passwords are correct

Benefits:

IEEE Standard

98% of all switches support 802.1x

Good authentication

‘Pre-connect’ enforcement of access policies

Drawbacks:

Incompatibilities with certain switches

Some security issues

Tough to deploy

Does not have a ‘post-connect’