The IEEE 802.1X standard operates at layer two of the OSI reference model and allows access control to cable-based or wireless local area networks (LANs and WLANs). It provides a secure authentication procedure and uses protocols and standards such as the Extensible Authentication Protocol (EAP) and RADIUS. In the WLAN environment, access control with this standard is sometimes referred to as WPA-Enterprise.
802.1X is the name of a standard adopted in 2001 by the Institute of Electrical and Electronics Engineers (IEEE). It is intended for secure authentication and authorization in local area networks and operates at the second OSI layer. The standard's full title is “IEEE Standard for Local and Metropolitan Area Networks – Port-Based Network Access Control (PNAC)”.
The standard can be used for physical network ports of cable-based LANs as well as for wireless WLANs and VLANs. The standard uses the Extensible Authentication Protocol (EAP) to exchange authentication information. User authentication and management can be implemented using a RADIUS server.
802.1X can also be used to allocate bandwidths or to perform accounting and billing for network usage. In the WLAN environment, access control with 802.1X is sometimes referred to as WPA-Enterprise or WPA2/802.1X. Unlike WLAN WPA authentication, access to the wireless network is no longer based on a shared key (pre-shared key – PSK). Specific access data can be set up for each client.
Basic functionality of 802.1X
The standard defines three basic functional components. These are:
- The supplicant (the client requesting access): for example, a computer in a LAN or WLAN
- The authenticator (the device controlling the port): for example, a LAN switch or WLAN access point
- The authentication server: for example, a RADIUS server
A client that needs access to a LAN or WLAN first contacts the authenticator (for example, a switch or WLAN access point) and sends it its credentials. The information exchange takes place via the Extensible Authentication Protocol (EAP). The authenticator accepts the request and forwards the credentials to the authentication server (for example, a separate RADIUS server). The authentication server can also be implemented as an LDAP gateway or LDAP server, or integrated in a WLAN access point, for example. The authentication server is responsible for user administration and authentication: it checks the credentials received and communicates the result to the authenticator. Depending on the outcome of that check, the authenticator enables or denies logical or physical access to the local network (for example, a switch port).
In addition, the supplicant can be assigned network usage bandwidths communicated by the authentication server. By having the RADIUS server receive and store session records with usage details, accounting and billing functions can be implemented using 802.1X.
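The three-party exchange described above, as an added example that is not part of the original article: a small Python model of supplicant, authenticator and authentication server. The message names, the credential store, the port identifiers and the plain password check (standing in for a real EAP method such as EAP-TLS or PEAP) are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed credential store for the authentication server (RADIUS role).
# Unlike a WPA pre-shared key, each client has its own credentials here.
USERS = {"alice": "correct-horse", "bob": "battery-staple"}


@dataclass
class AuthServer:
    users: dict
    sessions: list = field(default_factory=list)  # accounting records

    def access_request(self, identity, secret):
        """Handle a RADIUS Access-Request carrying the EAP credentials.
        Returns Access-Accept or Access-Reject; the compare is constant-time
        so that a wrong password does not leak timing information."""
        expected = self.users.get(identity)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), secret.encode())
        return "Access-Accept" if ok else "Access-Reject"

    def accounting_start(self, identity, port):
        """Store a session record; this is the basis for accounting/billing."""
        self.sessions.append({"user": identity, "port": port, "status": "Start"})


@dataclass
class Authenticator:
    server: AuthServer
    ports: dict = field(default_factory=dict)  # port -> authorized/unauthorized

    def eapol(self, port, identity, secret):
        """Relay EAP between supplicant and server for one port.
        The port starts unauthorized: only the EAPOL exchange itself is passed
        until the server's verdict arrives. Returns (port state, message log)."""
        self.ports[port] = "unauthorized"
        log = ["EAPOL-Start", "EAP-Request/Identity",
               f"EAP-Response/Identity({identity})"]
        verdict = self.server.access_request(identity, secret)
        log.append(verdict)
        if verdict == "Access-Accept":
            log.append("EAP-Success")
            self.ports[port] = "authorized"
            self.server.accounting_start(identity, port)
        else:
            log.append("EAP-Failure")
        return self.ports[port], log
```

Running `Authenticator(AuthServer(USERS)).eapol("Gi1/0/1", "alice", "correct-horse")` authorizes the port and writes an accounting record; a wrong password or unknown identity leaves the port unauthorized with an EAP-Failure in the log.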
Benefits of using the IEEE 802.1X standard
- Standardized, easy-to-implement, port-based Layer 2 access control to local networks
- Can be used for physical network ports or logical access to VLANs and WLANs
- Highly scalable – suitable for large networks with many clients
- Centralized, simplified user management through LDAP or RADIUS servers
- Offers an alternative to less secure access methods such as MAC address-based access control or WLAN logon via a common pre-shared key
- Specific credentials can be set up for each client
- Offers additional functions such as the allocation of usage bandwidths and functions for billing and accounting
- All major operating systems such as Windows, Linux, macOS, iOS, Android and others support 802.1X.