CASP: 802.1X - Paiet/Tech-Journal-for-Everything GitHub Wiki
What is 802.1X? An Institute of Electrical and Electronics Engineers (IEEE) standard used to provide a port-based authentication mechanism over a LAN or wireless LAN.
802.1X carries Extensible Authentication Protocol (EAP) frames over the LAN (EAP over LAN, or EAPOL) so that a user can be authenticated against a back-end service like Remote Authentication Dial-In User Service (RADIUS). 802.1X supports password-based logins, but can also use digital certificates for authentication.
The authentication process of 802.1X involves three roles:
- Supplicant (e.g., a client device like a laptop)
- Authenticator (e.g., a network switch)
- Authentication server (e.g., a RADIUS server)
The basic process involving a RADIUS server is as follows:
1. Request initialized: Either the authenticator detects a new supplicant in its scheduled listening period, or the supplicant actively sends an EAPOL (EAP over LAN) packet to the authenticator to start the process.
2. Identity provided: The supplicant sends its identity information (e.g., a user name) to the authenticator, which then forwards the credentials to the authentication server.
3. Access challenge issued: The authentication server verifies the supplicant's identity and sends an access challenge back to the supplicant through the authenticator. Along with the challenge, the authentication server informs the supplicant which authentication method it prefers to use. The supplicant can reject this method and suggest another, if desired.
4. Credentials provided: Using the agreed-upon authentication method, the supplicant sends the authentication server (through the authenticator) its credentials (e.g., a password).
5. Access granted or rejected: The authentication server verifies the supplicant's credentials and sends either an accept or reject message. If accepted, the access port on the authenticator is opened, and the supplicant now has access to network resources according to its assigned permissions. If rejected, then the port remains blocked or it reverts to an otherwise default state.
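The five steps above, modelled as a small Python simulation of the three roles. This is an added example written for this page, not code from the wiki or from any 802.1X implementation: the credential store, the user "alice", the server's method preference list and the message dictionaries are all constructed here. It models only an EAP-MD5 style challenge/response (MD5 over identifier, password and challenge, in the shape RFC 3748 describes) because that is the simplest method to show the exchange with; the point is the sequence of messages, the method negotiation in step 3, and the authenticator's port staying blocked until an Access-Accept arrives.

```python
"""Toy model of the 802.1X / EAP / RADIUS exchange (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed credential store held by the authentication server (RADIUS role).
USER_DB = {"alice": "correct horse battery staple"}

# Server's preferred methods, most preferred first.  EAP-TLS is listed only so
# the negotiation in step 3 is exercised; this toy implements just EAP-MD5.
SERVER_METHODS = ["EAP-TLS", "EAP-MD5"]


def md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 style response: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class Supplicant:
    """Client device: knows only its identity, its password and one EAP method."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password
        self.methods = ("EAP-MD5",)  # the only method this toy implements

    def respond(self, challenge):
        # Step 3: reject an unsupported method and suggest our own (EAP-NAK).
        if challenge["method"] not in self.methods:
            return {"type": "EAP-NAK", "suggested": self.methods}
        # Step 4: answer the challenge using the agreed-upon method.
        value = md5_response(challenge["id"], self.password, challenge["challenge"])
        return {"type": "EAP-Response", "method": "EAP-MD5", "value": value}


class AuthenticationServer:
    """RADIUS role: holds the credential store and decides accept or reject."""

    def __init__(self, users, methods=SERVER_METHODS):
        self.users, self.methods = users, list(methods)
        self.sessions = {}  # identity -> outstanding challenge

    def access_challenge(self, identity, method=None):
        # Step 3: fresh random challenge plus the method the server prefers.
        method = method or self.methods[0]
        challenge = secrets.token_bytes(16)
        self.sessions[identity] = {"id": 1, "challenge": challenge}
        return {"type": "Access-Challenge", "id": 1, "challenge": challenge, "method": method}

    def negotiate(self, identity, suggested):
        # Accept the first supplicant-suggested method the server also supports.
        for method in suggested:
            if method in self.methods:
                return self.access_challenge(identity, method)
        return {"type": "Access-Reject", "reason": "no common method"}

    def verify(self, identity, response):
        # Step 5: recompute the expected response from the stored secret.
        session, password = self.sessions.get(identity), self.users.get(identity)
        if session is None or password is None or response["method"] != "EAP-MD5":
            return {"type": "Access-Reject"}
        expected = md5_response(session["id"], password, session["challenge"])
        if hmac.compare_digest(expected, response["value"]):
            return {"type": "Access-Accept"}
        return {"type": "Access-Reject"}


class Authenticator:
    """Switch role: relays EAP between supplicant and server and controls the port."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False  # port stays blocked until Access-Accept
        self.log = []

    def authenticate(self, supplicant):
        self.port_authorized = False
        # Step 1: the supplicant starts the exchange with EAPOL-Start.
        self.log.append("Supplicant -> Authenticator: EAPOL-Start")
        self.log.append("Authenticator -> Supplicant: EAP-Request/Identity")
        # Step 2: identity is forwarded to the authentication server.
        identity = supplicant.identity
        self.log.append(f"Supplicant -> Authenticator: EAP-Response/Identity ({identity})")
        msg = self.server.access_challenge(identity)
        self.log.append(f"Server -> Supplicant: Access-Challenge, method {msg['method']}")
        reply = supplicant.respond(msg)
        if reply["type"] == "EAP-NAK":
            self.log.append(f"Supplicant -> Server: EAP-NAK, suggests {list(reply['suggested'])}")
            msg = self.server.negotiate(identity, reply["suggested"])
            if msg["type"] == "Access-Reject":
                self.log.append(f"Server -> Authenticator: Access-Reject ({msg['reason']}); port stays blocked")
                return False
            self.log.append(f"Server -> Supplicant: Access-Challenge, method {msg['method']}")
            reply = supplicant.respond(msg)
        self.log.append(f"Supplicant -> Server: EAP-Response ({reply['method']})")
        result = self.server.verify(identity, reply)
        self.port_authorized = result["type"] == "Access-Accept"
        self.log.append(f"Server -> Authenticator: {result['type']}; port "
                        f"{'opened' if self.port_authorized else 'stays blocked'}")
        return self.port_authorized


def run(identity, password, server_methods=SERVER_METHODS):
    """Run one authentication; returns (port_authorized, message transcript)."""
    authenticator = Authenticator(AuthenticationServer(USER_DB, server_methods))
    ok = authenticator.authenticate(Supplicant(identity, password))
    return ok, authenticator.log


if __name__ == "__main__":
    for line in run("alice", "correct horse battery staple")[1]:
        print(line)
```

Running the block prints the transcript for a successful login, including the EAP-NAK that steers the server from its preferred EAP-TLS to the supplicant's EAP-MD5. A wrong password, an unknown identity, or a server with no method in common all end in Access-Reject and the port never leaves the blocked state, which is the property the fifth step describes.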
NOTE: One example of a real-world application of 802.1X is a hotel in which authenticated users pay for "premium" Internet access. The standard free access may only grant a user access to certain protocols and services, like HTTP/S, but the premium version may grant access to all protocols and services.