What is IEEE 802.1X network authentication?
IEEE 802.1X is a standard for port-based network access control: it authenticates devices before admitting them to a LAN or WLAN and rejects those that fail. The method is supported by all common operating systems.
What is 802.1X?
Simply put, IEEE 802.1X is a standard that authenticates each device attempting to join a LAN or WLAN and then either grants or denies it access. It is a standalone standard that operates at the data link layer, the second layer of the OSI model. Its main task is to identify unauthorized devices before they can exchange any traffic on an IEEE 802 network, protecting the environment from unwanted access. Unknown participants are admitted to the network only after their credentials have been verified.
IEEE 802.1X was introduced by the Institute of Electrical and Electronics Engineers (IEEE) in 2001 and was originally intended only for wired LANs. Today the standard is also used for WLAN environments, where it forms the basis of WPA-Enterprise. Authentication and authorization are enforced at the individual network port (or, for WLAN, per wireless association), and several protocols are combined for this purpose. The full title of the standard is “IEEE Standard for Local and Metropolitan Area Networks - Port-Based Network Access Control”, which is why it is also referred to as PNAC. In addition to the pure access decision, the authentication server can hand the authenticator further policy for the session, such as a VLAN assignment or bandwidth limits, by way of RADIUS attributes.
What’s IEEE 802.1X being used for?
The IEEE 802.1X authentication process involves three roles: a supplicant, an authenticator, and an authentication server (AS).
The supplicant is any device that must first be authenticated according to the network rules and IEEE 802.1X before it is allowed onto the network: computers, printers, scanners or other devices. The term also refers to the client software on the device that speaks the protocol.
The authenticator is the device whose port the supplicant is physically or wirelessly connected to: a WLAN access point, a router, or an IEEE 802.1X-capable switch. It does not verify the credentials itself; it relays the authentication exchange between the supplicant and the authentication server and enforces the result. Until the server reports success, the port passes nothing but authentication traffic. If the credentials are in order, the authenticator opens the port; if they don’t comply with the network rules, access stays blocked.
The authentication server is usually a RADIUS server, which may look up accounts in a directory such as LDAP or Active Directory; some WLAN access points ship with a small built-in RADIUS server. It is installed in a protected network and provides the authenticator with an authentication service: it matches the supplicant’s credentials against the stored accounts and previously defined authorizations.
How does IEEE 802.1X work?
To get a better idea of the basic operation of IEEE 802.1X, let’s compare the procedure to ordinary access control. Assume a guest wants to get into a party. The guest hands their invitation to the bouncer, who scans it, receives confirmation from the guest list that this person has been invited, and lets them onto the premises. If, on the other hand, the invitation is invalid or missing, the guest is denied entry.
In IEEE 802.1X, the supplicant is the guest. It sends its credentials to the authenticator using the Extensible Authentication Protocol (EAP), which on the LAN segment is carried in EAPOL frames (EAP over LAN). The authenticator is the bouncer: it does not read the credentials itself but repackages the EAP messages, typically into RADIUS, and forwards them to the authentication server, which compares them with the previously defined authorizations. The credentials can be stored in a simple text file or a database. The server checks the credentials and returns the result to the authenticator. If the data is correct, the authenticator opens the port, grants the supplicant admission and may apply further policy such as a VLAN assignment or bandwidth allocation. If the credentials are incorrect, the supplicant is rejected and the port remains closed to everything except further authentication attempts. Which credentials are exchanged depends on the EAP method in use: a password-based method such as PEAP, or client certificates with EAP-TLS.
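The exchange described above, as an added Python example that is not part of the original article and is not taken from any vendor's implementation. It models the three roles as plain classes: the supplicant answers EAP requests, the authenticator relays EAP between the EAPOL side and a RADIUS-style server and opens its controlled port only on Access-Accept, and the server verifies an EAP-MD5-Challenge response against a constructed credential store. The message dictionaries, the user "printer-17" and its password and VLAN are assumptions made for the illustration; EAP-MD5 is used because it fits in a few lines, not because it is recommended (it derives no key material and is unsuitable for WLAN; EAP-TLS or PEAP are what real deployments use).

```python
import hashlib
import hmac
import os

EAPOL_ETHERTYPE = 0x888E  # EAP over LAN: the only traffic an unauthorized port lets through


class AuthServer:
    """RADIUS-style authentication server running EAP-MD5-Challenge (RFC 3748, section 5.4).
    The credential store is a dict here; a real server uses a file, database or directory."""

    def __init__(self, users):
        self.users = users      # identity -> {"password": ..., "vlan": ...}  (constructed)
        self.pending = {}       # identity -> (eap_id, challenge) awaiting a response

    def access_request(self, user_name, eap):
        """Handle an Access-Request whose EAP-Message carries the supplicant's response."""
        if eap["type"] == "Identity":
            eap_id, challenge = 1, os.urandom(16)
            self.pending[user_name] = (eap_id, challenge)
            return {"code": "Access-Challenge",
                    "eap": {"code": "Request", "id": eap_id,
                            "type": "MD5-Challenge", "value": challenge}}
        if eap["type"] == "MD5-Challenge":
            entry = self.users.get(user_name)
            eap_id, challenge = self.pending.pop(user_name, (None, None))
            if entry and challenge is not None and eap["id"] == eap_id:
                # RFC 3748: Response-Value = MD5(Identifier || secret || challenge)
                expected = hashlib.md5(bytes([eap_id]) + entry["password"].encode()
                                       + challenge).digest()
                if hmac.compare_digest(expected, eap["value"]):
                    return {"code": "Access-Accept", "eap": {"code": "Success"},
                            "vlan": entry["vlan"]}
        return {"code": "Access-Reject", "eap": {"code": "Failure"}}


class Supplicant:
    """Client side: answers the EAP requests relayed by the authenticator."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, request):
        if request["type"] == "Identity":
            return {"code": "Response", "id": request["id"], "type": "Identity",
                    "value": self.identity}
        if request["type"] == "MD5-Challenge":
            digest = hashlib.md5(bytes([request["id"]]) + self.password.encode()
                                 + request["value"]).digest()
            return {"code": "Response", "id": request["id"], "type": "MD5-Challenge",
                    "value": digest}
        raise ValueError("unsupported EAP method")


class Authenticator:
    """Switch port or access point: relays EAP and enforces the server's decision."""

    def __init__(self, server):
        self.server = server
        self.authorized = False   # state of the controlled port
        self.vlan = None

    def receive_frame(self, frame):
        """Data-plane decision: non-EAPOL frames are dropped until the port is authorized."""
        if frame["ethertype"] == EAPOL_ETHERTYPE:
            return "eapol"
        return "forwarded" if self.authorized else "dropped"

    def authenticate(self, supplicant):
        """Run one EAP conversation; the authenticator never sees the password itself."""
        response = supplicant.respond({"code": "Request", "id": 0, "type": "Identity"})
        identity = response["value"]
        radius = self.server.access_request(identity, response)
        while radius["code"] == "Access-Challenge":
            response = supplicant.respond(radius["eap"])
            radius = self.server.access_request(identity, response)
        self.authorized = radius["code"] == "Access-Accept"
        self.vlan = radius.get("vlan")
        return self.authorized


def demo():
    """Constructed scenario: one known printer, first a correct then a wrong password."""
    server = AuthServer({"printer-17": {"password": "correct horse", "vlan": 20}})
    port = Authenticator(server)
    data = {"ethertype": 0x0800, "payload": b"GET / HTTP/1.1"}   # an ordinary IPv4 frame
    before = port.receive_frame(data)                             # "dropped"
    ok = port.authenticate(Supplicant("printer-17", "correct horse"))
    after = port.receive_frame(data)                              # "forwarded"
    bad = Authenticator(server).authenticate(Supplicant("printer-17", "wrong"))
    return before, ok, port.vlan, after, bad


if __name__ == "__main__":
    print(demo())   # ('dropped', True, 20, 'forwarded', False)
```

Run it and the data frame sent before authentication is dropped, the same frame after EAP-Success is forwarded with VLAN 20 applied, and a supplicant with a wrong password ends in Access-Reject. The authenticator code never touches the password: it only shuttles opaque EAP messages, which is exactly why the server can live in a protected network while the switch sits at the edge.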
What are the advantages of IEEE 802.1X?
The use of IEEE 802.1X offers numerous advantages. The main one is that the method is an open standard, so it is widely implemented: IEEE 802.1X is supported by all common operating systems. Once a RADIUS server is in place it is straightforward to roll out and provides good protection against unwanted access. IEEE 802.1X is also very versatile. The standard doesn’t just work for wired LANs, but also for WLAN and in combination with VLANs, so that the authentication server can place each supplicant into the VLAN intended for it. Individual login requirements can be defined for each supplicant, and further functions such as central administration or the provision and allocation of usage bandwidth are available as well. One caveat: on a wired LAN, 802.1X only controls who gets onto the port; it does not by itself encrypt the traffic that follows, and the strength of the whole scheme depends on the EAP method chosen and on supplicants validating the server’s certificate.
MAC address as an alternative to IEEE 802.1X
While IEEE 802.1X is supported by almost all operating systems like Windows, macOS and Linux as well as many network types, some devices don’t implement the standard, such as certain printers or webcams, for example. In that case, the switch can fall back to MAC Authentication Bypass (MAB): it takes the MAC address of the host as both username and password and submits that to the authentication server, which compares it with a list of known devices. However, a MAC address is not a secret and can be cloned in seconds, so this method is far weaker than IEEE 802.1X and can be misused for unauthorized access. It should be confined to devices that genuinely cannot do 802.1X, and those devices should be placed in a restricted VLAN.
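What the MAB fallback actually sends, and why a cloned MAC address defeats it, as an added Python example (not from the article and not any vendor's code). The device list, the MAC addresses and the attribute names are constructed for the illustration; the canonicalisation step is there because switches and RADIUS servers write MAC addresses in different notations, and a MAB allowlist that is not normalised silently rejects legitimate devices.

```python
import re


def canonical_mac(raw):
    """Normalise '00:11:22:33:44:55', '0011.2233.4455' or '00-11-22-33-44-55' to '001122334455'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits.lower()


def mab_access_request(source_mac):
    """What the authenticator builds from the first frame it sees: the MAC is both
    User-Name and User-Password, so nothing in the request proves anything."""
    mac = canonical_mac(source_mac)
    return {"User-Name": mac, "User-Password": mac, "Calling-Station-Id": mac}


def mab_server(request, allowlist):
    """Server side: accept if the 'credential' matches a known device, else reject."""
    if request["User-Name"] != request["User-Password"]:
        return "Access-Reject"
    device = allowlist.get(request["User-Name"])
    return ("Access-Accept", device["vlan"]) if device else "Access-Reject"


def demo():
    """Constructed scenario: one registered printer, an unknown laptop, and the same
    laptop after cloning the printer's MAC address."""
    allowlist = {canonical_mac("00:11:22:33:44:55"): {"description": "lobby printer", "vlan": 30}}
    printer = mab_server(mab_access_request("0011.2233.4455"), allowlist)   # switch-style notation
    laptop = mab_server(mab_access_request("aa-bb-cc-dd-ee-ff"), allowlist)  # unregistered device
    spoof = mab_server(mab_access_request("00-11-22-33-44-55"), allowlist)  # laptop with cloned MAC
    return printer, laptop, spoof


if __name__ == "__main__":
    print(demo())   # (('Access-Accept', 30), 'Access-Reject', ('Access-Accept', 30))
```

The third result is the point: the server has no way to tell the cloned laptop from the printer, because the only "credential" is an address the attacker can read off the printer's label or sniff from the wire. Putting MAB devices in their own VLAN limits what such a clone can reach.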