IEEE 802.1X is a method for providing port-based network access control on layer 2 switched networks. It allows a client to be authenticated when it first connects to a LAN, before it obtains an IP address and any further configuration over the network. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, known as “EAPOL” (EAP encapsulation over LAN). When a Cisco switch is configured with 802.1X authentication, its 802.1X-enabled ports are held closed to normal traffic and only allow CDP, STP and EAPOL frames until authentication succeeds. EAPOL is required for 802.1X authentication, so the client device must also support 802.1X natively or have 802.1X client software installed.
IEEE 802.1X uses three major components to complete an authentication transaction. The three parties are described below –
- Supplicant – The client device that wishes to attach to the LAN. The term ‘supplicant’ is actually used to refer to the software running on the client that provides credentials to the authenticator.
- Authentication Server – The server running software that supports the RADIUS and EAP protocols is called the Authentication Server.
- Authenticator – The device between the two elements above, such as a switch or wireless access point, is called the Authenticator. The authenticator acts like a security guard for the protected network: it relays EAP between the Supplicant and the Authentication Server and opens the port only when the server approves.
Step-by-step process of 802.1X authentication –
- The Authenticator sends an “EAP-Request/Identity” packet to the Supplicant as soon as it detects that the link is active (e.g., the supplicant system has associated with the switch). If the Supplicant does not receive an EAP-Request/Identity message from the Authenticator, the Supplicant initiates authentication by sending an EAPOL-Start, which prompts the Authenticator to request the Supplicant’s identity.
- The Supplicant sends an “EAP-Response/Identity” packet with its identity to the Authenticator. The Authenticator then sends a “RADIUS Access-Request” to the Authentication (RADIUS) Server, carrying the EAP packet in an EAP-Message attribute.
- On receiving the Access-Request message, the RADIUS server (Authentication Server) responds with a “RADIUS Access-Challenge” message containing an EAP-Message attribute. If the RADIUS server does not support EAP, it sends an Access-Reject message instead.
- The Supplicant responds to the challenge via the Authenticator, which passes the response on to the Authentication Server.
- If the Supplicant provides correct credentials, the Authentication Server responds with a success message (RADIUS Access-Accept carrying EAP-Success), which is then passed on to the Supplicant. The Authenticator now allows access to the LAN in line with the attributes that came back from the Authentication Server. When the Supplicant is finished, it can send an explicit EAPOL-Logoff notification to the Authenticator, which returns the port to the unauthorized state. 802.1X also defines a re-authentication timer, which can be used to require the Supplicant to re-authenticate periodically.
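The five steps above, worked through as an added example that is not part of the original article: it builds and parses EAPOL and EAP packets with the framing from IEEE 802.1X and RFC 3748, runs a Supplicant, an Authenticator and an Authentication Server as in-process objects, and uses EAP-MD5 (RFC 3748 section 5.4) for the challenge step so that the Access-Challenge round trip actually happens. The RADIUS leg is modelled as a function call that returns the RADIUS code and the EAP-Message payload rather than real UDP packets, and the user table, identities and passwords are constructed values. The parsers reject truncated packets, which is the check a switch or server must make before trusting the length fields.

```python
"""Simulated 802.1X exchange: Supplicant <-EAPOL-> Authenticator <-RADIUS-> Server.

Constructed example. EAPOL/EAP framing follows IEEE 802.1X and RFC 3748;
the RADIUS leg is an in-process call, not real UDP, and EAP-MD5 is used only
to show the challenge/response step of the flow described in the text.
"""
import hashlib
import os
import struct

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2          # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4                            # EAP method types


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) identifier(1) length(2) [type(1) type-data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse an EAP packet, refusing length fields that exceed the bytes present."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("request/response without type byte")
        eap["type"], eap["data"] = pkt[4], pkt[5:length]
    return eap


def build_eapol(eapol_type, payload=b""):
    """EAPOL frame body: version(1) type(1) body-length(2) [payload]; version 2."""
    return struct.pack("!BBH", 2, eapol_type, len(payload)) + payload


def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than header")
    version, etype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body truncated")
    return {"version": version, "type": etype, "body": frame[4:4 + length]}


def md5_response(ident, secret, challenge):
    """EAP-MD5 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class AuthServer:
    """Stand-in for the RADIUS/EAP Authentication Server (constructed user table)."""
    def __init__(self, users):
        self.users = users      # identity -> password bytes
        self.pending = {}       # identity -> outstanding MD5 challenge

    def access_request(self, username, eap_message):
        """Return (RADIUS code, EAP-Message) for one Access-Request."""
        eap = parse_eap(eap_message)
        if eap.get("type") == EAP_TYPE_IDENTITY:
            # Step 3: answer the identity with an Access-Challenge carrying EAP-Request/MD5
            challenge = os.urandom(16)
            self.pending[eap["data"].decode()] = challenge
            req = build_eap(EAP_REQUEST, (eap["id"] + 1) % 256, EAP_TYPE_MD5,
                            bytes([len(challenge)]) + challenge)
            return "Access-Challenge", req
        if eap.get("type") == EAP_TYPE_MD5 and username in self.pending:
            # Step 5: verify the challenge response; every challenge is single-use
            size = eap["data"][0]
            got = eap["data"][1:1 + size]
            challenge = self.pending.pop(username)
            if username in self.users and got == md5_response(eap["id"], self.users[username], challenge):
                return "Access-Accept", build_eap(EAP_SUCCESS, eap["id"])
        return "Access-Reject", build_eap(EAP_FAILURE, eap["id"])


class Authenticator:
    """The switch port: relays EAP and unblocks only on Access-Accept."""
    def __init__(self, server):
        self.server, self.authorized, self.username = server, False, None

    def on_eapol(self, frame):
        """Handle one EAPOL frame from the Supplicant; return the frame to send back."""
        f = parse_eapol(frame)
        if f["type"] == EAPOL_START:   # Step 1: EAPOL-Start prompts an identity request
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        if f["type"] == EAPOL_LOGOFF:  # explicit logoff closes the port again
            self.authorized = False
            return None
        eap = parse_eap(f["body"])
        if eap.get("type") == EAP_TYPE_IDENTITY:
            self.username = eap["data"].decode()   # becomes RADIUS User-Name
        code, reply = self.server.access_request(self.username, f["body"])  # Steps 2 and 4
        self.authorized = code == "Access-Accept"
        return build_eapol(EAPOL_EAP_PACKET, reply)


def run_supplicant(auth, identity, password):
    """Drive a full exchange against the Authenticator; True if the port ends up authorized."""
    frame = auth.on_eapol(build_eapol(EAPOL_START))
    while frame is not None:
        eap = parse_eap(parse_eapol(frame)["body"])
        if eap["code"] in (EAP_SUCCESS, EAP_FAILURE):
            break
        if eap["type"] == EAP_TYPE_IDENTITY:
            resp = build_eap(EAP_RESPONSE, eap["id"], EAP_TYPE_IDENTITY, identity.encode())
        elif eap["type"] == EAP_TYPE_MD5:
            size = eap["data"][0]
            digest = md5_response(eap["id"], password, eap["data"][1:1 + size])
            resp = build_eap(EAP_RESPONSE, eap["id"], EAP_TYPE_MD5, bytes([16]) + digest + identity.encode())
        else:
            break   # unsupported method: a real supplicant would send a Nak
        frame = auth.on_eapol(build_eapol(EAPOL_EAP_PACKET, resp))
    return auth.authorized


if __name__ == "__main__":
    port = Authenticator(AuthServer({"alice": b"correct horse"}))
    print("port authorized:", run_supplicant(port, "alice", b"correct horse"))
    port.on_eapol(build_eapol(EAPOL_LOGOFF))
    print("after logoff:", port.authorized)
```

The point to notice in the simulation is that the Authenticator never inspects credentials itself: its only decision is to mirror the RADIUS code into the port state, and a logoff or a failed re-authentication puts the port back into the blocked state in which only EAPOL is accepted.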