802.1x Overview

The 802.1x standard is a security solution ratified by the IEEE which can authenticate (identify) a user who wants to access a network (whether wired or wireless). This is done through the use of an authentication server.

A benefit of 802.1x is that the switches and the access points themselves do not need to know how to authenticate the client. All they do is pass the authentication information between the client and the authentication server. The authentication server handles the actual verification of the client’s credentials. This lets 802.1x support many authentication methods, from a simple username and password, to hardware tokens, challenge and response, and digital certificates. If a Wi-Fi user is authenticated via 802.1x for network access, a virtual port is opened on the access point, allowing communication. If the user is not successfully authorized, no virtual port is made available and communications are blocked.

There are three basic pieces to 802.1x authentication:
Supplicant - a software client running on the Wi-Fi workstation
Authenticator - the Wi-Fi access point
Authentication Server - an authentication database, usually a RADIUS server such as Cisco* ACS*, Funk Steel-Belted RADIUS*, or Microsoft* IAS*

Extensible Authentication Protocol (EAP) is used to pass the authentication information between the supplicant (the Wi-Fi workstation) and the authentication server (Microsoft IAS or other). The actual authentication is defined and handled by the EAP type in use. The access point, acting as authenticator, is only a proxy that allows the supplicant and the authentication server to communicate.

Steps to 802.1x authentication:

Wireless client sends authentication request to either wireless access point or 802.1x-enabled switch.

Wireless access point or 802.1x-enabled switch repackages authentication request to send on to RADIUS server. Be sure that the RADIUS server is compatible with EAP and 802.1x standards.

RADIUS server examines request. It may proxy the request to another server or consult an authentication database directly.

If access is authenticated, RADIUS server informs wireless access point or 802.1x-enabled switch.

Wireless access point or 802.1x-enabled switch informs client of access.
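The following is an added, constructed model of the exchange described above; it is not code from the original page or from any vendor product named on it. It shows the three roles in code: the supplicant frames EAP inside EAPOL, the authenticator (access point or switch) only relays EAP packets and opens or closes its virtual port based on the EAP-Success / EAP-Failure it gets back, and the authentication server is the only party that holds credentials. Assumptions: the RADIUS transport is replaced by an in-process function call, the credential database is a constructed dictionary, and the "challenge" method uses EAP type 255 (the experimental type) as a stand-in for a real EAP method such as PEAP or EAP-TLS. The EAP and EAPOL header layouts follow RFC 3748 and IEEE 802.1X.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TOY_CHALLENGE = 255      # experimental type; constructed stand-in for a real EAP method
# EAPOL packet types (IEEE 802.1X); version 2 = 802.1X-2004 framing
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAPOL_VERSION = 2


def eap_pack(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) | Identifier(1) | Length(2, includes header) | [Type(1) | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    """Return (code, identifier, type, type_data); type is None for Success/Failure."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        return code, ident, pkt[4], pkt[5:]
    return code, ident, None, b""


def eapol_pack(ptype, body=b""):
    """EAPOL frame: Version(1) | Packet Type(1) | Body Length(2) | Body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eapol_unpack(frame):
    _, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


class AuthenticationServer:
    """Stands in for the RADIUS server: the only party that knows any secret."""
    def __init__(self, users):
        self.users = users        # identity -> shared secret (constructed sample data)
        self.pending = None       # (identity, challenge) for the exchange in progress

    def handle(self, eap_pkt):
        code, ident, etype, data = eap_unpack(eap_pkt)
        if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY:
            identity = data.decode()          # note: the EAP identity travels in the clear
            if identity not in self.users:
                return eap_pack(EAP_FAILURE, ident)
            self.pending = (identity, os.urandom(16))
            return eap_pack(EAP_REQUEST, ident + 1, EAP_TYPE_TOY_CHALLENGE, self.pending[1])
        if code == EAP_RESPONSE and etype == EAP_TYPE_TOY_CHALLENGE and self.pending:
            identity, challenge = self.pending
            self.pending = None
            expected = hmac.new(self.users[identity], challenge, hashlib.sha256).digest()
            ok = hmac.compare_digest(expected, data)
            return eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return eap_pack(EAP_FAILURE, ident)


class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def handle(self, eap_pkt):
        code, ident, etype, data = eap_unpack(eap_pkt)
        if code == EAP_REQUEST and etype == EAP_TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
        if code == EAP_REQUEST and etype == EAP_TYPE_TOY_CHALLENGE:
            proof = hmac.new(self.secret, data, hashlib.sha256).digest()
            return eap_pack(EAP_RESPONSE, ident, EAP_TYPE_TOY_CHALLENGE, proof)
        return None                           # EAP-Success / EAP-Failure ends the conversation


class Authenticator:
    """The access point or switch: relays EAP, never inspects credentials, gates the port."""
    def __init__(self, server):
        self.server = server
        self.authorized = False               # virtual port starts closed

    def receive(self, frame):
        ptype, body = eapol_unpack(frame)
        if ptype == EAPOL_START:
            self.authorized = False
            reply = eap_pack(EAP_REQUEST, 0, EAP_TYPE_IDENTITY)
        elif ptype == EAPOL_EAP_PACKET:
            reply = self.server.handle(body)  # in reality: RADIUS Access-Request carrying EAP-Message
        else:
            return None
        self.authorized = reply[0] == EAP_SUCCESS   # only the EAP Code is examined here
        return eapol_pack(EAPOL_EAP_PACKET, reply)

    def deliver(self, payload):
        """Ordinary traffic passes only while the port is authorized; otherwise it is dropped."""
        return payload if self.authorized else None


def run_exchange(supplicant, authenticator):
    """Drive the EAPOL/EAP conversation to completion; returns whether the port opened."""
    frame = eapol_pack(EAPOL_START)
    while frame is not None:
        reply = authenticator.receive(frame)
        if reply is None:
            break
        nxt = supplicant.handle(eapol_unpack(reply)[1])
        frame = None if nxt is None else eapol_pack(EAPOL_EAP_PACKET, nxt)
    return authenticator.authorized
```

Running `run_exchange(Supplicant("alice", b"s3cret"), Authenticator(AuthenticationServer({"alice": b"s3cret"})))` returns True and the authenticator's `deliver` starts passing traffic; a wrong secret or an unknown identity ends in EAP-Failure and the port stays closed. The point to notice is that `Authenticator` contains no credential logic at all, which is exactly why the access point can stay ignorant of the EAP method in use.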
