Understanding 802.1x

I have heard about 802.1x and have read a number of online articles about it but still having a hard time understanding when to use it in regards to wireless and wired network clients.
LVL 21
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Daniel HelgenbergerCommented:
IEEE802.1X is just a plain way doing /passing authentication on switch port basis, beeing it wired or wireless (entering the correct passphrase on a wireless AP is like plugging in the LAN cable on a wired switch). There are several possible ways to authenticate; but in the end it works the same:

The advantage is the standardization; almost every network equipment supports this. This way one can basically not just use an open network port for network access but have to be authenticated.
This authentication is usually done by a RADIUS server. A RADIUS client (usually a switch or a wireless AP), also called caller station, is registered with the RADIUS server with its IP and a passphrase and will pass login information to the Server form the connecting device. The RADIUS server in turn returns an authorized or unauthorized message to the device (switch, access point) which will then let the connected device communicate further or not.
Because the authentication happens on a very low layer (transport layer in this case) it is very hard to bypass and reasonably secure.

You can use this if you have high network security demands on a wired network. For instance, you want only domain joined computers to access your wired network and not just anyone who finds an available network port (maybe in a public location).

But I think it is far more common on wireless networks because of the added security. This way a user must authenticate for instance using a certificate or a username / password from his domain account allowing more security in a large wireless network. There it is often not feasible to deploy WPA pre- shared keys to hundreds of devices. Also, auditing is far more easy and you can enable users on account-basis.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
compdigit44Author Commented:
Thanks so in order to use 802.1x you need a RADIUS server? I thought RADIUS servers were for only dial-in clients.
Daniel HelgenbergerCommented:
Basically yes. But 802.1x is just a way to 'transport' authentication data and receive authorization. How you authenticate - this is up to you. Though - I have yet to see a system not using RADIUS for this.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Although RADIUS was originally developed for dial-up it has been expanded to support almost any type of authentication.  I have setup Linux servers that use RADIUS for ssh/telnet authentication.
Jakob DigranesSenior ConsultantCommented:
in addition to @helge000s comments:

802.1X is based on original EAP from PPP (dial-up) but is based om EAPOL (EAP over LAN) that enables sending these authentication packages over ethernet.
As mentioned this is only a way to pass authentication - but what is good to know regarding both wired and wireless - could be how this is done, either you want to resatict access to swithcports, wireless access or controller user login to network devices.

For wireless and wired it is rather similar. Both the physical switchport, and the logical switchport (wireless) is in dynamic mode, i.e. not static access port locked to a VLAN.
So based on the authenticated users credentials, group membership, device and so forth - given the correct settings on Radius server and NAS - you can set users role and VLAN based on this. For instance you can have a switch port in a switch that gives USER1 - vlan10 and unrestricted access based on his IT-STAFF membership, but the user connecting the next time gets vlan8 and only internet access based on his missing group membership

The authentication process has 3 devices, the station - (Supplicant) - the switch or AP/Controller (Authenticator) - and Radius Server (Authentication Server) - where the authenticator simply pass authentication traffice back and forth

For most system you have an EAP-Type - which is how EAP-session is setup and secured, and you can also have an inner authentication method - so the client passing on credentials, can be done in a secure channel. For instance MsChapV2 - authentication using domain username and password, is broken - but if you use PEAP as outer method - the exchange of MsChapV2 is secured and cannot be broken.

Before the station is authenticated only authentication traffic can pass through the port.

And an extremely important point mentioned earlier: Auditing and user "visibility" - you who is logged on, and on what medium  ...
compdigit44Author Commented:
Wow, great responces!!!

So basically 802.1x is Network Policy standard which is used to determine what network resources a user has access to given there login attributes.

Are network team used vlans on our network does these mean 802.1x is in use? How can you tell if 802.1x is use?

If you used a packet monitor like wireshark could you see 802.1x request???
Jakob DigranesSenior ConsultantCommented:
It can be used to determine VLANs and roles, but most often it is "just" used to provide secure access to networks. You can tell if 802.1X is used by looking at switches or APs that provide access - or at client to see if wired or wireless connection is configured using 802.1X

yes and no. Wireshark monitoring a monitorport on switch or on wireless AP would pick up these packets ...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.