802.1x is a standardized framework defined by the IEEE, designed to provide
port-based network access. 802.1x authenticates network clients using
information unique to the client and with credentials known only to the client.
This service is called port-level authentication because, for security reasons,
it is offered to a single endpoint for a given physical port. The 802.1x
framework defines three roles in the authentication process
:
- The endpoint that is seeking network access is known as the supplicant. The
supplicant may be an end user device or a standalone device, such as an IP
phone.
- The device to which the supplicant directly connects and through which the
supplicant obtains network access permission is known as the authenticator.
- The authenticator acts as a gateway to the authentication server, which is
responsible for actually authenticating the supplicant.
The authentication process, which consists of exchanges of Extensible
Authentication Protocol (EAP) messages, occurs between the supplicant and the
authentication server
. The
authenticator acts as a transparent relay for this exchange and as a point of
enforcement for any policy configuration instructions the authentication server
may send back as a result of the authentication process.
The IEEE 802.1x
specification defines a new link layer protocol, 802.1x, which is used for
communications between the supplicant and the authenticator. Communications
between the supplicant and authentication server also leverage the RADIUS
protocol carried over standard UDP.
Some 802.1x benefits are shown in
Figure
.
IEEE
802.1x is a well-defined standard with industry-wide acceptance. Supplicant,
authenticator, and authentication server implementations are available from
many vendors, including Cisco.