802.1x can be deployed to authenticate users, such as desktop users in a
corporation or teleworkers accessing the network from a home office. In the
home office scenario, access control is required in order to prevent other
residents of the home from gaining access to controlled corporate resources.
The authenticator and the supplicant are the two components used to implement
802.1x functionality. The authenticator is a network component that checks
credentials and applies the access policy; it is usually implemented on a
router, switch, or wireless access point. The supplicant is a software
component on the user's workstation that answers the challenge from the
authenticator.
Supplicant functionality may also be implemented on network devices in order to
authenticate to upstream devices. Mutual authentication functionality may also
be employed when network devices must restrict access policy to each other.
Cisco IOS Software does not currently support mutual authentication.
In the simplest scenario, no traffic is allowed to flow from a client device
to the network until the client authenticates. EAPOL frames (the 802.1x
encapsulation of EAP) are the only traffic permitted between the client, or
supplicant, and the access-control device, or authenticator. A user trying to
access network resources must provide access credentials using software on
the client workstation. Microsoft Windows XP includes 802.1x supplicant
support, while an add-on component for Microsoft Windows 2000 is available as
a Microsoft Hotfix.
When the user provides credentials, the information is carried to the
authenticator by some variant of EAP. How well those credentials are
protected on the wire depends on the EAP method chosen: certificate-based or
tunnelled methods such as EAP-TLS, PEAP, and EAP-TTLS wrap the exchange in
TLS, whereas a method such as EAP-MD5 sends a challenge/response pair in the
clear that can be attacked offline. The authenticator does not interpret the
credentials itself; it relays the EAP exchange to the AAA server (typically
encapsulated in RADIUS), which verifies the user's credentials against its
database. If the AAA server is configured to return a network access policy,
it returns the policy associated with the user or the user's group. The
authenticator applies that policy to the user's connection, allowing traffic
to flow according to it. The policy may include traffic-engineering values,
the VLAN for the user's connection, and IP address information.
The authenticator can be configured with a default access policy that offers
restricted connectivity to client devices that have no supplicant support.
This allows unauthenticated users limited network access, but they will be
required to provide credentials in some other fashion if access to restricted
resources is needed. A default policy may be required for IP phones, for
instance, as IP phones do not yet include supplicant capability. Such a
default policy should be reserved for devices that never speak 802.1x at all;
a client whose authentication fails should not fall into it, or the
restricted segment becomes an easy way around the access control.
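The exchange described above, and the default policy for devices without a
supplicant, as an added simulation that is not part of the original document
and not Cisco's or any vendor's code. It builds and parses real EAPOL and EAP
frame layouts, runs an EAP-MD5 challenge/response through an in-process
stand-in for the AAA server (the document names no EAP method and no RADIUS
transport; both are assumptions here, and the MAC addresses, user database,
VLAN numbers and data frame are constructed), and models a switch port that
drops all non-EAPOL traffic until the AAA server authorizes it. The guest
VLAN fallback is modelled on how 802.1x switches behave: it applies only to a
port on which no EAPOL frame was ever seen.

```python
import hashlib
import hmac
import os
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC, destination of every EAPOL frame
EAPOL_EAP_PACKET, EAPOL_START = 0, 1             # EAPOL packet types used here
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
SWITCH_MAC, CLIENT_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
DATA_FRAME = bytes(12) + b"\x08\x00" + bytes(20)   # constructed non-EAPOL (IPv4) frame

def eapol_frame(src_mac, ptype, body=b""):   # dst | src | 0x888E | version 1 | packet type | length | body
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body

def parse_eapol(frame):   # (packet type, body) for an EAPOL frame; None for any other EtherType
    ethertype, _ver, ptype, length = struct.unpack("!HBBH", frame[12:18])
    return None if ethertype != EAPOL_ETHERTYPE else (ptype, frame[18:18 + length])

def eap_packet(code, ident, etype=None, data=b""):
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

def md5_response(ident, password, challenge):
    """EAP-MD5-Challenge value (RFC 3748 section 5.4): MD5(identifier || secret || challenge)"""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

IDENTITY_REQUEST = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)

class AAAServer:
    """Stand-in for the RADIUS server: user database plus per-user VLAN policy (constructed data)."""
    USERS = {b"alice": (b"s3cret", 10), b"bob": (b"hunter2", 20)}

    def __init__(self):
        self.pending = {}   # identity -> outstanding challenge

    def handle(self, identity, pkt):
        """Return (EAP packet for the supplicant, VLAN or None): Access-Challenge / Accept / Reject."""
        _code, ident, etype, data = parse_eap(pkt)
        if etype == EAP_TYPE_IDENTITY:
            self.pending[identity] = challenge = os.urandom(16)
            return eap_packet(EAP_REQUEST, (ident + 1) & 0xFF, EAP_TYPE_MD5, bytes([16]) + challenge), None
        if etype == EAP_TYPE_MD5 and identity in self.pending and data:
            challenge = self.pending.pop(identity)
            password, vlan = self.USERS.get(identity, (None, None))
            if password and hmac.compare_digest(data[1:1 + data[0]], md5_response(ident, password, challenge)):
                return eap_packet(EAP_SUCCESS, ident), vlan   # Access-Accept carrying the VLAN policy
        return eap_packet(EAP_FAILURE, ident), None

class AuthenticatorPort:
    """Switch port in 'auto' mode: only EAPOL crosses it until the AAA server authorizes it."""
    def __init__(self, aaa, guest_vlan=None):
        self.aaa, self.guest_vlan = aaa, guest_vlan
        self.authorized, self.vlan, self.identity = False, None, None
        self.eapol_seen, self.outbox = False, []

    def receive(self, frame):   # True if the frame is forwarded onto the network
        parsed = parse_eapol(frame)
        if parsed is None:
            return self.authorized   # data traffic is dropped while the port is unauthorized
        self.eapol_seen = True
        ptype, body = parsed
        if ptype == EAPOL_START:
            self.outbox.append(eapol_frame(SWITCH_MAC, EAPOL_EAP_PACKET, IDENTITY_REQUEST))
        elif ptype == EAPOL_EAP_PACKET:
            code, _ident, etype, data = parse_eap(body)
            if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY:
                self.identity = data   # becomes RADIUS User-Name; the port never handles the password
            reply, vlan = self.aaa.handle(self.identity, body)   # relayed, in reality inside RADIUS
            self.outbox.append(eapol_frame(SWITCH_MAC, EAPOL_EAP_PACKET, reply))
            if parse_eap(reply)[0] == EAP_SUCCESS:
                self.authorized, self.vlan = True, vlan
        return False   # EAPOL frames terminate at the port

    def identity_timeout(self):   # max-reauth-req Request/Identity retries all went unanswered
        if not self.eapol_seen and self.guest_vlan is not None:
            self.authorized, self.vlan = True, self.guest_vlan   # default policy for supplicant-less devices

def supplicant_reply(identity, password, frame):
    """Client side: answer Request/Identity and MD5-Challenge; None once Success/Failure arrives."""
    code, ident, etype, data = parse_eap(parse_eapol(frame)[1])
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return None
    if etype == EAP_TYPE_IDENTITY:
        resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)
    else:   # MD5-Challenge: the secret itself never leaves the client
        value = md5_response(ident, password, data[1:1 + data[0]])
        resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + value)
    return eapol_frame(CLIENT_MAC, EAPOL_EAP_PACKET, resp)

def session(identity=None, password=None, guest_vlan=None):
    """One port session (identity=None: no supplicant); returns (authorized, VLAN, data frame forwarded)."""
    port = AuthenticatorPort(AAAServer(), guest_vlan=guest_vlan)
    if identity is None:
        port.identity_timeout()
    else:
        port.receive(eapol_frame(CLIENT_MAC, EAPOL_START))
        while port.outbox and (reply := supplicant_reply(identity, password, port.outbox.pop(0))):
            port.receive(reply)
    return port.authorized, port.vlan, port.receive(DATA_FRAME)
```

session(b"alice", b"s3cret") returns (True, 10, True): the port is authorized,
the VLAN from the AAA policy is applied, and the constructed data frame is now
forwarded. A wrong password or unknown user returns (False, None, False), and
session(guest_vlan=99) with no supplicant at all returns (True, 99, True). A
port that saw an EAPOL-Start and then failed is left unauthorized rather than
dropped into the guest VLAN. Note what a sniffer on the segment sees with
EAP-MD5: the identity, the challenge and the 16-byte response, which is
enough for an offline dictionary attack on the password; that is why a
tunnelled or certificate-based method is preferred for user credentials.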