802.1x requires support on the client, access point, and authentication
server, as illustrated by Figure
. 802.1x uses a
RADIUS proxy to authenticate clients on the network. This proxy device could be
a device such as a switch or an access point. This device operates at the
access layer.
The EAP client or supplicant sends authentication
credentials to the authenticator which in turn sends the information to the
authentication server. The authentication server is where the logon request is
compared against a user database to determine if, and at what level, the user
may be granted access to the network resources. The access point is called the
authenticator. The authentication server is usually a RADIUS or an
authentication, authorization, and accounting (AAA) server. The authentication
server needs to run extra software to understand the authentication type that
is used by the client.
Any client that does not have built in 802.1x
must use software called a supplicant. Figure
shows
the Microsoft Windows 2000 client. Microsoft XP has built in EAP which provides
802.1x support. Figure
shows the Cisco
LEAP client. The client must have some proof of identity. Forms of identity
include a username and password, digital certificate, or one-time password
(OTP).