Introduction to 802.1X

802.1X is a standard defined by IEEE for Port-based Network Access Control. It uses layer 2-based authentication method to verify the legality of the users accessing the network trough LAN. Before authentication, the security device only allows 802.1X message to pass through the port. And after authentication, all the normal traffic can pass through.

802.1X Architecture

802.1X authentication architecture includes three components: client, authenticator and authentication server. The following shows 802.1 X authentication architecture diagram:

• Client: After you start the client program and enter your username and password, the client program will send requests for 802.1X authentication to the authenticator. Clients need to support EAP protocol, and should be running 802.1X client software.
• Authentication Server: The server stores users’ information, verifies whether users have the right to use network resources, and returns the authentication results to the authenticator. The system supports local authentication server and RADIUS server to implement authentication and authorization.
• Authenticator (Security Appliance): The authenticator provides a physical interface for clients to access the LAN. It transmits users’ information to the authentication server or returns it to the client, and turns on or shuts down the interface according to the server’s authentication results. Authenticator acts as an agent between the client and authentication server.

802.1X Authentication Process

Authentication methods of 802.1X include EAP-MD5, EAP-TLS and EAP-PEAP. Different methods have different authentication processes. Here, take the EAP-MD5 authentication method as an example to introduce the basic 802.1X authentication process:

1. When you need to visit network, you should start the 802.1X client program, and enter your username and password to initiate a connection request. The authentication process starts.
2. After the authenticator receives the connection request from the client, it will ask the client to send its username.
3. The client responds and sends its username to the authenticator.
4. Authenticator will encapsulate the data received from the client and then delivery it to the authentication server.
5. Authentication server will check the username it received，comparing with the user’s information in its own database, and try to find the password of the user. After that, the server will generate random encrypted characters to encrypt the password, and send it to the authenticator.
6. Authenticator sends the encrypted characters to the client, and the client will encrypt the password and transmit it back to the authentication server.
7. Authentication server will compare the encrypted password information with their own encrypted password information. If they are matched, the authenticator will consider the user as a legitimate user, and allow the user to access network through the interface. If not matched, authenticator will refuse the user to access network and keep the status of the interface as non-authenticated.