Introduction to 802.1X

802.1X is a standard defined by IEEE for Port-based Network Access Control. It uses layer 2-based authentication method to verify the legality of the users accessing the network trough LAN. Before authentication, the security device only allows 802.1X message to pass through the port. And after authentication, all the normal traffic can pass through.

802.1X Architecture

802.1X authentication architecture includes three components: client, authenticator and authentication server. The following shows 802.1 X authentication architecture diagram:

802.1X Authentication Process

Authentication methods of 802.1X include EAP-MD5, EAP-TLS and EAP-PEAP. Different methods have different authentication processes. Here, take the EAP-MD5 authentication method as an example to introduce the basic 802.1X authentication process:

  1. When you need to visit network, you should start the 802.1X client program, and enter your username and password to initiate a connection request. The authentication process starts.
  2. After the authenticator receives the connection request from the client, it will ask the client to send its username.
  3. The client responds and sends its username to the authenticator.
  4. Authenticator will encapsulate the data received from the client and then delivery it to the authentication server.
  5. Authentication server will check the username it received,comparing with the user’s information in its own database, and try to find the password of the user. After that, the server will generate random encrypted characters to encrypt the password, and send it to the authenticator.
  6. Authenticator sends the encrypted characters to the client, and the client will encrypt the password and transmit it back to the authentication server.
  7. Authentication server will compare the encrypted password information with their own encrypted password information. If they are matched, the authenticator will consider the user as a legitimate user, and allow the user to access network through the interface. If not matched, authenticator will refuse the user to access network and keep the status of the interface as non-authenticated.