Learning Objectives
- Understand the 802.1X authentication framework
- Identify the three roles: supplicant, authenticator, authentication server
- Visualize the EAP exchange flow
- Describe the RADIUS message flow in 802.1X
Port-Based Access Control
802.1X is a network access control (NAC) standard that prevents unauthorized devices from connecting to a LAN. Before a device can send any data through a switch port, it must authenticate. If authentication fails, the port remains in an unauthorized state — no traffic passes except EAP messages.
This is widely deployed in enterprise wireless networks (WPA2-Enterprise uses 802.1X as its authentication framework) and wired networks where strict access control is required.
The Three Roles
Every 802.1X deployment has three components. The supplicant is the client device requesting access, running 802.1X client software. The authenticator is the network device (switch or wireless access point) that enforces access control by blocking or opening the port. The authentication server (typically a RADIUS server) validates credentials and tells the authenticator whether to permit access.
The authenticator acts as a gatekeeper — it does not validate credentials itself but relays EAP messages between the supplicant and the authentication server.
EAP Exchange
EAP (Extensible Authentication Protocol) is the framework that carries authentication messages. EAP itself is a container — the actual authentication method (EAP-TLS, PEAP, EAP-FAST) runs inside it.
EAP Exchange over 802.1X
RADIUS Flow Topology
A RADIUS server typically serves many authenticators. The communication uses UDP (ports 1812 for authentication, 1813 for accounting) and is secured by a shared secret. RADIUS packets include attributes for authorization details like VLAN assignment, ACL names, or session timeout.
RADIUS Authentication Flow
The switch relays EAP messages to the RADIUS server, which validates credentials against an identity store.
Which device acts as the gatekeeper in an 802.1X deployment?
What protocol carries authentication messages between the authenticator and the authentication server?
Key Takeaways
- 802.1X prevents unauthorized devices from accessing the network at the port level
- The three roles are supplicant (client), authenticator (switch/AP), and authentication server (RADIUS)
- EAPOL carries EAP messages between the supplicant and authenticator
- RADIUS carries EAP messages between the authenticator and authentication server
- The authenticator does not validate credentials — it relays and enforces
- RADIUS can return authorization attributes like VLAN assignment