Port access 802.1X authentication

IEEE 802.1X is a standard for port-based authentication. This standard provides administrators with an authentication mechanism for devices trying to access a LAN or WLAN. 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as EAP over LAN (EAPOL).

802.1X port-based authentication provides port-level security. It allows LAN access only on ports where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials. 802.1X authentication is recommended for applications where only one client can connect to the port at a time. Using this option, the port processes all IP traffic as if it comes from the same client.

Figure 1  802.1X authentication

802.1X authentication involves the following entities:

  • Supplicant: A client device that tries to access the LAN.
  • Authenticator: A network device (typically a switch) that authenticates the supplicant.
  • Authentication Server: A host running software supporting the RADIUS and EAP protocols that provides an authentication service to the authenticator.

Until the supplicant is authenticated, the authenticator allows only EAPOL traffic through the port to which the supplicant is connected. Only after authentication succeeds does the authenticator allow normal traffic from the supplicant.
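As an added example (not part of the original documentation), a small Python model of the authenticator's controlled-port behaviour described above: before authorization only EAPOL frames (EtherType 0x888E) reach the port access entity, an EAP-Success relayed from the RADIUS server opens the port for normal traffic, and an EAPOL-Logoff closes it again. Frame layouts follow IEEE 802.1X and RFC 3748; the MAC addresses are constructed sample values.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                               # EAP over LAN (IEEE 802.1X)
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")          # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2  # EAPOL packet types
EAP_SUCCESS, EAP_FAILURE = 3, 4                        # EAP codes (RFC 3748)
SUPPLICANT_MAC = bytes.fromhex("001122334455")         # constructed sample address

def build_eapol(eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet frame carrying one EAPOL PDU (protocol version 2)."""
    eth = PAE_GROUP_MAC + SUPPLICANT_MAC + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", 2, eapol_type, len(body)) + body

def parse_eapol(frame: bytes):
    """Return (eapol_type, eap_code) if the frame is EAPOL, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    _ver, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    eap_code = body[0] if eapol_type == EAPOL_EAP_PACKET and len(body) >= 4 else None
    return eapol_type, eap_code

class AuthenticatorPort:
    """Controlled-port state of an 802.1X authenticator serving one supplicant."""
    def __init__(self):
        self.authorized = False

    def from_supplicant(self, frame: bytes) -> bool:
        """Return True if the frame is forwarded past the controlled port."""
        parsed = parse_eapol(frame)
        if parsed is None:
            return self.authorized   # non-EAPOL traffic passes only once authorized
        if parsed[0] == EAPOL_LOGOFF:
            self.authorized = False  # supplicant left: close the port again
        return True                  # EAPOL always reaches the PAE

    def from_server(self, eap_code: int) -> bool:
        """Apply the EAP result relayed from RADIUS; return the new port state."""
        self.authorized = eap_code == EAP_SUCCESS
        return self.authorized

def demo() -> list:
    """One session: IP blocked, EAPOL-Start, success, IP allowed, logoff, IP blocked."""
    port = AuthenticatorPort()
    ip_frame = bytes(6) + SUPPLICANT_MAC + b"\x08\x00" + bytes(20)  # constructed IPv4 frame
    return [port.from_supplicant(ip_frame),
            port.from_supplicant(build_eapol(EAPOL_START)),
            port.from_server(EAP_SUCCESS),
            port.from_supplicant(ip_frame),
            port.from_supplicant(build_eapol(EAPOL_LOGOFF)),
            port.from_supplicant(ip_frame)]
```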

802.1X requires a supplicant (client), authenticator (switch), and authentication server (RADIUS). Aruba ClearPass provides a RADIUS server, as well as other capabilities for monitoring and managing user access.

You can alternatively use a third-party RADIUS server such as Microsoft Network Policy Server (NPS) or an open source server such as FreeRADIUS.

In wired deployments, 802.1X is most commonly used in instances where the supplicant is an end-user machine (such as a PC, laptop, phone, and so on) and the authenticator is a switch. In certain deployments, the supplicant can itself be a switch (for example, an access switch). To ensure that the access switch connecting to an upstream switch has the right credentials, a switch should be able to operate as an 802.1X supplicant.