
Like all authentication, 802.1X authentication involves making sure that something connecting to a system is what it claims to be. IEEE 802.1X is a port-based network access control standard: when a device attaches to a wired Ethernet network or to a wireless network using 802.11 and its variants (802.11b, g, n and later), 802.1X defines how that device proves its identity before the port carries any of its ordinary traffic. It works for both wireless and wired devices.

The IEEE 802.1 Working Group maintains 802.1X, along with the other standards that make up the IEEE 802 architecture. This article walks through 802.1X authentication step by step and explains what it can be used for.

What Are the Main Parts of 802.1X Authentication?

Supplicant (Client-end User)

A device that wants to connect to an 802.1X-protected network needs supplicant software, which is built into most operating systems. The supplicant initiates the connection by engaging in an Extensible Authentication Protocol (EAP) exchange with the authenticator (the switch or access point), which relays the exchange to the authentication server. The supplicant collects the user's or machine's credentials, such as a password or a certificate, and presents them in the form the chosen EAP method expects.

An Authenticator (Access Point or a Switch)

An authenticator is the network device that provides the data link between the client and the network; a wireless access point and an Ethernet switch are the usual examples. It blocks or allows traffic between the client and the network depending on the outcome of authentication. It relays EAP messages between the supplicant and the authentication server but does not validate credentials itself.

An Authentication Server (Usually a RADIUS Server)

The authentication server receives the access requests relayed by the authenticator and decides on them. It tells the authenticator whether the connection is allowed, and it can also return settings for the session, such as the VLAN to place the client in or how long the session may last before re-authentication.

Authentication servers usually run software that supports Remote Authentication Dial-In User Service (RADIUS) and the EAP methods in use. Some authenticator hardware also includes a built-in authentication server.

How Does 802.1X Authentication Work?

Initiation

During initiation, the authenticator sends an EAP-Request/Identity frame asking the connecting device to identify itself; a supplicant can also prompt this by sending an EAPOL-Start frame when it detects the link. These frames are sent at Layer 2, the data link layer, to a well-known link-local multicast MAC address (01:80:C2:00:00:03) on the local network or virtual local-area network (VLAN), so the device needs no IP address for the exchange and bridges do not forward the frames beyond the link. EAP was originally defined for Point-to-Point Protocol (PPP) links; 802.1X carries it over Ethernet and Wi-Fi as EAP over LAN (EAPOL).

The authenticator takes the identity response, encapsulates it in a RADIUS Access-Request (in the EAP-Message attribute), and forwards it to the authentication server. Understanding this flow is important when configuring Fortinet 802.1X authentication settings.

Authentication

Once the supplicant and the authentication server have agreed on an EAP method (such as EAP-TLS or PEAP), EAP requests and responses pass between them, with the authenticator relaying each one without interpreting it, until the authentication server replies with an EAP-Success or an EAP-Failure message.

If authentication succeeds, the authenticator marks the port "authorized," and normal traffic can pass through. If it fails, the port stays "unauthorized," and all traffic other than EAPOL frames is blocked.

Authorization

Once the user's credentials have been verified, whether a password or the public key infrastructure (PKI) certificate the device was enrolled with, the user is authorized to access the network. The RADIUS server checks the certificate or credentials every time the device connects or re-authenticates, and its Access-Accept can carry attributes, such as a VLAN assignment, that tell the authenticator what level of access to grant. This helps keep illegitimate users off the network.

Accounting

Accounting in the 802.1X RADIUS system records which devices were authenticated and how long their sessions lasted. The authenticator sends an Accounting-Request with the device's details (a Start record) when the session begins, optional interim updates while it runs, and a Stop record when the session ends.

Termination

A session ends when the supplicant sends an EAPOL-Logoff frame, the link goes down, a periodic re-authentication fails, or the authentication server or a NAC system instructs the authenticator to drop the session with a RADIUS Disconnect-Request. In each case the authenticator returns the port to the "unauthorized" state and sends the accounting Stop record.
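The whole exchange described in the steps above, as an added example that is not Fortinet's code or any vendor's implementation: a Python simulation that uses the real EAPOL, EAP and RADIUS byte layouts but replaces the network with in-memory byte strings. The shared secret, the user database and the identity are constructed for the example, and EAP-MD5 stands in for the EAP method only because it fits in a few lines (the code notes why it should not be used in practice).

```python
"""Simulated 802.1X exchange: supplicant -(EAPOL)-> authenticator -(RADIUS)-> server.
Added example, not Fortinet code. Frame layouts follow IEEE 802.1X (EAPOL), RFC 3748
(EAP) and RFC 2865/3579 (RADIUS); the "network" is just in-memory byte strings.
EAP-MD5 is used only because it fits in a few lines: it derives no session keys and
allows offline password guessing, so real deployments use EAP-TLS or PEAP."""
import hashlib, hmac, os, struct

EAPOL_EAP, EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 0, 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5 = 1, 4
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, EAP_MESSAGE, MSG_AUTH = 1, 79, 80
USERS = {b"alice@example.com": b"correct horse"}  # constructed server-side credential store

def eapol(body):  # EAPOL header: protocol version, packet type 0 (EAP-Packet), body length
    return struct.pack("!BBH", 2, EAPOL_EAP, len(body)) + body

def eap(code, ident, etype=None, data=b""):  # EAP header: code, identifier, length[, type]
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def attrs(pairs):  # RADIUS attributes: type, length, value
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)

def parse(pkt):  # one value per attribute type is enough for this toy
    out, i = {}, 20
    while i < len(pkt):
        out[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return pkt[0], pkt[1], pkt[4:20], out

def access_request(ident, secret, user, eap_msg):
    """Authenticator -> server. The EAP packet rides in EAP-Message; Message-Authenticator is
    HMAC-MD5(secret, packet with that value zeroed) and is mandatory whenever EAP is carried."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh per request, echoed into the reply
    a = attrs([(USER_NAME, user), (EAP_MESSAGE, eap_msg), (MSG_AUTH, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(a)) + req_auth + a
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), req_auth

def msg_auth_ok(pkt, secret):
    """Server side: drop requests whose Message-Authenticator is missing or does not verify."""
    i = 20
    while i < len(pkt) and pkt[i] != MSG_AUTH:
        i += pkt[i + 1]
    if i >= len(pkt):
        return False
    zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
    return hmac.compare_digest(pkt[i + 2:i + 18], hmac.new(secret, zeroed, hashlib.md5).digest())

def reply(code, ident, req_auth, secret, eap_msg):
    """Server -> authenticator. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    a = attrs([(EAP_MESSAGE, eap_msg)])
    head = struct.pack("!BBH", code, ident, 20 + len(a))
    return head + hashlib.md5(head + req_auth + a + secret).digest() + a

def reply_ok(pkt, req_auth, secret):
    """Authenticator side: a reply that fails this check is dropped, so an Access-Accept
    forged by someone who does not hold the shared secret opens nothing."""
    expect = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expect)

def server_handle(pkt, secret, state):
    """EAP-MD5 server: Identity -> MD5-Challenge -> verify. A real server binds the challenge
    to the conversation with the RADIUS State attribute; a dict stands in for that here."""
    _, _, _, a = parse(pkt)
    if not msg_auth_ok(pkt, secret):
        return ACCESS_REJECT, eap(EAP_FAILURE, 0)
    user, e = a[USER_NAME], a[EAP_MESSAGE]  # e[1] = EAP identifier, e[4] = EAP type
    if e[4] == EAP_IDENTITY:
        state["challenge"] = os.urandom(16)
        return ACCESS_CHALLENGE, eap(EAP_REQUEST, e[1] + 1, EAP_MD5, b"\x10" + state["challenge"])
    good = hashlib.md5(e[1:2] + USERS.get(user, b"") + state.get("challenge", b"")).digest()
    if user in USERS and hmac.compare_digest(e[6:22], good):
        return ACCESS_ACCEPT, eap(EAP_SUCCESS, e[1])
    return ACCESS_REJECT, eap(EAP_FAILURE, e[1])

def supplicant_respond(frame, identity, password):
    """Supplicant answers the EAP request carried in the EAPOL frame it just received."""
    e = frame[4:]
    if e[4] == EAP_IDENTITY:
        return eapol(eap(EAP_RESPONSE, e[1], EAP_IDENTITY, identity))
    digest = hashlib.md5(e[1:2] + password + e[6:22]).digest()  # MD5(identifier | password | challenge)
    return eapol(eap(EAP_RESPONSE, e[1], EAP_MD5, b"\x10" + digest))

def run_session(identity, password, secret=b"constructed-shared-secret"):
    """Drive one exchange end to end; returns the port state as the authenticator sees it."""
    state, rid = {}, 0
    frame = eapol(eap(EAP_REQUEST, 1, EAP_IDENTITY))  # initiation: authenticator asks for identity
    while True:
        resp = supplicant_respond(frame, identity, password)
        pkt, req_auth = access_request(rid, secret, identity, resp[4:])  # relay EAP, never interpret it
        code, ereply = server_handle(pkt, secret, state)
        rpl = reply(code, rid, req_auth, secret, ereply)
        if not reply_ok(rpl, req_auth, secret):
            return "unauthorized"  # unauthenticated reply: ignore it, port stays closed
        frame, rid = eapol(parse(rpl)[3][EAP_MESSAGE]), rid + 1  # hand the EAP result back
        if code == ACCESS_ACCEPT:
            return "authorized"  # controlled port now forwards normal traffic
        if code == ACCESS_REJECT:
            return "unauthorized"  # only EAPOL keeps passing
```

run_session returns the resulting port state. The two checks that matter operationally are msg_auth_ok on the server (RFC 3579 makes Message-Authenticator mandatory on Access-Requests carrying EAP) and reply_ok on the authenticator, which a forged Access-Accept fails. A real authenticator would also apply the VLAN or filter attributes carried in the Access-Accept; that part is omitted here.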

What Can You Do with 802.1X Authentication?

Pre-admission Control—Blocks Unauthenticated Messages

802.1X authentication blocks traffic from devices that have not authenticated. This protects the network from attackers who plug in, or associate with, devices that have not been authenticated or do not hold a valid PKI certificate.

Device and User Detection—Identifies Users and Devices with Predefined Credentials or Machine IDs

You can issue the credentials needed to connect to the network to a select group of users. This way, those you have not sent the credentials to cannot gain access. As a result, you can keep the list of those who access the network small, limiting it to trusted individuals and devices.

Authentication and Authorization—Verifies and Provides Access

With 802.1X authentication, you have a reliable way to ensure that only those with the right to access the network can connect, and to verify that each user is who they say they are. Because the control is port-based, the authenticator treats each physical port (or wireless association) as two logical ports: a controlled port that forwards ordinary traffic only after authentication succeeds, and an uncontrolled port that carries only EAPOL frames.

Onboarding—Provisions a Device with Security, Management, or Host-checking Software

The onboarding process allows you to vet all those who connect to your network. Because you control which devices get the credentials they need, you can ensure unauthorized devices are kept off your network.

Profiling—Scans Endpoint Devices

Through profiling, the device reveals information about its identity and connection, such as its MAC address and the switch port it is using, which the NAC system uses to classify the device.

Policy Enforcement—Applies Role and Permission-based Access

802.1X authentication allows you to create and enforce policies that restrict access according to an individual's role or permissions. This not only prevents breaches but also keeps well-intentioned but unauthorized users from accidentally connecting and disrupting part of the network.

Post-admission Control—Enforces Session Termination and Cleanup

802.1X authentication also allows you to end sessions and remove users from the network, for example with a RADIUS Disconnect-Request or by forcing re-authentication. This way, a device can be disconnected after the user leaves, preventing someone else from using the still-connected device's session in the first user's absence.
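A compact model of the authenticator's port logic behind the post-admission controls above, as an added example that is not Fortinet code. The method names, the string MAC addresses and the event timeline are assumed for the simulation; the termination triggers it handles (re-authentication failure, EAPOL-Logoff, link loss, RADIUS Disconnect-Request) are the ones IEEE 802.1X and RFC 5176 define.

```python
"""Authenticator port controller for post-admission control. Added example, not Fortinet
code. Each physical port is modelled the way IEEE 802.1X describes it: an uncontrolled
port that always passes EAPOL, and a controlled port that forwards other traffic only
while the port is authorized. Event method names and MAC strings are assumed for the
simulation; the triggers (EAP failure on re-authentication, EAPOL-Logoff, link loss,
RADIUS Disconnect-Request per RFC 5176) are the ones the standards define."""
ETHERTYPE_EAPOL = 0x888E


class PortController:
    def __init__(self, reauth_period=3600):
        self.state = "unauthorized"
        self.session = None            # (identity, mac) of the supplicant that authenticated
        self.authorized_at = None
        self.reauth_period = reauth_period
        self.acct = []                 # accounting records: ("Start"|"Stop", identity, time[, reason])

    def forward(self, ethertype, src_mac):
        """Data-plane decision. EAPOL always reaches the authenticator; anything else passes
        only on an authorized port and only from the MAC that authenticated (single-host
        mode), so a second device behind an unmanaged hub cannot ride on the session."""
        if ethertype == ETHERTYPE_EAPOL:
            return True
        return self.state == "authorized" and src_mac == self.session[1]

    def reauth_due(self, now):
        """Periodic re-authentication keeps a long-lived session from outliving its credentials."""
        return self.state == "authorized" and now - self.authorized_at >= self.reauth_period

    def eap_result(self, success, identity, src_mac, now):
        """Outcome of an EAP exchange (initial or re-authentication) relayed from the server."""
        if success:
            if self.state == "unauthorized":
                self.acct.append(("Start", identity, now))
            self.state, self.session, self.authorized_at = "authorized", (identity, src_mac), now
        elif self.state == "authorized":
            self._terminate("reauth-failed", now)

    def eapol_logoff(self, src_mac, now):
        """EAPOL-Logoff from the supplicant. The frame is unauthenticated: on a shared
        medium a spoofed Logoff is a known denial of service against 802.1X without MACsec."""
        if self.state == "authorized" and src_mac == self.session[1]:
            self._terminate("eapol-logoff", now)

    def link_down(self, now):
        if self.state == "authorized":
            self._terminate("link-down", now)

    def disconnect_request(self, identity, now):
        """RADIUS Disconnect-Request from the server or NAC (RFC 5176). Returns True for a
        Disconnect-ACK, False for a Disconnect-NAK when no matching session exists."""
        if self.state == "authorized" and self.session[0] == identity:
            self._terminate("disconnect-request", now)
            return True
        return False

    def _terminate(self, reason, now):
        """Every exit path ends here: port back to unauthorized, accounting Stop with the cause."""
        self.acct.append(("Stop", self.session[0], now, reason))
        self.state, self.session, self.authorized_at = "unauthorized", None, None
```

The point to take from forward() is that "authorized" is a property of the port and the authenticated MAC, not of a user: if a device stays plugged in after the user walks away, only re-authentication, a Logoff, link loss or an explicit Disconnect-Request closes the session.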

How Fortinet Can Help

The Fortinet network access control (NAC) solution uses a zero-trust architecture that requires users to verify and authenticate every time they connect. It also provides full visibility into endpoints, including Internet-of-Things (IoT) devices.

With Fortinet NAC, users and devices can be authenticated, profiled, denied access, and restricted based on credentials. Unsecured devices can also be quarantined to prevent them from harming the network.

FAQs

What is 802.1X authentication?

802.1X authentication involves making sure that something connecting to a system is what it claims to be. When a device joins a wired network or a wireless network using 802.11 and its variants (802.11b, g, n and later), 802.1X is the port-based network access control protocol that verifies the connecting device or user is who they say they are. It works for both wireless and wired devices.

What are the main parts of 802.1X authentication?

The main parts of 802.1X authentication are the supplicant, the authenticator, and the authentication server.