802.1x Authentication
Other versions of this page are also available for the following:
.gif "A hyphen indicates that the information in this topic is not relevant for this platform, or that the platform does not support the API that is listed.")
.gif "A checkmark indicates that the information in this topic is relevant for this platform, and that any API listed is also supported on this platform.")
8/28/2008
IEEE 802.1x is a standard for port-based network access control that provides authenticated network access to 802.11 wireless networks and wired Ethernet networks.
Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases where the authentication process fails.
Although this standard was designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.
During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant.
- In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port.
- In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port.
An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.
The authenticator's port-based network access control defines two logical access points to the LAN, through one physical LAN port.
- The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state.
- The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator.
IEEE 802.1x uses standard security protocols, such as Remote Authentication Dial-In User Service (RADIUS), to provide centralized user identification, authentication, dynamic key management, and accounting.
For information about designing an IEEE 802.11 network adapter, see this Microsoft Web site.
The strongest forms of security on Wi-Fi networks incorporate 802.1x authentication and use either EAP-TLS, which provides security based on certificates or smart cards, or PEAP, which provides password-based security. This software platform supports both standards. EAP-TLS is considered the strongest form of security available for Wi-Fi networks.
See Also
Concepts
Wireless Network Client Configuration
802.1x Deployment Issues
802.11 Overview