What is 802.1X Authentication? How it Works for Network Access

IEEE 802.1X Authentication Definition

802.1X authentication is an IEEE standard for port-based network access control (PNAC). It is a protocol that enables users and/or devices to be uniquely identified before accessing the network and being given authorized levels of access to a local area network (LAN) or wireless local area network (WLAN).

802.1X authentication ensures devices connecting to the network are what they claim to be: the authenticator blocks a supplicant's (client's) traffic at the interface until the client's credentials have been presented to an authentication server, usually a RADIUS server, and authorized.

A diagram showing the 802.1X authentication flow where an End User sends credentials through a Secure SSID to a RADIUS Server to gain internet access.

In this guide, we’ll discuss how to deploy 802.1X, what it’s used for, and explain why 802.1X is still vital to securing modern organization networks.

What Are the Main Components of IEEE 802.1X?

802.1X authentication components diagram – supplicant, authenticator, RADIUS server

There are three main components of IEEE 802.1X authentication:

1. Supplicant: The Client User

The supplicant is the client software on a device seeking access to an 802.1X network. It initiates authentication by sending Extensible Authentication Protocol over LAN (EAPOL) messages to the authenticator and supplies the user's or device's credentials in the form the configured EAP method requires.

2. Authenticator: The Access Point

An authenticator detects when a supplicant seeks access to the network. The authenticator controls the network port and relays authentication messages between the client and the authentication server. Ethernet switches, network access servers, and wireless access points all serve as authenticators.

3. Authentication Server: The RADIUS Gateway

The authentication server, typically a Remote Authentication Dial-In User Service (RADIUS) server, receives and responds to access requests. If authentication succeeds, the authenticator changes the port state from unauthorized to authorized, allowing normal network traffic.

Why Does 802.1X Need a RADIUS Server?

802.1X needs a RADIUS server (also known as an AAA server) because there needs to be a dedicated server to verify credentials. The server checks the directory of authorized users to confirm whether the client has permission to access the network and passes that information back to the controller/access point.

Without a RADIUS server, authentication would have to occur at the access point itself (which would require some pretty powerful APs), as it does with Pre-Shared Key authentication. Authenticating against a RADIUS server is much more secure than using a single password to gate network access and is widely considered ideal for both wired and wireless network security.

What Is 802.1X EAP Security?

The standard authentication protocol used on encrypted networks is Extensible Authentication Protocol (EAP), which protects credentials transmitted over the air from client to server inside a tunnel. 802.1X is the standard used for carrying EAP over wired and wireless Local Area Networks (LANs).

The EAP protocol can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital certificate (EAP-TLS) authentication. Not all EAP tunnels are equal, though, and Man-in-the-Middle (MITM) attacks can easily intercept usernames and passwords sent over-the-air if weaker protocols are used.

WPA2 & WPA3 Enterprise common protocols compared (level of encryption; authentication speed; directory support; credentials):

  • EAP-TLS: public-private key cryptography; fast (12 steps); universal directory support; passwordless.
  • PEAP-MSCHAPv2: bad encryption (MD4, compromised since 1995); slow (22 steps); Active Directory; passwords.
  • EAP-TTLS/PAP: vulnerable (protects credentials only by passing the PAP authentication exchange through an encrypted TLS tunnel); slowest (25 steps); Active Directory; passwords.


How Does 802.1X Authentication Work?

802.1X authentication only gives devices access to the protected side of a network after authenticating them. It does so by opening ports for network access once the RADIUS server verifies the device identity. The RADIUS server communicates with the organization’s directory to verify identities, typically using LDAP or secure APIs; while SAML and OAuth are not used for the authentication request itself, they are essential during the initial onboarding process to securely issue certificates to users.

The 802.1X authentication process takes four steps: initialization, initiation, negotiation and authentication.

Flow chart showing how 802.1X authentication works with an Authentication Server and Identity Providers

  1. Initialization: The initialization step starts when the authenticator detects a new device and attempts to establish a connection. The authenticator port is set to an “unauthorized” state, meaning that only 802.1X traffic will be accepted and every other connection will be dropped.
  2. Initiation: The client typically begins authentication by sending an EAPOL-Start message, after which the authenticator sends an EAP-Request/Identity message. The client's EAP-Response/Identity contains an identifier for the new device. The authenticator receives the EAP response and relays it to the authentication server in a RADIUS Access-Request packet.
  3. Negotiation: Once the authentication server receives the request packet, it will respond with a RADIUS access challenge packet containing the approved EAP authentication method for the device. The authenticator will then pass on the challenge packet to the device to be authenticated.
  4. Authentication: If the device supports the proposed EAP method, the supplicant and authentication server complete the EAP authentication exchange, and the server sends either a RADIUS Access-Accept or Access-Reject message. On Access-Accept, the authenticator sets the port to “authorized” and the device is connected to the 802.1X network.
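The initiation and negotiation steps above, modeled at the packet level as an added example (my code, not SecureW2's or the page's): the authenticator wraps the supplicant's EAP-Response/Identity in a RADIUS Access-Request carrying the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, the authentication server verifies it and answers with an Access-Challenge proposing EAP-TLS, and the authenticator checks the reply's Response Authenticator and Message-Authenticator before relaying the EAP request to the client. The shared secret and the identity are constructed values; UDP transport and the TLS handshake that follows the challenge are omitted.

```python
# Added example (not the page's or SecureW2's code): stdlib-only model of the
# initiation/negotiation steps; layouts per RFC 2865, RFC 3579 and RFC 3748.
# SHARED_SECRET and the identity are constructed values, not real credentials.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                    # RADIUS codes (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # RADIUS attribute types
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 2, 1, 13
EAP_TLS_START = 0x20                                        # EAP-TLS flags byte: S bit
SHARED_SECRET = b"constructed-example-secret"               # constructed value

def eap(code, ident, eap_type, data=b""):
    """EAP packet: Code | Identifier | Length | Type | Type-Data (RFC 3748 s4)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse_eap(pkt):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, eap_type, pkt[5:]

def avp(atype, value):
    """RADIUS attribute: Type | Length (header included) | Value."""
    return bytes([atype, 2 + len(value)]) + value

def parse_avps(blob):
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out

def radius(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def with_message_authenticator(code, ident, req_auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the attribute
    zeroed); replies are keyed over the Request Authenticator (RFC 3579 s3.2)."""
    zeroed = radius(code, ident, req_auth, attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    return attrs + avp(MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())

def check_message_authenticator(pkt, secret, req_auth):
    code, ident, _ = struct.unpack("!BBH", pkt[:4])
    received, rebuilt = None, b""
    for atype, value in parse_avps(pkt[20:]):
        if atype == MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)
        rebuilt += avp(atype, value)
    if received is None:  # a packet carrying EAP-Message without it is rejected
        return False
    expected = hmac.new(secret, radius(code, ident, req_auth, rebuilt), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def build_access_request(identity, ident=1):
    """Authenticator (switch/AP): wrap the EAP-Response/Identity in an Access-Request."""
    req_auth = os.urandom(16)  # RFC 2865: fresh and unpredictable per request
    resp = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)
    attrs = avp(USER_NAME, identity) + avp(EAP_MESSAGE, resp)
    attrs = with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, SHARED_SECRET)
    return radius(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def handle_access_request(pkt, secret=SHARED_SECRET):
    """Authentication server: validate the request, then propose EAP-TLS."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth = pkt[4:20]
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    if not check_message_authenticator(pkt, secret, req_auth):
        raise ValueError("Message-Authenticator failed: wrong shared secret or tampering")
    ecode, eid, etype, identity = parse_eap(b"".join(v for t, v in parse_avps(pkt[20:]) if t == EAP_MESSAGE))
    if (ecode, etype) != (EAP_RESPONSE, EAP_TYPE_IDENTITY):
        raise ValueError("expected EAP-Response/Identity")
    challenge = eap(EAP_REQUEST, eid + 1, EAP_TYPE_TLS, bytes([EAP_TLS_START]))
    attrs = with_message_authenticator(ACCESS_CHALLENGE, ident, req_auth, avp(EAP_MESSAGE, challenge), secret)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(radius(ACCESS_CHALLENGE, ident, req_auth, attrs) + secret).digest()
    return identity, radius(ACCESS_CHALLENGE, ident, resp_auth, attrs)

def verify_reply(reply, req_auth, secret=SHARED_SECRET):
    """Authenticator: verify both authenticators before relaying EAP to the client."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(radius(code, ident, req_auth, reply[20:]) + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from our server")
    if not check_message_authenticator(reply, secret, req_auth):
        raise ValueError("Message-Authenticator mismatch on reply")
    return code, parse_eap(b"".join(v for t, v in parse_avps(reply[20:]) if t == EAP_MESSAGE))

def run_exchange(identity=b"alice@example.com"):
    req, req_auth = build_access_request(identity)
    seen, reply = handle_access_request(req)
    code, (ecode, _, etype, data) = verify_reply(reply, req_auth)
    return seen, code, ecode, etype, data
```

run_exchange() returns the identity the server saw, the RADIUS code 11 (Access-Challenge) and the EAP-Request of type 13 (EAP-TLS) with the Start flag set. Both checks sit on the authenticator side on purpose: a switch that relayed an Access-Challenge whose authenticators do not verify would let anything on the RADIUS path steer the EAP negotiation, and a request without a valid Message-Authenticator is dropped by the server before the EAP payload is even parsed.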

While not part of the core authentication process, RADIUS servers are often called AAA (authentication, authorization, accounting) servers because they also handle accounting. 802.1X RADIUS accounting involves recording the information of devices that are authenticated to the 802.1X network and the session duration. The device information, usually the MAC address and port number, is sent in a packet to the accounting server when the session begins. The server will also receive a message signaling the end of the session. 

Once a device successfully authenticates via 802.1X, the network can apply fine-grained policies. Two common ways to enhance segmentation and handle edge cases are Virtual Local Area Networks (VLANs) for logical separation and fallback mechanisms like MAC-based authentication for devices that don’t support full 802.1X.

Virtual Local Area Networks (VLAN)

A VLAN is a way of partitioning a physical network into logically separate LANs, each with the management and security boundaries of its own LAN.

In practice, VLANs segment your network so that security rules can be applied per segment. For example, the open/guest network is usually put in a different VLAN than the secure network. This helps make sure that devices and network resources on one VLAN aren't affected if something bad happens on a separate VLAN.

Digital certificates make VLAN assignment a snap because attributes can be encoded into the certificate that the RADIUS server uses to authenticate. You could even set up a policy so that anyone with the email domain “it.company.com” is automatically assigned a different VLAN segment than “sales.company.com”.

While 802.1X with EAP is the standard for secure authentication, not every device supports it. In those cases, organizations often layer on simpler (but less secure) mechanisms such as MAC authentication and MAC bypass. 

MAC Authentication

MAC authentication, or MAC address authentication, is a simple security measure in which you create a list of approved MAC addresses that are allowed network access.

Unfortunately, it’s not difficult to spoof MAC addresses, so MAC authentication is typically only used to supplement 802.1X authentication in enterprise environments. It is mainly helpful for supporting types of devices that either do not support 802.1X at all or have difficulty doing so.

MAC Bypass

MAC-based RADIUS authentication is also known as MAC bypass, or sometimes MAC address bypass. The most common use case of MAC bypass is to bring devices that don’t support 802.1X (such as game consoles, printers, etc.) onto your network. However, it’s still vulnerable, so such devices should be placed in a separate VLAN.

Benefits of Moving to 802.1X

There are three main benefits of making the switch to 802.1X: increased network security, simplified wireless connectivity, and compliance with regulatory standards.

Increased Network Security With 802.1X and Certificates

802.1X requires individual users and devices to each have their own set of credentials to log in with, giving network administrators much more control and enhanced visibility over who’s logging in.

However, 802.1X is even more secure when you tie it to digital certificates. Digital certificates can show you so much more information than just the username, including the operating system, MDM (if applicable), role, location, and user email address.

Simplified Wired & Wireless Connectivity

802.1X can make connecting to your network even simpler for your end users. This might seem counterintuitive; generally, when you make things more secure, you require more from your end users, resulting in a more complicated login process.


However, 802.1X can actually make things easier. Separate logins for each individual user and device mean that when there’s a password change for any one of them, it only applies to that individual. However, if you’re using PSK – a single password for the entire network – changing the password means disconnecting all devices on that network.

Things get even easier when you add certificate-based authentication to the mix. You no longer have to require specific, complex password requirements for network access. Users can connect just by using their certificates, which can be tied to your MDM or Identity Provider (IdP). 

Furthermore, because certificates can be encoded with information from your IdP, they can be used to apply access policies automatically. For example, you could have users from different departments automatically segmented into their own VLANs when they authenticate to your network.
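The department-to-VLAN policy described here and in the VLAN section above (the “it.company.com” versus “sales.company.com” example), as an added example (my code, not SecureW2's or the page's): it takes the rfc822Name e-mail identity that the RADIUS server has already read from the client certificate, maps its domain to a VLAN with a constructed policy, and encodes the result as the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 3580) that an Access-Accept carries back to the switch. Identities outside the organization's domain get no VLAN and should be rejected even when the certificate chained correctly. Certificate parsing itself is assumed to have happened; the VLAN IDs and domains are constructed.

```python
# Added example (not the page's or SecureW2's code): derive a VLAN from the
# e-mail identity in a client certificate and encode it as the RFC 3580 tunnel
# attributes returned in Access-Accept. VLAN_POLICY and ORG_SUFFIX are constructed.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6   # values from RFC 3580

# Constructed policy: the most specific matching suffix wins, and anything
# outside ORG_SUFFIX gets no VLAN at all (Access-Reject).
VLAN_POLICY = {"it.company.com": 10, "sales.company.com": 20, "company.com": 30}
ORG_SUFFIX = "company.com"

def email_domain(rfc822_name):
    """Domain part of the certificate's rfc822Name SAN (assumed already extracted)."""
    local, sep, domain = rfc822_name.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail identity: {rfc822_name!r}")
    return domain

def vlan_for(rfc822_name):
    domain = email_domain(rfc822_name)
    if domain != ORG_SUFFIX and not domain.endswith("." + ORG_SUFFIX):
        return None  # foreign domain: caller answers with Access-Reject
    labels = domain.split(".")
    for i in range(len(labels)):  # it.company.com, then company.com, then com
        vlan = VLAN_POLICY.get(".".join(labels[i:]))
        if vlan is not None:
            return vlan
    return None

def tagged_int(atype, value, tag=1):
    """Tagged integer attribute (RFC 2868): Type | Len=6 | Tag | 3-byte value."""
    return bytes([atype, 6, tag]) + value.to_bytes(3, "big")

def tagged_str(atype, text, tag=1):
    """Tagged string attribute (RFC 2868): Type | Len | Tag | text."""
    body = text.encode()
    return bytes([atype, 3 + len(body), tag]) + body

def vlan_attributes(rfc822_name):
    """Attributes to append to Access-Accept, or None when the identity is rejected."""
    vlan = vlan_for(rfc822_name)
    if vlan is None:
        return None
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))

def decode_vlan(attrs):
    """What the switch does with the reply: walk the TLVs and recover the VLAN ID."""
    found, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        found[atype] = (attrs[i + 2], attrs[i + 3:i + alen])  # (tag, value)
        i += alen
    if found.get(TUNNEL_TYPE, (0, b""))[1] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        raise ValueError("Tunnel-Type is not VLAN")
    tag, group = found[TUNNEL_PRIVATE_GROUP_ID]
    if tag != found[TUNNEL_TYPE][0]:
        raise ValueError("tag mismatch between tunnel attributes")
    return int(group.decode())
```

The suffix walk matters more than it looks: a policy keyed only on exact domains would silently drop a new sub-department into whatever the switch's default VLAN is, while the ORG_SUFFIX gate stops a certificate for “company.com.evil.example” from matching anything.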

Meeting Regulatory Requirements

Standards are rising across the board for enterprises in light of the increasing complexity of cyberattacks. One example is the National Institute of Standards and Technology’s (NIST’s) Requirement 3.5.2, which states that organizations must verify the identities of both users and devices prior to granting them access to systems.

Usernames and passwords alone make this impossible. They can be easily stolen, and even if they’re not, users may sometimes share them with others. Moving to 802.1X (especially with certificates) helps enterprises to meet tightened regulatory guidelines like those provided by NIST.

What Is 802.1X Authentication Used For?

802.1X is used for secure network authentication. If you are an organization dealing with valuable and sensitive information, you need a secure method of transporting data. 802.1X authentication achieves this by enabling much more secure mechanisms for validating the users/devices requesting network access. Historically, it was used by large organizations such as enterprises, universities, and hospitals, but is rapidly becoming adopted by organizations of all sizes because of the growing cybersecurity threats. 

Many organizations are legally required to use 802.1X. NIST SP 800-171 3.5.2 requires any organization that does federal research to ensure identity verification for users and devices so that only trusted devices use the network. 802.1X with EAP-TLS is the industry-best method to satisfy this. K-12 schools rely on it to keep students and staff on separate networks so they can filter internet content available to students, a requirement for receiving funding from the government. 

WPA2-Enterprise uses 802.1X and EAP to authenticate users and devices on Wi-Fi networks. In contrast, the Pre-Shared Key (PSK) network security most often used at home is referred to as WPA2-Personal. WPA2-Personal is not sufficient for any organization dealing with sensitive information and can put organizations at serious risk for cybercrimes.

To learn more about how solutions from SecureW2 simplify compliance and harden security, schedule a demo.

How Secure is 802.1X Authentication?

When used correctly, 802.1X authentication is widely considered one of the most secure approaches to network authentication. It can prevent over-the-air credential theft attacks like Man-in-the-Middle attacks and Evil Twin proxies. It is much more secure than WPA2 or even WPA3 Pre-Shared Key networks, which are typically used in personal networks.

However, 802.1X security can vary greatly depending on two factors:

  1. Configuration: The first factor is whether end users are left to configure their devices manually. The configuration process requires high-level IT knowledge, and if one step is done incorrectly, the user is left vulnerable to credential theft. We highly recommend using dedicated 802.1X onboarding software instead.
  2. Credential-based authentication vs. certificate-based authentication: Certificate-based EAP-TLS significantly reduces an organization’s risk for credential theft and is the most secure way to use 802.1X. Not only does it stop credentials from being sent over the air where they can be easily stolen, but it forces users to go through an enrollment/onboarding process that ensures their devices are configured correctly.

Common Myths About 802.1X

Myth #1: 802.1X Is Only for Wireless Networks

802.1X is just as relevant for wired networks as wireless ones. Relying on credentials for authentication at all can leave you vulnerable no matter which type of network you’re using, because those credentials can be shared or easily stolen.

By configuring 802.1X with your ethernet ports, any device that plugs in a cable will be prompted for an 802.1X network profile. This allows organizations to leave ethernet cables out for wired network access, without being worried that an attacker might abuse them.

Myth #2: Credentials/MAC Addresses Are Enough to Identify Devices

An image of sample certificate vs. sample credentials.

Even if your organization doesn’t have a BYOD policy, usernames and passwords aren’t locked to specific devices. Anyone can use them as long as they know what they are. Sure, 802.1X improves your network security, but even a RADIUS server can’t give administrators any real certainty about the people and devices accessing your network if you’re using passwords.

Another common argument is that if you gate network access by MAC address, only allowing specific MAC addresses on the network, then that’s enough. The issue with this is that many devices will report a randomized MAC address every time they connect to a network to prevent tracking a user across different networks. While this supports end-user privacy, it means that administrators can’t rely on MAC address authentication alone.
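A check a defender can run over a MAC allow-list, or over the Calling-Station-Id values a RADIUS server logs, as an added example (my code, not SecureW2's or the page's): randomized MACs set the locally administered bit (bit 1 of the first octet), so flagging that bit shows which allow-list entries belong to addresses that will rotate and cannot serve as a stable device identity. The allow-list below is constructed.

```python
# Added example (not the page's or SecureW2's code): flag allow-list entries that
# are randomized (locally administered) MAC addresses. The list is constructed.
import re

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def parse_mac(text):
    """Accept the forms Calling-Station-Id commonly arrives in:
    aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff, aabbccddeeff."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    if not MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_locally_administered(mac):
    """U/L bit set: the address was assigned in software, e.g. by MAC randomization."""
    return bool(mac[0] & 0x02)

def is_multicast(mac):
    """I/G bit set: never a valid source address for a client."""
    return bool(mac[0] & 0x01)

def audit_allowlist(entries):
    """Split allow-list entries into stable, randomized and unusable."""
    report = {"stable": [], "randomized": [], "unusable": []}
    for entry in entries:
        try:
            mac = parse_mac(entry)
        except ValueError:
            report["unusable"].append(entry)
            continue
        if is_multicast(mac):
            report["unusable"].append(entry)
        elif is_locally_administered(mac):
            report["randomized"].append(entry)  # will change; do not rely on it
        else:
            report["stable"].append(entry)
    return report

CONSTRUCTED_ALLOWLIST = [
    "00-11-22-33-44-55",  # burned-in style address (constructed)
    "da:a1:19:00:00:01",  # 0xDA has bit 1 set: locally administered
    "0211.2233.4455",     # 0x02: locally administered
    "01:00:5e:00:00:fb",  # multicast bit set: cannot be a client MAC
    "printer-lobby",      # not a MAC at all
]
```

A "randomized" entry is not proof of a spoofed device, only that the address is not a burned-in identity: such devices need either a profile-level opt-out of randomization or, better, a certificate, before they belong on a MAC bypass list.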

The solution to this challenge is digital certificates. Digital certificates, unlike passwords, are issued uniquely to a device’s hardware (TPM/Secure Enclave) and can be configured to be non-exportable. They cannot be transferred or shared, giving administrators much more certainty over the people on the network. Certificates also contain detailed templates that can provide organizations with much more information about individual users, including their operating system, their MDM, their location, etc.

Myth #3: Network Security Doesn’t Matter If All Your Resources Are in the Cloud

Network security still matters even in a world that’s increasingly cloud-based. There are a number of attacks hackers can conduct once they’ve penetrated your network, such as Address Resolution Protocol (ARP) attacks, Spanning Tree Protocol (STP) attacks, and more. Once a malicious actor has gained access to your network, they can also easily harvest credentials where you use them and leverage those for access to sensitive resources.

Three Reasons Enterprises Are Moving to 802.1X

High-Profile Attacks Have Raised Awareness of Network Security

Every other day, we’re faced with news of another data breach or an organization being targeted by hackers. 

One of the most unquantifiable results of these attacks is the significant loss of reputation faced by the organizations that were breached. Prospective customers lose trust in organizations that don’t have the ability to protect their sensitive information from cybercriminals. 

Increased network security and maintaining prospective customer trust continue to be the top reason we see customers deploying 802.1X. 

Decrease in Support for Network Policy Server (NPS), Rise in Credential Guard Standards

Windows Credential Guard protects sensitive user credentials on Windows devices through hashes and various hardware security mechanisms. Wider use of Windows Credential Guard, along with steadily decreasing support for NPS, makes the very common legacy setup of NPS, Active Directory, and PEAP-MSCHAPv2 a bad end-user experience and requires a significant amount of work to manage day-to-day.

In an increasingly cloud-based world where organizations are moving critical infrastructure, such as their identity management, to the cloud, it’s vital that their RADIUS also supports cloud functionality.

For years, one issue we’ve heard from many customers is that they want to move much of their infrastructure to the cloud. If you’re using Azure AD/Entra ID, this means you can’t stick with legacy solutions like NPS anymore for 802.1X – you need a cloud-based RADIUS server such as Cloud RADIUS. Schedule a demo to see the SecureW2 Cloud RADIUS in action.

Awareness of Cloud and Managed Alternatives to Traditionally On-Premises Solutions Is Growing

Increasingly, administrators and security professionals understand that RADIUS and public key infrastructure (PKI) don’t need to be handled on-premises. In fact, it’s generally easier, less costly, and less time-consuming to use managed services. 

We’ve heard a recurring sentiment that the more a security professional knows about PKI, the less they want to handle it themselves. And little wonder: this research by SpecterOps shows just how challenging managing it on your own can be.

Let Us Help You With 802.1X Authentication

The security of your network is the security of your organization. You wouldn’t leave your front door unlocked, so why would you leave your network unsecured?

Implementing 802.1X is vital to wired and wireless network security but relying on passwords still leaves you vulnerable. The most secure iteration of 802.1X is certificate-driven, which ties device trust directly into your network authentication.

SecureW2 is trusted by some of the biggest companies in the world and is the top-rated solution in many categories on G2 to provide the highest level of security and peace of mind. We engineered our managed PKI and Cloud RADIUS services to complement each other, giving organizations everything they need in one place to make the move to passwordless 802.1X. We offer the #1-rated 802.1X BYOD onboarding solution in the industry and have a wide variety of APIs to completely automate certificate lifecycle management for managed devices.

Contact us today, or request a free demo here!

FAQs About 802.1X

Are IEEE 802.1X and Wi-Fi the Same?

Almost. The IEEE 802.1X standard was first designed for use in wired Ethernet networks. Wi-Fi refers to networking standards based on IEEE 802.11. These networks can use 802.1X authentication when operating in enterprise security modes.

That being said, most security and networking professionals use the term 802.1X for both wired and wireless networks if they are using WPA2-Enterprise security.

What Is the Difference Between 802.1X vs. WPA2-Enterprise?

802.1X is an IEEE standard framework for authenticating a user or device that is trying to join a wired or wireless network. WPA-Enterprise and WPA2-Enterprise are the Wi-Fi security modes built on it: WPA-Enterprise uses TKIP with RC4 encryption, while WPA2-Enterprise adds AES encryption.

What Is Wired 802.1X?

Authenticating a wired network connection for 802.1X is a similar process to wireless. The wired network user must connect to the secure network from their device and present a signed certificate or valid credentials to authenticate their identity.

The primary difference is that instead of establishing a secure connection with a wireless switch, the device must be connected to the Ethernet and authenticate to an 802.1X-capable switch. The device and RADIUS server establish trust over the wired connection and if the user is recognized, they will be authorized for secure network use.

Is 802.1X Encrypted?

802.1X itself does not provide encryption. It is an authentication framework used by Wi-Fi security protocols such as WPA2-Enterprise and WPA3-Enterprise, which provide encryption. The original WPA is generally reserved for personal networks, such as your home Wi-Fi, and runs on RC4-based TKIP (Temporal Key Integrity Protocol) encryption. It’s less secure than WPA2, but usually sufficient for home use. WPA-Personal uses a pre-shared key (PSK), while WPA-Enterprise uses 802.1X authentication.

WPA2 can use TKIP, but generally uses AES (Advanced Encryption Standard), which is the most secure standard available. WPA2-Enterprise is a little more difficult and costly to set up, however, so it’s used in higher-stakes environments like businesses.

What Are the Vulnerabilities of 802.1X?

No security protocol is invulnerable, and 802.1X is not an exception.

The most common wireless security configurations are WPA-PSK (pre-shared key, also called WPA-Personal) and WPA or WPA2 Enterprise; only the Enterprise modes use 802.1X.

PSK is the simplest and the most vulnerable. A password is configured on the access point and distributed to users of the network. It’s intended for personal use, mostly in homes. It’s easily cracked with a run-of-the-mill brute force attack and is also susceptible to all other common attacks.

PEAP-MSCHAPv2 was once the industry standard for WPA2-Enterprise networks, but it’s been cracked. There are still many organizations using this standard, despite its inherent vulnerabilities to over-the-air attacks.

EAP-TTLS/PAP can be vulnerable if server certificate validation is not properly configured, allowing attackers to intercept authentication through rogue access points. It’s particularly weak because credentials are sent in clear text (although wrapped in an encrypted TLS tunnel), so it’s a simple matter for hackers to intercept and steal. Further exacerbating the problem is the rising popularity of Cloud RADIUS servers. Many of them only support EAP-TTLS/PAP, so end users are forced to send their credentials in clear text over the internet.

The strongest WPA2-Enterprise standard is EAP-TLS. It relies on the asymmetric cryptography of digital certificates for authentication, which renders it immune to over-the-air credential theft. Even if a hacker intercepts the traffic, they will only harvest the public half of the public-private key pair, which is useless without the private key.

Click here for more details on the steely defenses offered by EAP-TLS.

What Are the Directory Requirements for 802.1X Authentication?

802.1X traditionally requires a directory (on-prem. or cloud) so the RADIUS server can communicate to identify each user and what level of access they are allowed. 

The Identity Store is where usernames and passwords are stored. In most cases, this is Active Directory or potentially an LDAP server. Most RADIUS servers can integrate with Active Directory or LDAP directories to validate user credentials during authentication. There are a few caveats when LDAP is used, specifically around how the passwords are hashed in the LDAP server. If your passwords are not stored in clear text or an NTLM hash, you will need to choose your EAP methods carefully as certain methods may not be compatible, such as EAP-PEAP. These limitations typically arise from how credentials are stored in the directory rather than from the RADIUS server itself.

SecureW2 can integrate with identity providers using SAML during the device onboarding or enrollment process, allowing organizations to authenticate users before issuing certificates or network configuration profiles:

  • To set up SAML authentication within Google Workspace, click here.
  • Configuring WPA2-Enterprise with Okta, click here.
  • For a guide on SAML Authentication using Shibboleth, click here.
  • To configure WPA2-Enterprise with ADFS, click here.

How Do I Configure 802.1X Authentication on Devices?

Configuring 802.1X authentication (WPA2-Enterprise) on a device is much more difficult than joining the WPA2-PSK networks we have at home. There are a handful of settings that the average end user doesn’t understand. We’ve helped millions of devices connect to 802.1X networks, so we will break down how it works for each operating system.

How to Configure 802.1X on Windows?

You can configure 802.1X on Windows OS devices in two ways: manually, or with device onboarding software.

  • Manual: Manually configuring a Windows device requires the user to set up a new wireless network, enter a network name, set the security type, adjust network settings, set the authentication method, and many more steps. While it’s certainly possible to complete this process accurately, it is highly complex and much more difficult than using onboarding software designed for efficiency.
  • With device onboarding software: The process for configuring Windows OS with SecureW2 requires the user to connect to the onboarding SSID and open an internet browser. The user is sent to SecureW2 JoinNow onboarding software. After clicking JoinNow, a graphic will indicate the progress of the configuration. The user will then be prompted to enter their credentials, and the device will be authenticated and equipped with a certificate.

How to Configure 802.1X on macOS?

For macOS, you can either manually configure or employ onboarding software to set up 802.1X:

  • Manual: In order to manually configure macOS, the end user needs to know how to create an enterprise profile, install a client security certificate, verify the certificate, and adjust the network settings. The process isn’t too difficult for someone with a background in IT, but it is risky for the average network user because of the high-level technical information involved with each step.
  • With device onboarding software: Downloading the SecureW2 JoinNow Suite for macOS enables automation so end users are not required to complete the process. The setup is similar to the Windows OS; the end user starts by connecting to the onboarding SSID and opens a browser. After downloading the .DMG file and entering their credentials, the configuration process begins. The entire configuration and authentication requires only a few steps, allowing the end user to sit back while the device configures.

Configure 802.1X on Android

You can configure your Android for 802.1X in two ways: manually through the Wi-Fi settings or with device onboarding software:

  • Manual: Configuring manually via the Wi-Fi settings requires you to create a network profile, configure server certificate validation (which requires uploading the CA certificate used by the RADIUS server and entering its common name), and configure the authentication method.
  • With device onboarding software: An application downloaded from the Play Store will complete all these steps and configure your organization’s network settings for you.

Configure 802.1X on iOS

Configuring 802.1X authentication for iPhones requires you to either manually configure the device or use onboarding software:

  • Manual: Manual configuration means you need to create a network profile in the Wi-Fi settings and configure Server Certificate validation and the authentication method. 
  • With device onboarding software: SecureW2 can push a mobile config file to an iPhone device and configure the network settings automatically.

Configure 802.1X on Linux

Like other operating systems, there are two methods to configure 802.1X on Linux:

  • Manual: The manual configuration is relatively simple. Open Network Manager, select Edit Connections, find your access point and click Edit. In the window that opens, choose the 802.1X settings tab and enter your network’s information.
  • Multiple devices: For one device, this is a straightforward process. If you need to onboard many devices (and users), you need SecureW2 automatic device onboarding software. Click here to learn more.
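For the manual Linux path above, and for the server-certificate-validation caveat raised under EAP-TTLS/PAP in the vulnerabilities FAQ, an added example (my code, not SecureW2's or the page's) of checking the wpa_supplicant.conf network block that such manual configuration ends up writing. It parses network={...} blocks and flags the settings that let a rogue access point harvest credentials: no ca_cert, no domain_match/domain_suffix_match, and EAP-TTLS/PAP or PEAP without them. The weak and hardened configuration samples are constructed; the option names are real wpa_supplicant options.

```python
# Added example (not the page's or SecureW2's code): check wpa_supplicant.conf
# network blocks for settings that expose credentials to a rogue access point.
# Both sample configurations are constructed; the option names are real.
import re

# Constructed: the weak block a user typically produces by hand
WEAK_CONF = """
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="hunter2"
    phase2="auth=PAP"
}
"""

# Constructed: the same network with server validation and a client certificate
HARDENED_CONF = """
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@company.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.company.example"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}
"""

# Options that bind the server certificate to a name, not just to a CA
SERVER_NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """One dict per network={...} block; quotes stripped, comment lines skipped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks

def audit_network(net):
    """Findings for one block; an empty list means the block passes."""
    if not any(k.startswith("WPA-EAP") for k in net.get("key_mgmt", "").upper().split()):
        return ["not an 802.1X/EAP network (key_mgmt)"]
    eap = net.get("eap", "").upper()
    phase2 = net.get("phase2", "").upper()
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_CHECKS):
        findings.append("no domain_match/domain_suffix_match: any cert from that CA is accepted")
    unvalidated = bool(findings)
    if eap == "TTLS" and "AUTH=PAP" in phase2 and unvalidated:
        findings.append("EAP-TTLS/PAP without server validation hands the password to a rogue AP")
    if eap == "PEAP" and unvalidated:
        findings.append("PEAP without server validation exposes the MSCHAPv2 exchange to a rogue AP")
    if eap == "TLS":
        if "client_cert" not in net or "private_key" not in net:
            findings.append("EAP-TLS needs client_cert and private_key")
        if "password" in net:
            findings.append("password set on an EAP-TLS network: leftover credential")
    return findings

def audit(conf):
    """[(ssid, findings), ...] for every network block in the file text."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf)]
```

The two checks are deliberately separate: ca_cert alone only proves the RADIUS server's certificate came from the trusted CA, while domain_match pins it to the one server name the network is supposed to use, which is what stops a certificate from the same public CA on an attacker's access point from being accepted.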