In this post we want to cover the basics of how 802.1X starts a session and authenticates a client. While we can see the basics in the above graphic, let’s begin with some terminology so that we are on the same page as I walk through the process.
- Authenticator: A switch or Wireless LAN Controller (WLC) that sits between the client and the authentication server. It relays EAP messages in both directions and is the device that actually opens or closes the port; it does not interpret the EAP method itself.
- Supplicant: The client device (more precisely, the 802.1X software on it) requesting access to the network.
- Authentication Server: A RADIUS server that authenticates users for 802.1X. One example is the Cisco Identity Services Engine (ISE).
- EAP: Extensible Authentication Protocol, the authentication framework carried inside 802.1X. On the LAN side it is carried in EAPOL frames between supplicant and authenticator; on the server side it is carried inside RADIUS messages.
The Basic Authentication
802.1X authentication can be initiated by either the client device or the authenticator (the switch or the WLC). The authenticator initiates authentication when the link state changes from down to up, as in the case of a switch port, and again periodically for reauthentication as long as the port remains up. For purposes of this example the authenticator will be a switch. The switch sends an EAP-Request/Identity frame to the client. When the client gets this frame, it responds with an EAP-Response/Identity carrying its identity (typically a username).
But let's say the client boots up and is configured for 802.1X, but it doesn't see an EAP request from the switch. In this case the client can send an EAPOL-Start frame. This prompts the switch to request the identity of the client. Conversely, if the switch is not configured for 802.1X it simply drops the EAPOL frames from the client, and after three attempts the client gives up and behaves as if the port were authorized. Note that this fallback is a property of the supplicant, not an authorization decision: nothing on the switch has verified the client in that case.
Once the supplicant provides its identity, the switch, acting as the authenticator, forwards the EAP packet to the authentication server inside a RADIUS Access-Request (as an EAP-Message attribute). Unless the server can decide immediately, it answers with an Access-Challenge containing the next EAP request, which the switch relays to the supplicant unchanged; the supplicant's EAP response goes back to the server in a further Access-Request, and this continues until the EAP method completes. If a RADIUS Access-Accept is returned by the authentication server, the switch delivers EAP-Success to the client and authorizes the port (applying any VLAN or ACL the server included). If an Access-Reject is returned, the switch delivers EAP-Failure and the port stays unauthorized.
That’s the basics of the 802.1X authentication process. Specifics of the EAP exchange vary depending on the EAP type selected in your implementation, but overall, this is how it works.
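As an added example, and not code from the original post or from Cisco, the following Python simulates the exchange described above with the three roles as separate classes: the supplicant answers EAPOL frames, the switch relays EAP into RADIUS-style Access-Request messages and authorizes its port only on Access-Accept, and the server issues an Access-Challenge before deciding. The EAPOL and EAP packet layouts are the real ones (IEEE 802.1X and RFC 3748); the RADIUS messages are simplified to Python dicts, and EAP-MD5 is assumed as the method only because it is the shortest one to show end to end, not because it is a sensible choice. Users, passwords and the EAPOL-Start path are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START = 0, 1            # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    body = pkt[4:length]
    if not body:                                # Success/Failure carry no Type
        return code, identifier, None, b""
    return code, identifier, body[0], body[1:]

def eapol_frame(packet_type, payload=b""):
    """EAPOL frame: Version(1) Type(1) Length(2) Body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(payload)) + payload

def parse_eapol(frame):
    _version, packet_type, length = struct.unpack("!BBH", frame[:4])
    return packet_type, frame[4:4 + length]

class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity.encode(), password.encode()

    def start(self):
        """EAPOL-Start: sent when the client sees no Request/Identity."""
        return eapol_frame(EAPOL_START)

    def handle(self, frame):
        """Answer one EAPOL frame; None once EAP-Success/Failure arrives."""
        packet_type, payload = parse_eapol(frame)
        if packet_type != EAPOL_EAP_PACKET:
            return None
        code, ident, eap_type, data = parse_eap(payload)
        if code != EAP_REQUEST:
            return None
        if eap_type == EAP_TYPE_IDENTITY:
            resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity)
        elif eap_type == EAP_TYPE_MD5:
            challenge = data[1:1 + data[0]]     # Value-Size byte, then Value
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest)
        else:
            raise ValueError("unsupported EAP method")
        return eapol_frame(EAPOL_EAP_PACKET, resp)

class AuthServer:
    """Stand-in for the RADIUS server (e.g. ISE). Messages are dicts, not
    RADIUS wire format; the EAP packet carried inside them is real."""
    def __init__(self, users):
        self.users = {u.encode(): p.encode() for u, p in users.items()}
        self.sessions = {}                      # State -> (identity, identifier, challenge)

    def access_request(self, msg):
        code, ident, eap_type, data = parse_eap(msg["EAP-Message"])
        if eap_type == EAP_TYPE_IDENTITY:
            # Challenge every identity, known or not, so the reply does not
            # reveal which usernames exist.
            state, challenge = os.urandom(8), os.urandom(16)
            self.sessions[state] = (data, ident + 1, challenge)
            req = eap_packet(EAP_REQUEST, ident + 1, EAP_TYPE_MD5, bytes([16]) + challenge)
            return {"code": "Access-Challenge", "EAP-Message": req, "State": state}
        session = self.sessions.pop(msg.get("State"), None)
        ok = False
        if session and eap_type == EAP_TYPE_MD5 and data:
            identity, expected_ident, challenge = session
            password = self.users.get(identity)
            if password is not None and ident == expected_ident:
                expected = hashlib.md5(bytes([ident]) + password + challenge).digest()
                ok = hmac.compare_digest(data[1:1 + data[0]], expected)
        if ok:
            return {"code": "Access-Accept", "EAP-Message": eap_packet(EAP_SUCCESS, ident)}
        return {"code": "Access-Reject", "EAP-Message": eap_packet(EAP_FAILURE, ident)}

class Authenticator:
    """The switch: relays EAP without interpreting it and owns the port state."""
    def __init__(self, server):
        self.server, self.port_authorized = server, False

    def run(self, supplicant, client_initiated=False):
        """Run one session; returns the RADIUS reply codes seen, in order."""
        if client_initiated:
            packet_type, _ = parse_eapol(supplicant.start())
            if packet_type != EAPOL_START:
                raise ValueError("expected EAPOL-Start")
        # Link-up (or EAPOL-Start) triggers EAP-Request/Identity.
        frame = eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        codes, state = [], None
        while True:
            reply = supplicant.handle(frame)
            if reply is None:                   # Success/Failure delivered
                return codes
            msg = {"code": "Access-Request", "EAP-Message": parse_eapol(reply)[1]}
            if state is not None:
                msg["State"] = state            # echoed so the server finds the session
            resp = self.server.access_request(msg)
            codes.append(resp["code"])
            state = resp.get("State")
            self.port_authorized = resp["code"] == "Access-Accept"
            frame = eapol_frame(EAPOL_EAP_PACKET, resp["EAP-Message"])
```

Running `Authenticator(AuthServer({"alice": "s3cret"})).run(Supplicant("alice", "s3cret"))` yields `["Access-Challenge", "Access-Accept"]` and leaves the port authorized; a wrong password or unknown user yields `["Access-Challenge", "Access-Reject"]` and the port stays unauthorized. The point worth noticing is that the switch code never looks at the EAP type: everything method-specific lives in the supplicant and the server, which is why the same switch configuration works for EAP-TLS, PEAP or any other method.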
You can learn more about how 802.1X works in the new CCNP course SISAS: Implementing Cisco Secure Access Solutions, or in the course SISE – Implementing and Configuring Cisco Identity Services Engine v1.1