What Is 802.1X - How Does It Work
What Is 802.1X - How Does It Work
What Is 802.1X - How Does It Work
Why Contact
Solutions Products Customers Blogs Login Check our Prices
SecureW2? Us
Contents
I. Client / Supplicant
II. Switch / Access Point / Controller
III. RADIUS Server
IV. Why does 802.1X need a RADIUS server?
V. Identity Store / Directory
An 802.1X network is different from home networks in one major way; it has an authentication server called a
RADIUS Server. It
checks a user's credentials to see if they are an active member of the organization and,
depending on the network policies, grants
users varying levels of access to the network. This allows unique
credentials or certificates to be used per user, eliminating the
reliance on a single network password that
can be easily stolen.
KEY TAKEAWAYS
802.1X is an authentication protocol to allow access to networks with the use of a RADIUS server.
802.1X and RADIUS based security is considered the gold standard to secure wireless and wired networks
today.
https://www.securew2.com/solutions/802-1x 2/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
802.1X is a network authentication protocol that opens ports for network access when an organization
authenticates a user's
identity and authorizes them for access to the network. The user's identity is
determined based on their credentials or certificate,
which is confirmed by the RADIUS server. The RADIUS
server is able to do this by communicating with the organization's directory,
typically over the LDAP or SAML
protocol.
KEY TAKEAWAYS
802.1X gives the device access to the protected side of the network after authentication.
The EAP protocol can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital certificate
(EAP-TLS)
authentication and is a highly secure method for protecting the authentication process.
KEY TAKEAWAYS
EAP is the tunnel that transfers a user’s identifying information from client to server.
Not all EAP Tunnels are created the same, man-in-the-middle attacks are easier to perform
with username/password
https://www.securew2.com/solutions/802-1x 3/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
802.1X is used for secure network authentication. If you are an organization dealing with valuable and
sensitive information, you
need a secure method of transporting data. 802.1X is used so devices can
communicate securely with access points (enterprise-
grade routers). It was historically only used by large
organizations like enterprises, universities, and hospitals, but is rapidly
becoming adopted by smaller
businesses because of the growing threats in cyber security.
802.1X is often referred to as WPA2-Enterprise. In contrast, the Pre-Shared Key network security most often
used at home is
referred to as WPA2-Personal. WPA2-Personal is not
sufficient for any organization dealing with sensitive information and can put
organizations at serious
risk for cyber crimes.
KEY TAKEAWAYS
Used to secure connections to wired and wireless networks via rotating key security and avoiding
Open/Un-Encrypted or
static key (PSK) connections
802.1X is used in corporate and campus settings where users get authorized or removed from network
access as they
enter and leave the organization
That being said, most security and networking professionals use the term 802.1X for both wired and wireless
networks if they are
using WPA2-Enterprise security.
The primary difference is instead of establishing a secure connection with a wireless switch, your device
must be Ethernet
connected and authenticate to an 802.1X-capable switch. The device and RADIUS server
establish trust over the wired connection
and if the user is recognized, they will be authorized for secure
network use.
However, 802.1X security can vary greatly depending on two factors. The first variable occurs if end users
are left to manually
configure their devices. The configuration process requires high-level IT knowledge to
understand and if one step is incorrect, they
are left vulnerable to credential theft. We highly recommend
using dedicated 802.1X onboarding software instead.
https://www.securew2.com/solutions/802-1x 4/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
KEY TAKEAWAYS
One of the most secure protocols for network authentication, trumping WPA2/3-PSK and Open/Unencrypted
connections
Is 802.1X Encrypted?
Yes, 802.1X is encrypted.
802.1X WPA is generally reserved for personal networks, such as your home Wi-Fi, and runs on RC4-based TKIP
(Temporal Key
Integrity Protocol) encryption. It's less secure than WPA2, but usually sufficient for home use.
802.1X WPA2 could utilize TKIP, but generally chooses AES (Advanced Encryption Standard), which is the most
secure standard
available. It is a little more difficult and costly to set up however, so it's used in
higher-stake environments like businesses.
There are just a few components that are needed to make 802.1X work. Realistically, if you
already have access points and some
spare server space, you possess all the hardware needed to make secure
wireless happen. Sometimes you don't even need the
server; some access points come with built-in software that
can operate 802.1X (though only for the smallest of small
deployments).
Regardless of whether you purchase professional solutions or build one yourself from open source tools, the
quality and ease of
802.1X is entirely a design aspect.
KEY TAKEAWAYS
802.1X only includes four major components: client, access-point/switch, RADIUS server, and identity
provider
Client / Supplicant
In order for a device to participate in the 802.1X authentication, it must have a piece of software called a
supplicant installed in the
network stack.
We use The supplicant
cookies is necessary
to provide the as it will participate
best user experience possible on in
ourthe initial
negotiation
website. of the
If you would like EAPmore
to learn transaction with the
click here. switch or
Accept
https://www.securew2.com/solutions/802-1x 5/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
Fortunately, almost all devices we might expect to connect to a wireless network have a supplicant built-in.
SecureW2 provides an
802.1X supplicant for devices that don't have one natively.
Thankfully, the vast majority of device manufacturers have built-in support for 802.1X. The most common
exceptions to this might
be consumer gear, such as game consoles, entertainment devices or some printers.
Generally speaking, these devices should be
less than 10% of the devices on your network and are best treated
as the exception rather than the focus.
KEY TAKEAWAYS
Software on the device that contains the configuration and connection data (certificates/credentials)
which is sent to the
access-point/switch
Most OSs for going back 10-15 years have 802.1X support, IoT.support is lacking but catching up
The switch/controller initiates the exchange by sending an EAPOL-Start packet to the client when the client
connects to the
network. The client's responses are forwarded to the correct RADIUS server based on the
configuration in the Wireless Security
Settings. When the authentication is complete, the switch/controller
makes a decision whether to authorize the device for network
access based on the user's status and possibly
the attributes contained in the Access_Accept packet sent from the RADIUS server.
If the RADIUS server sends an Access_Accept packet as a result of an authentication, it may contain certain
attributes that provide
the switch with information on how to connect the device on the network. Common
attributes will specify which VLAN to assign a
user to, or possibly a set of ACLs (Access Control Lists) the
user should be given once connected. This is commonly called 'User
Based Policy Assignment' as the RADIUS
server is making the decision based on user credentials. Common use cases would be to
push guest users to a
'Guest VLAN' and employees to an 'Employee VLAN'.
KEY TAKEAWAYS
These devices facilitate communication between the device and the RADIUS server.
The access-point/switch is where you configure the network to use 802.1X instead of
Open/Unencrypted or WPA2/3-PSK.
Act as enforcement points when RADIUS servers return precise access control policy
RADIUS Server
The RADIUS server acts as the
“security guard” of the network; as users connect to the network, the RADIUS authenticates their
identity and
authorizes them for network use. A user becomes authorized for network access after enrolling for a
certificate from
the PKI (Private Key Infrastructure) or confirming their credentials. Each time the user
connects, the RADIUS confirms they have the
correct
Wecertificate
use cookiesor to
credentials
provide theand prevents
best any unapproved
users
user experience possible on our from accessing
website. the network.
If you would like to learn more click here. Accept
https://www.securew2.com/solutions/802-1x 6/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
A key security mechanism to employ when using a RADIUS is server certificate validation.
This guarantees that the user only
connects to the network they intend to by configuring their device to
confirm the identity of the RADIUS by checking the server
certificate. If the certificate is not the one which
the device is looking for, it will not send a certificate or credentials for
authentication. This prevents
users from falling victim to an Evil Twin proxy attack.
RADIUS servers can also be used to authenticate users from a different organization. Solutions like Eduroam use RADIUS servers
as proxies (such as
RADSEC). If a student visits a neighboring university, the RADIUS server can authenticate their status at
their
home university and grant them secure network access at the university they are currently visiting.
KEY TAKEAWAYS
RADIUS Servers are the decision points for devices requesting access to of the protected side of network
RADIUS Servers interact with identity providers to authenticate, authorize and report connections
SecureW2 can help you set up SAML to authenticate users on any Identity Provider for Wi-Fi access. Here are
guides to integrating
with some popular products.
Developing a robust WPA2-Enterprise network requires additional tasks, such as setting up a PKI or CA
(Certificate Authority) and
seamlessly distributing certificates to users. But contrary to what you might
think, you can make any of these upgrades without
buying new hardware or making changes to the infrastructure.
For example, rolling out guest access or changing the authentication
method can be accomplished without
additional infrastructure.
Recently, many institutions have been switching EAP methods from PEAP to EAP-TLS after seeing noticeable
improvement in
connection time and roaming ability. Improving the functionality of wireless networks can be
gained without changing a single
piece of hardware.
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
https://www.securew2.com/solutions/802-1x 7/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
KEY TAKEAWAYS
802.1X traditionally requires a directory (on-prem or cloud) so the RADIUS can communicate to identify
each user and
what level of access they are allowed.
Directories use username/passwords which makes them vulnerable to major security issues
Newer cloud identity providers (Azure AD, Okta, Google) can interact with next-gen RADIUS to
do passwordless identity
authorization.
1. Initialization
The Initialization step starts when the authenticator detects a new device and attempts to establish a
connection. The
authenticator port is set to an “unauthorized” state, meaning that only 802.1X traffic will
be accepted and every other
connection will be dropped.
2. Initiation
The authenticator starts transmitting EAP-Requests to the new device, which then sends EAP responses back to
the
authenticator. The response usually contains a way to identify the new device. The authenticator
received the EAP response
and relays it to the authentication server in a RADIUS access request packet.
3. Negotiation
Once the authentication server receives the request packet, it will respond with a RADIUS access challenge
packet containing
the approved EAP authentication method for the device. The authenticator will then pass on
the challenge packet to the device
to be authenticated.
4. Authentication
Once the EAP method is configured on the device, the authentication server will begin sending configuration
profiles so the
device will be authenticated. Once the process is complete, the port will be set to
“authorized” and the device is configured to
the 802.1X network.
KEY TAKEAWAYS
Typically 802.1X authentication begins with the client requesting access, the RADIUS server verifying
the user against the
identity provider, and the access-point/switch allowing access
802.1X authentication works best via certificate because both the user and device context is taken
authentication to
prevent over-the-air credential theft.
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
https://www.securew2.com/solutions/802-1x 8/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
While this isn't part of the 802.1X authentication process, we get a lot of questions about accounting, as
RADIUS Servers are often
referred to as AAA (Authentication, Authorization, Accounting) servers.
VLAN
A VLAN, or Virtual Local Area Network, is a method of configuring your network to emulate a LAN with all of
the management and
security benefits it provides.
Basically, VLANs are segmenting your network to organize the security rules found on a network. For example,
the Open/Guest
network is usually put in a different VLAN than the secure network. This helps to make sure
that devices and network resources
that are on one VLAN aren't affected if anything bad happened on a seperate
VLAN.
Digital certificates make VLAN assignment a snap because attributes can be encoded into the certificate that
the RADIUS uses to
authenticate. You could set up a policy so that anyone with the email domain
“it.company.com” would be automatically assigned a
different VLAN segment than “sales.company.com”.
MAC Authentication
MAC authentication, or MAC address authentication, is a simple security measure in which you create a list of
approved MAC
addresses that are allowed network access..
Unfortunately, it's not difficult to spoof MAC addresses, so MAC authentication is rarely deployed on
enterprise levels.
MAC RADIUS
MAC RADIUS is a form of MAC Authentication. Instead of using a credential or a certificate to authorize a
device, the RADIUS
confirms the MAC address and authenticates.
MAC Bypass
The primary use of MAC Bypass is to tie-in devices that don't support 802.1X (like game consoles, printers,
etc.) to your network.
However, it's still vulnerable, so it should be in a separate VLAN.
Manually configuring a Windows device requires the user to set up a new wireless network, enter a network
name, set the security
type, adjust network settings, set the authentication method, and many more steps.
While it's certainly possible to complete this
process accurately, it is highly complex and much more
difficult than an onboarding software designed for efficiency.
The process for configuring Windows OS with SecureW2 requires the user to connect the onboarding SSID and
open an internet
browser. The user is sent to SecureW2's
JoinNow onboarding software. After clicking JoinNow, a graphic will indicate the progress
of the
configuration. The user will then be prompted to enter their credentials and the device will be authenticated
and equipped
with a certificate.
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
https://www.securew2.com/solutions/802-1x 9/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
In order to manually configure macOS, the end user needs to know how to create an enterprise profile, install
a client security
certificate, verify the certificate, and adjust the network settings. The process isn't too
difficult for someone with a background in IT,
but it is risky for the average network user because of the
high-level technical information involved with each step.
Downloading the SecureW2 JoinNow Suite for macOS enables automation so end users are not required to complete
the process.
The setup is similar to Windows OS; the end user starts by connecting to the onboarding
SSID and opens a browser. After
downloading the .DMG file and entering their credentials, the
configuration process begins. The entire
configuration
and
authentication requires only a few steps, allowing the end user to sit back while the device
configures.
Configuring manually via Wi-Fi settings requires you to create a network profile, configure Server
Certificate Validation (which
requires uploading the CA used on the RADIUS Server and the common name), and
configuring the authentication method. If you
use device onboarding software, all these steps are done by an
application that can be downloaded from the Play Store that will
configure your organization's network
settings for you.
Manual configuration means you need to create a network profile in the Wi-Fi settings and configure Server
Certificate validation
and the authentication method. The process is much simpler with onboarding software
because SecureW2 can push a mobile
config file to an iPhone device and configure the network settings
automatically.
The manual configuration is relatively simple. Open up Network Manager, select Edit Connections, find your
access point and click
Edit. A new window will open up, choose the tab that says 802.1X settings and input the
information of your network.
For one device, this is a straightforward process. If you need to onboard many devices (and users), you need
SecureW2's automatic
device onboarding software. Click here to learn more.
KEY TAKEAWAYS
802.1X settings can include SSID, EAP-type, Auth protocols, certificate/certificate and server
certificate validation which
trusts the authentic RADIUS server (vs. Evil twin)
Auto-configuration via onboarding software or MDM or manual configuration are the options.
802.1X vs WPA2-Enterprise
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
https://www.securew2.com/solutions/802-1x 10/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
802.1X is an IEEE standard framework for encrypting and authenticating a user who is trying to associate to a
wired or wireless
network. WPA-Enterprise uses TKIP with RC4 encryption, while WPA2-Enterprise adds AES
encryption.
Vulnerabilities in 802.1X
No security protocol is invulnerable, and 802.1X is not an exception.
Wireless 802.1X's most common configurations are WPA-PSK (pre-shared key, also called WPA-Personal) and WPA
or WPA2
Enterprise.
PSK is the simplest and the most vulnerable. A password is configured on the access point and distributed to
users of the network.
It's intended for personal use, mostly in homes. It's easily cracked with a
run-of-the-mill brute force attack, and is also susceptible to
all other common attacks.
Enterprise-level wireless networks are typically not compromised by brute force attacks because their network
administrator will
have mandated complex passwords and reset policies. Particular vulnerabilities vary
depending on the authentication standard
used by the enterprise network.
PEAP MSCHAPv2 was once the industry standard for WPA2-Enterprise networks, but it's been cracked. There are still many
organizations
using this standard, despite the inherent vulnerabilities to over-the-air attacks.
EAP-TTLS/PAP is another common standard that is also very vulnerable to over-the-air attacks. It's
particularly weak because
credentials are sent in clear text, so it's a simple matter for hackers to intercept
and steal. Further exacerbating the problem is the
rising popularity of Cloud RADIUS servers. Many of them
only support EAP-TTLS/PAP, so end users are forced to send their
credentials in clear text over the internet.
The strongest WPA2-Enterprise standard is EAP-TLS. It relies on the asymmetrical cryptography of digital
certificates for
authentication, which renders it immune to over-the-air attacks. Even if a hacker intercepts
the traffic, they will only harvest one half
of the public-private key pair – which is useless without the
other half.
KEY TAKEAWAYS
Leaving 802.1X configuration to the end user risks misconfiguration and security compromise.
Trusting the right RADIUS Server vs. an evil twin is very important but not mandatory in 802.1X
so ensure certificate
validation is always enabled.
SecureW2 is trusted by some of the biggest companies in the world to provide the highest level of security
and peace of mind. Our
software solutions can be integrated seamlessly into your current network
infrastructure or stand on their own as a fully-managed
network security service.
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
https://www.securew2.com/solutions/802-1x 11/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
We have affordable options for organizations of any size. Check out our pricing to
learn more.
KEY TAKEAWAYS
Make RADIUS connection decisions based on both user and device information
Consider a cloud-native RADIUS solution that integrates with cloud identities without
password based LDAP
TECHNOLOGY SOLUTIONS
RADIUS AAA
VERTICAL SOLUTIONS
For Enterprise
For SMB
For K12
PRODUCTS
JoinNow MultiOS
JoinNow NetAuth
RESOURCES
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
https://www.securew2.com/solutions/802-1x 12/13
22/06/2022, 16:42 What is 802.1X? How Does it Work?
PKI Explained
PEAP-MSCHAPv2 Vulnerability
Pitfalls of EAP-TTLS-PAP
CONTACT US
+1 888 363-3824
+1 512 900-5515
SUPPORT
Log In
Careers
PARTNERS
All logos and trademarks are the property of their respective owners.
2022 SecureW2
Privacy Policy
We use cookies to provide the best user experience possible on our website. If you would like to learn more click here. Accept
https://www.securew2.com/solutions/802-1x 13/13