Terms:
Supplicant - The User or Client to be authenticated
RADIUS Server - The Server doing the authentication
Authenticator - The device between the Supplicant & the RADIUS Server
EAPOL - Extensible Authentication Protocol Over LANs

How it Works:
The Authenticator sends an EAP request packet to the Supplicant.
The Supplicant sends an EAP packet to the Authenticator.
The Authenticator sends a packet to the RADIUS Server.
The RADIUS Server challenges the Authenticator with a token or password.
The Authenticator changes it from IP to EAPOL.
The Supplicant responds to the challenge and passes it to the Authentication Server.
If the challenge is successful, the Authentication Server responds with a success message allowing access to the LAN.

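The translation step performed by the Authenticator, as an added example that is not part of the original slides: the same EAP packet is carried in an EAPOL frame on the Supplicant side and in RADIUS EAP-Message attributes (type 79, RFC 3579) on the server side. The function names and the sample identity are made up for illustration, and the RADIUS packet header and Message-Authenticator attribute are left out.

```python
import struct

EAPOL_EAP_PACKET = 0     # EAPOL packet type 0 carries an EAP packet
RADIUS_EAP_MESSAGE = 79  # RADIUS EAP-Message attribute type (RFC 3579)
MAX_ATTR_VALUE = 253     # 255-byte attribute limit minus type and length bytes

def make_eap(code: int, ident: int, data: bytes = b"") -> bytes:
    """EAP header: code (1=Request, 2=Response, 3=Success, 4=Failure), id, length."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def eapol_wrap(eap: bytes, version: int = 2) -> bytes:
    """Prefix the EAPOL header: version, packet type, body length."""
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap)) + eap

def eapol_unwrap(frame: bytes) -> bytes:
    """Extract the EAP packet, rejecting frames whose lengths do not add up."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL frame does not carry an EAP packet")
    body = frame[4:4 + body_len]         # bytes past this are Ethernet padding
    if len(body) != body_len or body_len < 4:
        raise ValueError("EAPOL body shorter than declared")
    eap_len = struct.unpack("!H", body[2:4])[0]
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length field is inconsistent with the EAPOL body")
    return body[:eap_len]

def to_radius_attrs(eap: bytes) -> bytes:
    """Supplicant -> server: split the EAP packet across EAP-Message attributes."""
    out = b""
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[i:i + MAX_ATTR_VALUE]
        out += bytes([RADIUS_EAP_MESSAGE, len(chunk) + 2]) + chunk
    return out

def from_radius_attrs(attrs: bytes) -> bytes:
    """Server -> supplicant: join EAP-Message values, skipping other attributes."""
    eap, i = b"", 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if attrs[i] == RADIUS_EAP_MESSAGE:
            eap += attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return eap

# Constructed sample: EAP-Response/Identity (EAP type 1) from a made-up user.
IDENTITY = make_eap(2, 1, b"\x01" + b"alice@example.test")
```
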
Key Aspects:
Supplicant = End station software
Authenticator = Wired switch or SSID
Authentication Server = Ensures certificates or passwords are correct

Benefits:
IEEE Standard
98% of all switches support 802.1x
Good authentication
‘Pre-connect’ enforcement of access policies

Drawbacks:
Incompatibilities with certain switches
Some security issues
Tough to deploy
Does not have a ‘post-connect’