802.1x is an IEEE standard that defines how to identify a user and grant a user access to a network. 802.1x is a link layer, or Layer 2, authorization protocol that defines how a user is granted port-based access to a network. 802.1x is composed of three major components: supplicant, authenticator, and authentication server. The supplicant resides on the end-device to identify the user. The authenticator can exist in a Catalyst LAN switch, wireless access point, or router and forwards authentication requests from the supplicant device to the authentication server. The authentication server contains knowledge of the authorized users and the network privileges that should be granted to a user for network access. The Cisco ACS server is an example of an authentication server.
802.1x communication occurs between the supplicant and the authenticator. Communication between the authenticator and authenticator server is in the form of RADIUS records. EAP types are used to communicate between the supplicant and the authentication server. Many EAP types exist for different network scenarios, including one-way authentication (supplicant authenticates to authenticator), two-way authentication (protects supplicant devices against rouge authenticators), support for both wired (Ethernet) and wireless (WiFi) networks, and support for either passwords or digital certificates.
802.1x is a good base for user authentication. Other functionality can complement 802.1x user authentication. 802.1x also supports device or machine authentication. Machine authentication uses Microsoft’s Active Directory, so machine authentication is only supported for Microsoft Windows PCs. Cisco IBNS layers additional functionality on to an 802.1x network, including the ability to bypass authentication based upon MAC address and the WoL feature to activate and reboot an idle computer in order to remotely install software applications, patches, and updates. NAC can also leverage an 802.1x network to provide additional checks of the security posture on the authenticating device to ensure that the device has the proper antivirus, service packs, and hotfix updates to safely join the network. 802.1x is also supported in Cisco’s IOS routers and can implement additional security for remote employees and teleworkers by using 802.1x to allow the employee to safely access the corporate network while allowing other users on the home network to access the Internet without connecting through the corporate network.