802.1X Network Access Control

802.1X, colloquially called Dot1x, a working group within the 802 project of the IEEE for standards in local area networks (LAN). The focus of this working group is on port-based authentication and authorization in 802-based networks.

Table of contents

Where and for what can I use the 802.1X standard?

The 802.1X standard is used in both classic wired and wireless networks. The standard aims to keep unwanted users and devices out of the network. Therefore Dot1x is a useful addition to network separation.

802.1X not only controls where and when "wanted" users can access your network, but also whether "unwanted devices" get any form of access at all.

For example: no access to the internal network, but access to the Internet or a network filled with honeypots.

Authentication, authentication and authorization

Authentication is the proof of one's identity to a third party.

Authentication is the verification of proof of identity.

Authorization is the granting of rights based on the authentication result.

The core components of 802.1X

Basically, authentication via 802.1X consists of three components:

  • The supplicant: a user or device that wishes to authenticate itself in order to gain access to the network.
  • The authenticator: often a switch or WLAN access controller (access point) that requires authentication of the supplicant.
  • The Authentication Server: the AAA server (e.g., RADIUS) that processes the authentication and tells the Authenticator what actions to implement for the Supplicant (for example, assign Access Control Lists (ACLs) and VLANs).

Unfortunately, it should be noted that not every device is Dot1x-capable. Network printers, for example, are often left out and cannot be made 802.1X-capable by free software projects.

To circumvent this problem, some authenticators offer the option of "MAC bypass": The affected device can authenticate itself using its MAC address. However, it must be pointed out that this runs the risk of creating a gateway for an attacker by means of MAC spoofing.

Communication path from the supplicant to the switch to the authentication server.

The EAP framework

The EAP (Extensible Authentication Protocol) is based directly on the data link layer in the OSI layer model. In 802 networks, the abbreviations EAPoL and EAPoW (for LAN and WLAN) are also frequently encountered.

As a framework, EAP offers many different authentication methods that can be used alone or flexibly combined with an authentication server: Starting with the classic user/password authentication (MD5-Challenge) over OTP-Challenges (One-Time-Password) up to TLS and GSM/UMTS Sim cards, but also certificates or Kerberos tickets.


No reaction from the supplicant and the "Fail" action being performed.

Sequence of an 802.1X authentication

The port status of an authenticator determines whether a supplicant is granted access to services on the LAN. The port starts in the unauthorized state. In this state, the port prohibits all incoming and outgoing traffic, except for 802.1x packets.

When the supplicant has been successfully authenticated, the port changes to the authorized state. This normalizes the traffic for the new network subscriber based on the rules and measures that apply to it.

A successful login with EAP/PEAP and the authorization of the port.

Table of contents

Do you want to be part of our team?