If you’re investigating things like enterprise WPA and/or NAC based network control you’ll probably run into the fact that it uses 802.1x protocol. So what is 802.1x?
Basically the long and short of it is IEEE 802.1x is just a protocol to pass EAP over wired/wireless LANs. EAP on the other hand is just a protocol to take the AP/RAS/switch/router out of the stream of authentication. It is a way of tunneling the authentication request to a Radius server and let the two figure out the authentication without the AP/RAS/switch/router having to handle it.
A good primer on the subject is here:
Incidentally the user unfriendly term “supplicant” will often come up. Much as it sounds like something fancy, it isn’t. In most regards it just means the client you’re trying to connect to the network, however more officially it’s the process(es) on the client taking care of the 802.1x authentication. The client runs the supplicant to authenticate, to quote:
The wireless node that requests authentication is often called Supplicant, although it is more correct to say that the wireless node contains a Supplicant. The Supplicant is responsible for responding to Authenticator data that will establish its credentials. The same goes for the access point; the Authenticator is not the access point. Rather, the access point contains an Authenticator. The Authenticator does not even need to be in the access point; it can be an external component.
So ultimately the “supplicant” is really a program running on the client. Also see:
which also is a useful document.
As a final note, often the EAP passed in the 802.1x conversation is encapsulated in what’s called “PEAP” (yes, all of the acronyms are a pain!). Essentially PEAP is a public key based method of encrypting the EAP payload via SSL/TLS, thus protecting the authentication from prying eyes.
Leave a Reply