Closest I can do to layman's terms, slightly oversimplified, and limited to just WPA2 for simplicity's sake:

802.1X is NOT an encryption type; it is an authentication mechanism.

WPA2 is a security scheme that specifies two main aspects of your wireless security:

- Authentication: Your choice of PSK ("Personal") or 802.1X ("Enterprise").
- Encryption: always AES-CCMP.

If you're using WPA2 security on your network, you have two authentication choices: You either have to use a single password for the whole network that everyone knows (this is called a Pre-Shared Key or PSK), or you use 802.1X to force each user to use his own unique login credentials (e.g. username and password).

Regardless of which authentication type you've set up your network to use, WPA2 always uses a scheme called AES-CCMP to encrypt your data over the air for the sake of confidentiality, and to thwart various other kinds of attacks.

802.1X is "EAP over LANs" or EAPoL. EAP stands for "Extensible Authentication Protocol", which means it's kind of a plug-in scheme for various authentication methods.

- Do you want to authenticate your users with usernames and passwords? Then "PEAP" is a good EAP type to use.
- Do you want to authenticate your users via certificates? Then "EAP-TLS" is a good EAP type to use.
- Are the devices on your network all GSM smartphones with SIM cards? Then you can use "EAP-SIM" to do GSM SIM-card style authentication to get on your network.

If you set up your wireless router to use 802.1X, it needs to have a way to authenticate your users via some EAP type. Some routers may have the ability for you to input a list of usernames and passwords right on the router, and the router knows how to do the whole authentication all by itself. But most will probably require you to configure RADIUS. RADIUS is a protocol that allows you to keep your username and password database on a central server, so you don't have to make changes on each separate wireless router each time you add or delete a user or a user changes his password or something. Wireless routers that do 802.1X generally don't know how to authenticate users directly; they just know how to gateway between 802.1X and RADIUS so that the wireless client machines are actually getting authenticated by a RADIUS server on the network, and it's the RADIUS server that knows how to deal with various EAP types.

If your wireless router's user interface has "802.1X" on a list of encryption types, then it probably means "802.1X with dynamic WEP", which is an old scheme where 802.1X is used for authentication, and per-user per-session WEP keys are dynamically generated as part of the authentication process, and thus WEP is ultimately the encryption method used.

Long Answer, not so much in layman's terms:

IEEE 802.1X is a way to do per-user or per-device authentication for wired or wireless Ethernet LANs (and potentially other network schemes in the IEEE 802 family).

To answer your question about two logical port entities, there are two separate concepts in the 802.1X spec that you may be referring to.

First, the 802.1X spec defines client and server roles for the 802.1X protocol, but it calls them the Supplicant and Authenticator, respectively. Within your wireless client or your wireless router you have software that performs the role of the 802.1X Supplicant or Authenticator. The software that performs that role is called a Port Access Entity or PAE by the spec.

Second, the spec mentions that within, say, your wireless client machine, there must be a way for your 802.1X Supplicant software to access your wireless interface in order to send and receive EAP packets to accomplish authentication, even when no other networking software on your system is allowed to use the wireless interface yet (because the network interface isn't trusted until it's been authenticated). So in the weird engineering legalese of IEEE spec documents, it says there's a logical "uncontrolled port" that the 802.1X client software hooks up to, and a "controlled port" that the rest of the network stack hooks up to. When you first attempt connection to an 802.1X network, only the uncontrolled port is enabled while the 802.1X client does its thing. Once the connection has been authenticated (and, say, WPA2 AES-CCMP encryption has been set up to protect the rest of your network transmissions), then the controlled port is enabled so that the rest of the system sees that network link as "up".
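The controlled/uncontrolled port split from the long answer, as an added Python model that is not part of the original answer: EAPoL frames (EtherType 0x888E) always reach the PAE through the uncontrolled port, the EAPOL and EAP headers are parsed, and the controlled port is authorized only when an EAP-Success arrives. The frame bytes in `demo()` are constructed, and the class and function names are my own.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E   # EAP over LANs (EAPoL): the only traffic the uncontrolled port carries
ETHERTYPE_IPV4 = 0x0800    # ordinary upper-layer traffic, which needs the controlled port
EAPOL_EAP_PACKET = 0       # EAPOL packet type 0 = EAP-Packet (1 = Start, 2 = Logoff, 3 = Key)
EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}

@dataclass
class SupplicantPort:
    """The two logical ports behind one physical interface on a client (hypothetical model):
    EAPoL frames always reach the PAE via the uncontrolled port; other traffic crosses
    the controlled port only after an EAP-Success."""
    authorized: bool = False
    pae_log: list = field(default_factory=list)

    def handle(self, ethertype: int, payload: bytes) -> str:
        if ethertype == ETHERTYPE_EAPOL:
            return self._pae(payload)            # uncontrolled port: always open to the PAE
        if self.authorized:
            return "forwarded"                   # controlled port: the link is "up"
        return "dropped"                         # controlled port: interface not yet trusted
    def _pae(self, frame: bytes) -> str:
        # EAPOL header: version(1) type(1) body-length(2), then the EAP packet as the body
        if len(frame) < 4:
            return "malformed"
        _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
        body = frame[4:4 + length]
        if eapol_type != EAPOL_EAP_PACKET:       # EAPOL-Start/Logoff/Key carry no EAP packet
            self.pae_log.append(f"eapol-type-{eapol_type}")
            return "eapol"
        if len(body) < 4:                        # EAP header: code(1) identifier(1) length(2)
            return "malformed"
        code, ident, _eap_len = struct.unpack("!BBH", body[:4])
        name = EAP_CODES.get(code, "unknown")
        self.pae_log.append(f"eap-{name}-id{ident}")
        if code in (3, 4):                       # EAP-Success opens the controlled port, EAP-Failure closes it
            self.authorized = code == 3
        return f"eap-{name}"

def demo() -> list:
    """Constructed sample frames (not a capture) that walk the port through authentication."""
    port = SupplicantPort()
    eap_request_identity = b"\x02\x00\x00\x05" + b"\x01\x01\x00\x05\x01"  # EAPOL + EAP Request/Identity
    eap_success = b"\x02\x00\x00\x04" + b"\x03\x01\x00\x04"               # EAPOL + EAP Success
    ipv4 = b"\x45\x00\x00\x14" + b"\x00" * 16                              # stand-in IPv4 header
    return [port.handle(ETHERTYPE_EAPOL, eap_request_identity),
            port.handle(ETHERTYPE_IPV4, ipv4),       # before authentication: dropped
            port.handle(ETHERTYPE_EAPOL, eap_success),
            port.handle(ETHERTYPE_IPV4, ipv4)]       # after EAP-Success: forwarded
```

Note that the same EAPoL gating is what lets an unauthenticated client exchange EAP packets with the authenticator while every other frame is discarded, which is why the rest of the stack sees the link as down until the PAE finishes.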