802.1X, referred to in full as IEEE 802.1X, is a standard under the IEEE 802 group of protocols maintained by the IEEE 802 LAN/MAN Standards Committee (LMSC).
Based on the Extensible Authentication Protocol (EAP; RFC 2284), the 802.1X standard was developed for port-based Network Access Control and for use in closed wireless access points, in order to provide authentication to devices attached to LAN ports.
If authentication is successful, a point-to-point connection will be established; if authentication fails, the system prevents access from the LAN port. 802.1X was ratified in 2001.
Earlier systems, such as ISP and DSL connections, used the Point-to-Point Protocol (PPP). PPP provided authentication by identifying the user at the other end of the line, requiring a username and password before granting access to a connection.
EAP, which 802.1X employs, is an extension of PPP that provides a generalized framework for several different methods of authentication, such as passwords, challenge-response tokens and public-key infrastructure certificates. A standardized EAP simplifies the interoperability and compatibility of authentication methods, and ensures better security.
802.1X exists as a standard for passing EAP over a wired local area network (LAN) or a wireless one (WLAN), in a protocol known as EAP encapsulation over LANs (EAPOL). It bypasses PPP and packages EAP messages directly in Ethernet frames.
There are three elements in the process: the supplicant, which is the user or client seeking authentication in order to establish a connection; the authenticator, which is the device in between (a wireless access point, for example); and the authentication server, a third-party entity which provides the authentication. In a typical 802.1X set-up, the server used for authentication is a Remote Authentication Dial-In User Service (RADIUS) server.
In a typical mode of operation, an "EAP-Response/Identity" packet is sent to the supplicant by an authenticator once the authenticator detects that the link is active. The packet is then passed on to the RADIUS server, which sends back a challenge to the authenticator. The challenge is unpacked from IP by the authenticator, repackaged into EAPOL and sent to the supplicant.
Through the authenticator, the supplicant responds to the challenge and passes the response to the authentication server. The authenticator then responds with a success message sent back to the supplicant if the supplicant provides proper identity. The supplicant then obtains access to the LAN.
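The EAPOL packaging described above can be inspected frame by frame; the following Python sketch is an added example, not part of the original text, that builds and parses EAPOL frames carrying an EAP identity reply and a Success message. The function names, MAC addresses and the identity `alice@example.org` are constructed for illustration, and the frames use EAPOL version 1 with packet type 0 (EAP-Packet).

```python
import struct

EAPOL_ETHERTYPE = 0x888E                      # EtherType assigned to EAPOL
PAE_GROUP = bytes.fromhex("0180c2000003")     # 802.1X PAE group MAC address
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS"}

def build_eapol(dst, src, eap, pad_to=60):
    """Wrap an EAP packet in an EAPOL frame (version 1, packet type 0 = EAP-Packet)."""
    frame = dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 0, len(eap)) + eap
    return frame.ljust(pad_to, b"\x00")       # Ethernet pads short frames

def parse_eapol(frame):
    """Return the EAPOL/EAP fields of an Ethernet frame; raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + body_len]            # trust the length field, not the padding
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    out = {"version": version, "packet_type": ptype}
    if ptype != 0:                            # Start, Logoff, Key: no EAP packet inside
        return out
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len:
        raise ValueError("bad EAP length")
    out.update(code=EAP_CODES.get(code, code), id=ident)
    if code in (1, 2) and eap_len >= 5:       # only Request/Response carry a Type
        out["type"] = EAP_TYPES.get(body[4], body[4])
        out["data"] = body[5:eap_len]
    return out

def eap_packet(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet; Success/Failure have no Type or data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

# Constructed sample: the supplicant's identity reply and the final Success.
SUPPLICANT = bytes.fromhex("020000000001")    # constructed MAC addresses
AUTHENTICATOR = bytes.fromhex("020000000002")
IDENTITY_FRAME = build_eapol(PAE_GROUP, SUPPLICANT, eap_packet(2, 1, 1, b"alice@example.org"))
SUCCESS_FRAME = build_eapol(SUPPLICANT, AUTHENTICATOR, eap_packet(3, 2))

if __name__ == "__main__":
    print(parse_eapol(IDENTITY_FRAME))        # identity is readable in the clear
    print(parse_eapol(SUCCESS_FRAME))
```

The parser relies on the EAPOL and EAP length fields rather than the frame size, so Ethernet padding is ignored and truncated or inconsistent frames are rejected.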
802.1X is supported by operating systems such as Mac OS X, Windows Vista, Windows XP and the latest service pack of Windows 2000.