Novell Doc: Novell ZENworks Network Access Control Users Guide

11.1 About 802.1X

802.1X is a port-based authentication protocol that can dynamically vary encryption keys, and has three components as follows:

Supplicant — The client; the endpoint that wants to access the network.
Authenticator — The access point, such as a switch, that prevents access when authentication fails. The authenticator can be simple and dumb.
Authentication server — The server that authenticates the user credentials; usually a Remote Authentication Dial-In User Service (RADIUS) server.

802.1X is an authentication framework that sends Extensible Authentication Protocol (EAP) messages packaged in Ethernet frames over LANs (EAPOL). This method provides a savings in overhead resources because it does not use all of the resources the typical Point-to-Point protocol requires.

EAP supports multiple authentication methods such as:

Kerberos — An authentication system that uses an encrypted ticket to authenticate users.
One-time passwords — An authentication system that uses a set of rotating passwords, each of which is used for only one login session.
Certificates — A method for identifying a user that links a public key to the user’s or company’s identity, allowing them to send digitally signed electronic messages.
Tokens — A credit-card or key-fob sized authentication endpoint that displays a number that is synchronized with the authentication server. The number changes over time, and the user is required to enter the current number as part of the authentication process.
Public key authentication — In an asymmetric encryption system, two keys are required; a public key and a private key. Either key can encrypt and decrypt messages, but cannot encrypt and decrypt the same message; that is, if the public key encrypts a message, the private key must decrypt the message.

The typical 802.1X connections are shown in Figure 11-1; The typical communication flow is as follows:

A Client (supplicant) requests access from the access point (AP) (authenticator).
The AP (authenticator) opens a port for EAP messages, and blocks all others.
The AP (authenticator) requests the client’s (supplicant’s) identity.
The Client (supplicant) sends its identity.
The AP (authenticator) passes the identity on to the authentication server.
The authentication server performs the authentication and returns an accept or reject message to the AP (authenticator).
The AP (authenticator) allows or blocks the client’s (supplicant’s) access to the network by controlling which ports are open or closed.

Figure 11-1 802.1X Components