Foiling attempts to plug an unauthorized device directly into a local
area network (LAN) has been the purview of the IEEE's
802.1x standard since it was
introduced in 2001. Without the protection of 802.1x, hackers and other
security risks might be able to wreak havoc not only on the LAN itself
but also on wider Internet Protocol (IP) networks.
Of course, this becomes increasingly critical as more and more
devices such as IP phones connect to LANs and access the Internet
through applications like Voice over IP (VoIP).
Plug-In Authentication
The main tenet behind 802.1x is that any device that is plugged into a
network must be authenticated before any regular data traffic occurs.
As soon as the network cable from a device like a laptop computer or an
IP phone is physically plugged into a network or as soon as a device
attempts to gain access to a wireless Wi-Fi network, 802.1x must
determine the identity of the device and whether it is authorized to
access that network.
802.1x is limited to authenticating physical connections at the Data
Link layer (Layer 2 of the OSI model). Built on the Extensible
Authentication Protocol (EAP), 802.1x decides only whether a connection
is admitted; it offers no confidentiality or integrity protection for
the data communications that follow once it has authorized the
connection.
Three entities come into play in every 802.1x authentication
process. The standard calls any device that plugs into a network a
supplicant because it must first seek and be granted authorization to
access the network.
The entity that is responsible for the 802.1x authentication process
is called the authenticator. In many cases this is an Ethernet switch
on the LAN. The decision itself is made by an authenticating server,
which determines whether the supplicant is authorized to send traffic
over the network.
How it Works
Typically, traffic on any unoccupied access point to a network, such as
a port on a wired Ethernet switch or a wireless access point, is blocked
until the 802.1x authentication process has completed. The blocked
traffic includes all configuration mechanisms, such as Dynamic Host
Configuration Protocol (DHCP), as well as any other traffic, such as
HTTP data. When a device plugs into a network and is detected, the port
on the switch is set to "unauthorized" and only 802.1x traffic is
allowed.
As a first step in the 802.1x process, the authenticator requests
the identity of the supplicant. When the supplicant responds with a
packet containing its identity, the authenticator forwards this
information to the authenticating server, where the request for
authentication and authorization for access to the network is either
accepted or rejected. The authenticating server applies its
authentication rules to make this determination.
When a request for authentication is accepted by the authenticating
server, the authenticator sets the access port to 'authorized' and
normal network traffic can begin. Should the supplicant log off or
simply unplug its network cable from the network, the authenticator is
notified and the status of the port is returned to an unauthorized
state where only 802.1x traffic is allowed until another 802.1x
authorization process has been completed. (Figure 1 below)
Figure 1. 802.1x sets up connected devices for authentication
The messages that comprise the authorization process conform to EAP,
which was developed by the Internet Engineering Task Force (IETF)
in 1998 as RFC 2284 and updated in 2004 as RFC 3748. The messages between
the supplicant device and the authenticator are carried in an
encapsulation of EAP packets known as EAP over LAN (EAPoL).
The messages between the authenticator and the authenticating server
are formulated into a format that the authenticating server
understands. For example, these messages are often encapsulated into EAP
over RADIUS (EAPoR) packets if the authenticating server happens to be
a RADIUS server, a popular type of 802.1x authenticating server.
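The exchange described above, from link-up through the identity request, the
server's verdict and the port's return to the unauthorized state on logoff,
as an added example that is not part of the original article. It builds and
parses the EAPoL and EAP packet formats from IEEE 802.1X and RFC 3748 (the
EAPOL ethertype 0x888E, the EAPOL Start/Logoff/EAP-Packet types and the EAP
Code/Identifier/Length/Type header) and drives a three-party simulation. The
RADIUS side is a stand-in: a real server would run a full EAP method such as
EAP-TLS after the identity exchange, whereas the constructed AuthServer here
decides on an identity allow-list alone, and the class and function names are
this example's own.

```python
import struct

# Constants from IEEE 802.1X and RFC 3748
EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800          # carries DHCP, HTTP, ...: dropped while unauthorized
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse an EAP packet; reject short, truncated or typeless Request/Response."""
    if len(pkt) < 4:
        raise ValueError("EAP header too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    body = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type")
        return {"code": code, "id": ident, "type": body[0], "data": body[1:]}
    return {"code": code, "id": ident}


def build_eapol(ptype, body=b""):
    """EAPOL PDU (follows the Ethernet header): Version(1) Type(1) Length(2) Body."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def parse_eapol(pdu):
    if len(pdu) < 4:
        raise ValueError("EAPOL header too short")
    version, ptype, length = struct.unpack("!BBH", pdu[:4])
    if len(pdu) - 4 < length:
        raise ValueError("truncated EAPOL body")
    return {"version": version, "type": ptype, "body": pdu[4:4 + length]}


class AuthServer:
    """Stand-in for the RADIUS server (constructed policy: an identity allow-list)."""
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def access_request(self, eap_message):
        # In RADIUS the EAP packet rides inside EAP-Message attributes (type 79).
        eap = parse_eap(eap_message)
        if (eap["code"] == EAP_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY
                and eap["data"].decode(errors="replace") in self.allowed):
            return "Access-Accept", build_eap(EAP_SUCCESS, eap["id"])
        return "Access-Reject", build_eap(EAP_FAILURE, eap["id"])


class AuthenticatorPort:
    """One switch port: passes EAPOL only until the server accepts the supplicant."""
    def __init__(self, server):
        self.server, self.state, self.next_id = server, "unauthorized", 1

    def allows(self, ethertype):
        return self.state == "authorized" or ethertype == EAPOL_ETHERTYPE

    def identity_request(self):
        req = build_eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
        self.next_id = (self.next_id + 1) & 0xFF
        return build_eapol(EAPOL_EAP_PACKET, req)

    def receive(self, pdu):
        """Handle one EAPOL PDU from the supplicant; return the PDU to send back."""
        msg = parse_eapol(pdu)
        if msg["type"] == EAPOL_LOGOFF:          # device logged off or unplugged
            self.state = "unauthorized"
            return None
        if msg["type"] == EAPOL_START:           # device announces itself
            self.state = "unauthorized"
            return self.identity_request()
        if msg["type"] == EAPOL_EAP_PACKET:      # relay to the server, apply verdict
            verdict, reply = self.server.access_request(msg["body"])
            self.state = "authorized" if verdict == "Access-Accept" else "unauthorized"
            return build_eapol(EAPOL_EAP_PACKET, reply)
        return None


class Supplicant:
    def __init__(self, identity):
        self.identity = identity

    def respond(self, pdu):
        eap = parse_eap(parse_eapol(pdu)["body"])
        if eap["code"] == EAP_REQUEST and eap["type"] == EAP_TYPE_IDENTITY:
            resp = build_eap(EAP_RESPONSE, eap["id"], EAP_TYPE_IDENTITY,
                             self.identity.encode())
            return build_eapol(EAPOL_EAP_PACKET, resp)
        return None


def run_session(identity, allowed):
    """Link-up -> identity exchange -> server decision; returns (port, state trace)."""
    port, supp = AuthenticatorPort(AuthServer(allowed)), Supplicant(identity)
    states = [port.state]
    pdu = port.receive(build_eapol(EAPOL_START))   # EAPOL-Start from the supplicant
    port.receive(supp.respond(pdu))                 # Identity response, relayed to server
    states.append(port.state)
    return port, states


if __name__ == "__main__":
    port, states = run_session("ipphone-07", allowed=["ipphone-07"])   # constructed identity
    print(states, "IP traffic passes:", port.allows(IPV4_ETHERTYPE))
    port.receive(build_eapol(EAPOL_LOGOFF))
    print("after logoff:", port.state, "IP traffic passes:", port.allows(IPV4_ETHERTYPE))
```

The port object models the two states the article describes: `allows()` returns
true only for EAPOL frames while unauthorized, so DHCP and HTTP are dropped
until the server's Access-Accept arrives, and an EAPOL-Logoff puts the port
straight back into the unauthorized state. The parsers reject truncated
headers rather than reading past the end of the buffer, which is the check a
real authenticator must make on frames that arrive from an untrusted port.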
Generally, the supplicant software for initiating 802.1x
authentication is embedded in the operating system (OS) on practically
all PCs. For example, 802.1x supplicant software is contained in the
most popular OSs, including Windows XP, Windows Vista, Windows 2000
(Service Pack 3), and Linux.
If this software is not included in the version of Linux present on
the device, it can be added (for example, wpa_supplicant). Other types
of Ethernet devices also include 802.1x supplicant software, and
practically all Ethernet switches have authenticator software.