
802.1x - not just for wireless?

A look at how you can use 802.1x protocol to authenticate on a LAN.

If you've had the opportunity to implement any 802.11 wireless equipment in your network, you've probably encountered the 802.1x protocol, which is primarily used to authenticate users to "the network" as opposed to a server or a Windows domain. This is an important feature for many wireless networks because it keeps hackers from accessing the network from your parking lot or other areas where they can receive your RF signal but aren't subject to physical security controls, like badge readers.

But what you may not realize is that 802.1x authentication isn't just for wireless users. Many Ethernet switch vendors support 802.1x in their switches as well. This is particularly good news for companies that have offices in shared space or multi-tenant facilities. If your offices are such that it's easy for someone to walk in unannounced and sit down at an unoccupied cubicle, or if you have a lot of guests who might be inclined to surf your intranet while you're not looking, you should strongly consider taking advantage of 802.1x.

At a high level, it works by keeping every port on your switch from forwarding traffic until the attached device has authenticated. Once a device, such as a laptop, is plugged into a port on the switch, the switch sees the line come up and sends a challenge to the laptop. Special 802.1x client software on the laptop's OS receives this challenge and displays a window on the screen for the user to enter their username and password (alternately, digital certificates or other multi-factor authentication mechanisms can be used). It then sends the response back to the switch, which in turn sends it to an authentication server, such as a RADIUS server. If the RADIUS server says your username and password are OK, the switch enables the port and makes it a member of whatever VLAN you specify.
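The port-based exchange just described, as an added example that is not part of the original article: a small model of the switch port (authenticator) relaying the supplicant's identity and credential to a RADIUS server and opening the port only on Access-Accept. The user table, the password check and the one-step credential exchange are constructed stand-ins for a real RADIUS backend and EAP method; the VLAN assignment uses the Tunnel-Private-Group-ID attribute defined in RFC 3580.

```python
# Added example (not from the article): a model of wired 802.1X port control.
# The port starts in the unauthorized (blocking) state, relays the supplicant's
# identity and credential to RADIUS, and forwards traffic only after
# Access-Accept, in the VLAN the server returns. Message names follow the real
# protocol; the user table and credential check are constructed stand-ins.
from dataclasses import dataclass, field
from typing import Optional

# constructed user database: identity -> (password, VLAN to assign)
USERS = {"alice": ("s3cret", 20), "bob": ("hunter2", 30)}


class RadiusServer:
    def access_request(self, identity, credential):
        """Answer an Access-Request with Access-Accept plus attributes, or Access-Reject."""
        record = USERS.get(identity)
        if record and record[0] == credential:
            # RFC 3580: the VLAN to assign is carried in Tunnel-Private-Group-ID
            return "Access-Accept", {"Tunnel-Private-Group-ID": record[1]}
        return "Access-Reject", {}


@dataclass
class SwitchPort:
    radius: RadiusServer
    authorized: bool = False          # 802.1X "unauthorized" state until RADIUS accepts
    vlan: Optional[int] = None
    log: list = field(default_factory=list)

    def forwards(self, frame_type):
        # An unauthorized port passes only EAPOL frames (EtherType 0x888E)
        return self.authorized or frame_type == "EAPOL"

    def link_up(self, identity, credential):
        """Run the exchange when a device is plugged in; return True if the port opens."""
        self.log.append("switch -> supplicant: EAP-Request/Identity")
        self.log.append(f"supplicant -> switch: EAP-Response/Identity ({identity})")
        self.log.append(f"switch -> RADIUS: Access-Request for {identity}")
        code, attrs = self.radius.access_request(identity, credential)
        self.log.append(f"RADIUS -> switch: {code}")
        if code == "Access-Accept":
            self.authorized = True                 # port now forwards user traffic
            self.vlan = attrs["Tunnel-Private-Group-ID"]
            self.log.append(f"switch -> supplicant: EAP-Success (VLAN {self.vlan})")
        else:
            self.log.append("switch -> supplicant: EAP-Failure (port stays blocked)")
        return self.authorized
```

A rejected login leaves the port blocked for everything except EAPOL, so a guest plugging into an empty cubicle gets no access to the intranet.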

For most switch vendors, this feature is included in the basic software and no special upgrades are required. On the client side, Windows XP and most recent Linux distributions have the 802.1x client software installed. For Windows 2000, 802.1x support comes with Service Pack 4, or if you have some aversion to SP4, you can get it with SP3 plus a special patch, which is available on Microsoft's Web site. In Windows, the 802.1x software is implemented in a service called "Wireless Configuration", so if you see this in your "Services" dialog, you're good to go.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years' experience in the networking industry, and co-author of several books on networking, most recently CCSP™: Secure PIX and Secure VPN Study Guide, published by Sybex.

This was last published in February 2004
