Where Did 802.1x Come From?

802.1x has its roots in the Point-to-Point Protocol (PPP). As you may recall, PPP was originally designed for dial-up connections and later applied to some DSL/cable modems (as the PPP-over-Ethernet, or PPPoE, protocol). PPP worked great, but was somewhat feature-limited as it only supported username/password combinations as an authentication method.

Enter EAP

EAP was originally created as an extension to PPP. The idea was to establish a generalized framework for multiple authentication methods. In other words, PPP with authentication plug-in modules. This way, you could authenticate your users any way you liked. For example, you could use things like passwords, certificates, tokens, PKI, smart cards, Kerberos, biometrics, <insert your authentication standard here>, etc. Having an open standard meant that you could future-proof your deployment because methods that had not yet been invented could always be added as an EAP type.

802.1x Framework

802.1x is simply a protocol for talking EAP over wired or wireless networks. In order to understand 802.1x, you must first understand its three basic components: supplicants, authenticators, and authentication servers (Figure 6.1).

  • Supplicant: The user or client requesting network access.

  • Authenticator: The middle man (usually the AP) that blocks/allows traffic.

  • Authentication Server: The machine that manages authentication information, usually a RADIUS server.

Figure 6.1. 802.1x framework.


To visualize the 802.1x process, imagine you're trying to get into a swanky new downtown club or bar. The supplicant is the person trying to get inside. The authenticator is the bouncer letting people in or keeping them out. The authentication server is the VIP list of people who are allowed inside.

Keep in mind that for this protocol to work, 802.1x and your chosen EAP method must be consistently supported across all three components. (More on EAP methods later in the chapter.) This was more of a problem in the early days when 802.1x was supported only by high-end APs and some operating systems. Now, support across supplicants, authenticators, and authentication servers is more widespread. Further, all WPA-compliant devices, by definition, support 802.1x.
