Today we are talking about 802.1X, like authenticating a device coming into a conference room.
What is 802.1X? In simple terms, it is an authentication mechanism that we leverage.
We're going to talk about 802.1X specifically on the LAN. You can use 802.1X on the wireless network as well, but today we are going to talk about wired ports, or the local area network. It uses the Extensible Authentication Protocol (EAP) to authenticate a device.
For example in common areas like conference rooms, there are people coming into these areas where you don't really know who they are, maybe you don't want to give them network access. 802.1X authenticates that device to say, should I give them access to the network at all? Or should I give them guest access or maybe I only give them corporate access? 802.1X is that facility that looks and checks: what is this device, should it be on my network and does it get corporate access? So as soon as you plug into a wired port, EAP goes out and tries to authenticate that device whether through a certificate or a MAC address and asks itself: do I recognize this device?
For example, if I plug in my laptop and I've got domain membership and I'm configured for 802.1X, it will give me corporate access on that wired port. If I unplug and plug in another device that maybe isn't on-boarded into the corporate environment, but I have my authentication service configured for it, that device gets guest access, meaning access to the Internet but no access to the corporate infrastructure.
Lastly if I wanted to, I could just say if you're not a part of our domain and you plug in to one of these ports, you will not get access. 802.1X can provide some authentication mechanism for physical access to your network. It really helps around security so ideally in those conference rooms or public use spaces, you can secure those ports leveraging 802.1X.
There are a couple of components with 802.1X. There's obviously the switch, which does the authentication and initiates the EAP (Extensible Authentication Protocol) exchange. Then there's the back-end authentication server, which is traditionally RADIUS. You need to configure all three: the switch, the RADIUS server, and the host. The host that's authenticating needs to be enabled for 802.1X. If it's not, you can configure the switch to do something called MAC Authentication Bypass, where it looks at the MAC address of the device and asks, do I match a list? If it does, the device gets corporate access or whatever kind of security policy you want to set. Additionally, if a device fails authentication, you have the option to give it access to a guest network so it gets internet access only, or you can just say it gets no access to your network at all, not even internet access.
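The decision flow described above, modeled as a small Python sketch. This is an added example, not a switch or RADIUS configuration from the original post; the class and function names, the sample hosts and the rule that MAC Authentication Bypass is tried only for hosts without 802.1X are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    CORPORATE = "corporate"
    GUEST = "guest"   # internet only
    DENY = "deny"     # no network access at all


@dataclass(frozen=True)
class Host:
    mac: str
    supplicant: bool = False            # host is enabled for 802.1X
    cert_subject: Optional[str] = None  # identity presented over EAP


@dataclass(frozen=True)
class Policy:
    trusted_subjects: frozenset         # identities the RADIUS server accepts
    mab_list: dict                      # MAC -> access level (hypothetical list)
    on_failure: Access = Access.GUEST   # set to Access.DENY to refuse outright


def radius_decision(host: Host, policy: Policy) -> Optional[Access]:
    """Stand-in for the RADIUS server; None means the request was rejected."""
    if host.supplicant:
        # EAP path: only a recognised credential earns corporate access.
        if host.cert_subject in policy.trusted_subjects:
            return Access.CORPORATE
        return None
    # Assumption: MAB is tried only when the host does not speak 802.1X.
    return policy.mab_list.get(host.mac.lower())


def authorize_port(host: Host, policy: Policy) -> Access:
    """Stand-in for the switch: apply the RADIUS answer or the failure policy."""
    decision = radius_decision(host, policy)
    return decision if decision is not None else policy.on_failure


# Constructed sample data, not from a real network.
POLICY = Policy(frozenset({"laptop01.corp.example"}),
                {"00:11:22:33:44:55": Access.CORPORATE})
LAPTOP = Host("aa:bb:cc:00:00:01", supplicant=True, cert_subject="laptop01.corp.example")
PRINTER = Host("00:11:22:33:44:55")   # no supplicant, on the MAB list
VISITOR = Host("de:ad:be:ef:00:01")   # unknown device

if __name__ == "__main__":
    for h in (LAPTOP, PRINTER, VISITOR):
        print(h.mac, authorize_port(h, POLICY).value)
```

Changing `on_failure` to `Access.DENY` models the stricter option, where a device that fails authentication gets no access at all.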
So that's it, 802.1X is perfect for public use ports and public use spaces and it provides that layer of security so somebody can't just walk into your environment and get access to the corporate network.
As always if you have any questions on getting 802.1X set up for you and your business and would like to schedule a free consultation with us, please reach out to us at firstname.lastname@example.org and we’ll be happy to help!
Sean Barr, President