Alan Freedman -- The Computer Language Company - Computer Desktop Encyclopedia
Computer Desktop Encyclopedia
Longest-Running Tech Reference on the Planet

A CDE Definition

You'll love The Computer Desktop Encyclopedia (CDE) for Tech Term of the Day (TTOD)



An IEEE standard for network access control. Used predominantly in Wi-Fi wireless networks, 802.1X keeps the network port disconnected until authentication is completed. Depending on the results, the port is either made available to the user, or the user is denied access to the network.

Supplicant - Authenticator - Server
The client desiring access to a network is called the "supplicant." The device that provides the network port to the client is the "authenticator." In a wireless network, the authenticator is in the access point (AP). In a dial-up network, the authenticator is in the network access server (NAS). The device that contains usernames and passwords and authorizes the user is the "authentication server." In small networks, the authentication server can be located in the same unit as the authenticator.

802.1X uses the Extensible Authentication Protocol (EAP) for passing authentication messages. EAP comes from the dial-up environment, but "EAP Over LAN" (EAPOL) was created for packet networks such as Ethernet. 802.1X uses EAPOL to start and end the authentication session and pass EAP messages between the supplicant and authenticator and from the supplicant to the authentication server (via the authenticator). EAP messages from the authenticator to the authentication server typically use the RADIUS protocol. See EAP.

An 802.1X Network
The 802.1X protocol resides in the access point (the "authenticator"). The protocol keeps the port open until it receives authorization from an authentication server.


(Extensible Authentication Protocol) A protocol that acts as a framework and transport for other authentication protocols. EAP uses its own start and end messages but then carries any number of third-party messages between the client (supplicant) and access control node such as an access point in a wireless network. See PAP and CHAP.

EAP and LANs
EAP originated with the dial-up PPP protocol in order to support protocols beyond PAP and CHAP. For use on packet networks, EAP Over LAN (EAPOL) was created. EAPOL added new message types and allowed an Ethernet header to be prefixed onto EAP messages so they could be transmitted via Ethernet. Following are various EAP methods used mostly in wireless networks, but also in wired networks. See 802.1X, WPA and 802.11i.

EAP-TLS (EAP-Transport Layer Security)
Uses the handshake protocol in TLS, not its encryption method. Client and server authenticate each other using digital certificates. Client generates a pre-master secret key by encrypting a random number with the server's public key and sends it to the server. Both client and server use the pre-master to generate the same secret key.

Like EAP-TLS above except only the server has a certificate to authenticate itself to the client first. As in EAP-TLS, a secure connection (the "tunnel") is established with secret keys, but that connection is used to continue the authentication process by authenticating the client and possibly the server again using any EAP method or legacy method such as PAP and CHAP.

PEAP (Protected EAP)
Similar to EAP-TTLS above except it does not support legacy methods. It only moves EAP frames. Windows XP natively supports PEAP.

LEAP (Light EAP, Cisco LEAP)
From Cisco, first implementation of EAP and 802.1X for wireless networks. Uses preshared keys and MS-CHAP protocol to authenticate client and server to each other. Server generates and sends session key to access point. Client computes session key independently based on data received in the CHAP challenge.

(EAP-Flexible Authentication via Secure Tunneling)
Enhancement to LEAP from Cisco that provides an encrypted tunnel to distribute preshared keys known as "Protected Access Credential" (PAC) keys. PAC keys may be continuously refreshed to prevent dictionary attacks. EAP-FAST is defined in Cisco's Cisco Compatible Extensions (see CCX).

EAP-SIM (GSM Cellphones)
For GSM phones that switch between cellular and Wi-Fi networks, depending on which is in range. The Subscriber Identity Module (SIM) smart card in the GSM phone (see GSM) contains the secret key used for challenge/response authentication and deriving session keys for encryption.

Personal Use Only

Before/After Your Search Term

Terms By Topic
Click any of the following categories for a list of fundamental terms.
Computer Words You Gotta KnowSystem design
Job categoriesUnix/Linux
Interesting stuffPersonal computers
InternetIndustrial Automation/Process Control
Communications & networkingAssociations/Standards organizations
HistoryDesktop publishing
ProgrammingHealthcare IT
System design