The 802.1X authentication mechanism is an upper-layer authentication mechanism and comprises a supplicant (802.11 Station), an Authenticator (Access Point) and an Authentication Server (e.g. RADIUS). Numerous methods of upper-layer authentication are specified in various RFCs. Some examples are provided below:
- EAP-TLS
- EAP-TTLS
- EAP-GTC
- PEAP-MSCHAPv2
- LEAP, etc.
The 802.1X mechanism involves the following steps:
- An EAP-Request/Identity is sent by the Authenticator (AP)
- An EAP-Response/Identity is sent back by the 802.11 Station
- The EAP-Response/Identity contains an identifier of the supplicant on the 802.11 Station
- The Authenticator forwards the identity response from the 802.11 Station to the RADIUS server in a RADIUS Access-Request packet
- The RADIUS server provides a list of EAP methods to the Authenticator in a RADIUS Access-Challenge
- The Authenticator (AP) forwards the RADIUS Access-Challenge to the 802.11 Station as an EAP packet
- If the 802.11 Station accepts the EAP method sent by the Authentication Server, authentication proceeds with that method
- If the 802.11 Station does not accept the EAP methods sent by the Authentication Server, it sends a NAK message containing the list of EAP methods it supports
- Both the Authentication Server and the 802.11 Station must agree on a particular EAP method before exchanging the EAP handshake frames that lead to generation of the Pairwise Master Key
- At the end of the EAP handshake, the AP and the 802.11 Station hold the Pairwise Master Key material
- The last packet in the EAP handshake is an EAP Success message
Figure: EAP authentication providing the Pairwise Master Key for the EAPOL handshake
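The identity exchange and the method-proposal / NAK loop described in the steps above, as an added example that is not part of the original page: it encodes and parses EAP packets in the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data), validates the Length field against the buffer, and simulates a server proposing methods until the supplicant accepts one or the server runs out of candidates. The method lists, the identity string and the `negotiate` helper are assumptions for illustration.

```python
import struct

# EAP codes and method type numbers from RFC 3748 / IANA (standard values)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3
TYPE_GTC, TYPE_TLS, TYPE_TTLS, TYPE_PEAP = 6, 13, 21, 25

def eap_pack(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    """Parse an EAP packet; reject a Length that does not fit the buffer."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    body = pkt[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):      # Success/Failure carry no Type
        return code, ident, None, b""
    if not body:
        raise ValueError("Request/Response without Type octet")
    return code, ident, body[0], body[1:]

def negotiate(server_methods, supplicant_methods, identity=b"user@example.org"):
    """Hypothetical simulation of the negotiation between Authentication Server
    and Station. Returns (trace, agreed_method); agreed_method is None on Failure."""
    trace, ident = [], 1
    req = eap_pack(EAP_REQUEST, ident, TYPE_IDENTITY)               # AP -> STA
    trace.append(eap_unpack(req))
    resp = eap_pack(EAP_RESPONSE, ident, TYPE_IDENTITY, identity)  # STA -> AP -> RADIUS
    trace.append(eap_unpack(resp))
    candidates = list(server_methods)
    while candidates:
        ident += 1
        proposed = candidates.pop(0)
        trace.append(eap_unpack(eap_pack(EAP_REQUEST, ident, proposed)))  # server proposes
        if proposed in supplicant_methods:
            return trace, proposed            # accepted: the method handshake now proceeds
        # Nak (Type 3): Type-Data lists the method types the supplicant supports
        nak = eap_pack(EAP_RESPONSE, ident, TYPE_NAK, bytes(supplicant_methods))
        trace.append(eap_unpack(nak))
        # server drops any remaining candidate the supplicant did not list
        candidates = [m for m in candidates if m in supplicant_methods]
    trace.append(eap_unpack(eap_pack(EAP_FAILURE, ident + 1)))
    return trace, None
```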