15.7. Using 802.1X
Ordinarily, when you connect a computer to a network (via Ethernet, Wi-Fi, or some other means), that computer automatically has network access. The user may need to provide credentials to log in to specific servers or resources, but access to the local network itself (and, usually, to the Internet) is open. A networking protocol known as 802.1X aims to increase network security by requiring each device to authenticate (typically, with a username and password, although other means of authentication, such as smart cards and biometrics, are also supported) before any network access is granted — other than to the authentication mechanism itself.
A typical implementation of 802.1X involves a central authentication server — usually a RADIUS server — that maintains a database of each user's credentials. A device that wants to connect to the network is called a supplicant; it sends a request for authentication to a device called an authenticator, which functions as a network switch. As long as the switch is off, supplicants can communicate only with the authenticator. But once the authenticator has validated the user's credentials against the information on the authentication server, it flips the switch, and the supplicant's traffic travels freely through the authenticator to the rest of the network.
802.1X is used more frequently for wireless networks than for wired networks because its ...
Get Mac® Security Bible now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.