IEEE 802.1X

A notable example of the issue occurred in 2005 when a machine attached to Walmart's network hacked thousands of their servers.

The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator.

[10] EAPOL operates at the data link layer; in Ethernet II framing it is carried with the EtherType value 0x888E.

This is particularly useful when an EAP method providing mutual authentication is used, as the supplicant can prevent data leakage when connected to an unauthorized network.

The typical authentication procedure consists of:

An open-source project named Open1X produces a client, Xsupplicant.

The block period can be configured in the registry through the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc\BlockTime DWORD value[15] (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc\BlockTime for wireless networks), entered in minutes.

Windows XP has major issues with its handling of the IP address changes that result from user-based 802.1X authentication changing a client's VLAN, and therefore its subnet.

[20] Windows Vista-based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed into the wrong VLAN.

[21] Windows 7 based computers that are connected via an IP phone may not authenticate as expected and, consequently, the client can be placed into the wrong VLAN.

[26][27] eduroam (the international roaming service) mandates the use of 802.1X authentication when providing network access to guests visiting from other eduroam-enabled institutions.

[28] BT (British Telecom, PLC) employs Identity Federation for authentication in services delivered to a wide variety of industries and governments.

Examples include network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones.

[31] EAPOL-Logoff frames transmitted by the 802.1X supplicant are sent in the clear and contain no data derived from the credential exchange that initially authenticated the client.

[32] They are therefore trivial to spoof on shared media and can be used as part of a targeted DoS on both wired and wireless LANs.

The 802.1X-2010 specification, which began as 802.1af, addresses vulnerabilities in previous 802.1X specifications by using MACsec (IEEE 802.1AE) to encrypt data between logical ports (running on top of a physical port) and IEEE 802.1AR (Secure Device Identity / DevID) to authenticate devices.

[7][8][33][34] As a stopgap, until these enhancements are widely implemented, some vendors have extended the 802.1X-2001 and 802.1X-2004 protocol, allowing multiple concurrent authentication sessions to occur on a single port.

EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter.

[Figure: Sequence diagram of the 802.1X progression (initiated by the supplicant)]
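The framing described above (EAPOL on EtherType 0x888E, EAP inside EAPOL, EAP re-encapsulated in RADIUS) and the EAPOL-Logoff weakness noted earlier can be seen concretely by building and parsing the frames. The following is an added example written for this page, not code from the IEEE standard or from any supplicant project such as Open1X. The EAPOL packet-type numbers, the EAP codes (RFC 3748), the PAE group address 01:80:C2:00:00:03 and the RADIUS EAP-Message attribute type 79 (RFC 3579) come from the standards; the MAC addresses and the identity string are constructed sample input. Nothing here is sent on a wire: the frames exist only as byte strings.

```python
import struct
from typing import List

# EAPOL rides directly on Ethernet with EtherType 0x888E (as stated in the article).
ETHERTYPE_EAPOL = 0x888E
# 802.1X PAE group address: destination for supplicant-originated EAPOL on wired LANs.
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")

# EAPOL packet types from IEEE 802.1X.
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# EAP codes and the Identity method type (RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

# RADIUS attribute that carries EAP between authenticator and server (RFC 3579).
RADIUS_ATTR_EAP_MESSAGE = 79


def build_eapol(src_mac: bytes, eapol_type: int, body: bytes = b"", version: int = 2) -> bytes:
    """Ethernet II frame: dst | src | EtherType | EAPOL header (version, type, body length) | body."""
    if len(src_mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    eapol_header = struct.pack("!BBH", version, eapol_type, len(body))
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol_header + body


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """EAP packet: code | identifier | length (of the whole EAP packet) | type | type-data."""
    type_data = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(type_data)) + type_data


def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header; Request/Response packets also carry a method type."""
    if len(packet) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    out = {"code": code, "identifier": identifier, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        out["type"] = packet[4]
        out["type_data"] = packet[5:length]
    return out


def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame, rejecting anything that is not well-formed EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    out = {
        "dst": frame[:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "version": version,
        "type": EAPOL_TYPE_NAMES.get(ptype, f"unknown({ptype})"),
        "body_len": body_len,
    }
    if ptype == EAPOL_EAP_PACKET:
        out["eap"] = parse_eap(body)  # only type 0 carries an EAP packet
    return out


def radius_eap_message_attrs(eap_packet: bytes) -> List[bytes]:
    """Re-encapsulate an EAP packet as RADIUS EAP-Message attributes (type | length | value).
    A RADIUS attribute value holds at most 253 bytes, so longer EAP packets are split
    across consecutive EAP-Message attributes, which the server reassembles in order."""
    chunks = [eap_packet[i:i + 253] for i in range(0, len(eap_packet), 253)]
    return [bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(c)]) + c for c in chunks]


def forge_logoff(victim_mac: bytes) -> bytes:
    """An EAPOL-Logoff is an empty EAPOL body with the supplicant's MAC as source.
    No field depends on the preceding EAP exchange, so anyone on the same segment can
    build a byte-identical frame from the victim's (visible) MAC alone."""
    return build_eapol(victim_mac, EAPOL_LOGOFF)
```

The useful observation is the last function: the frame a real supplicant sends on logoff is fully determined by its MAC address, so an authenticator that honours EAPOL-Logoff without any link-layer protection (the MACsec path that 802.1X-2010 adds) is accepting an unauthenticated instruction to tear down an authenticated session.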