Problem solve Get help with specific problems with your technologies, process and projects.

How do you authenticate in 802.1x?

Expert answer about the multiple authentication methods available.

Are you confused about authentication methods within 802.1x? If so, you're not alone. For example, one

reader sent in a question about the various authentication methods. He noted that there are references to many different authentication methods, but does that mean you can use any? One or more? And what difference does it make?

Here's the question, edited just a bit:

"When deploying 802.1x, can we use EAP-MD5, EAP-TLs, token cards, Kerberos, one-time passwords, or certificates as the authentication method? (Some others even call these "authentication types" and that makes it even more confusing).

"Or do EAP-MD5, EAP-TLs, etc. and token cards, Kerberos, etc. actually play different roles in 802.1x and EAP infrastructure? Please help me to clarify this issue and thanks in advance." mobile security expert Kevin Beaver replied on September 25.

"The 802.1x framework utilizes Extensible Authentication Protocol (EAP) as a way to authenticate and control traffic on protected wired and wireless networks. 802.1x is just a framework that various products support. When using this framework, you can use EAP for authentication of the traffic. Within EAP, you can choose one of the various authentication methods (tokens, PKI, etc.). Check out the following links for more information:

Ed. Note: The first of these references states the following, in part:

"After the link establishment phase is complete, the authenticator sends one or more requests to authenticate the peer. The request has a type field to indicate what is being requested. Examples of request types include identity, MD5-challenge, one-time passwords, generic token card, etc. The MD5-challenge type corresponds closely to the CHAP authentication protocol.

Typically, the authenticator will send an initial identity request followed by one or more requests for authentication information. However, an initial identity request is not required, and may be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.)."

This was last published in October 2003

Dig Deeper on Wireless network security

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.