Security has three main components: authentication, to confirm that both sides of a transaction are authorised to exchange data; encryption, to protect the data in transit; and key management, to allow both sides to read each other's messages. Of the three, encryption gets the most press because it's easy to comprehend -- it's also the easiest to get right. 802.1x doesn't define any encryption standards; instead it handles authentication and key management. It can be used with any cipher and with many authentication methods.

At the heart of 802.1x is the Extensible Authentication Protocol (EAP). EAP describes how two network nodes pass messages to each other to request and answer authentication; the standard was originally devised for dial-up authentication over the Point-to-Point Protocol (PPP). 802.1x adds EAP over LAN (EAPOL), which carries the same EAP messages in LAN frames.

When a network access server -- typically a router or a wireless access point -- detects a new client, it sends an EAPOL message requesting its ID. The client returns the ID, which the access server then passes to an authentication server, commonly a RADIUS server. The authentication server then has a conversation with the client, with the access point relaying the messages, until the client is either accepted and authenticated or rejected altogether. Until this point, the only access the client has to the network is as a generator and consumer of EAPOL messages; nothing else is allowed.

Roaming between hotspots
Once the client is recognised and accepted, the authentication server can also provide authorisation for different levels of access, depending on the client's ID. This opens up the range of services that the client can access from the port provided by the access server, as well as potentially setting quality of service, rate caps and other user limits. Note that the RADIUS server can be far away from the access server, perhaps even on a different network, which opens up the possibility of roaming between different service providers of 802.11 hotspots.
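The three-party exchange described above, and the per-user authorisation that follows it, as an added simulation that is not part of the original article: the supplicant (client), the authenticator (access server) and a stand-in for the RADIUS server are plain Python objects, EAP-MD5-Challenge is used as the inner method only because it is the simplest one to show in full, and every identity, secret, challenge and policy value is constructed for the example.

```python
import hashlib
from dataclasses import dataclass
# EAP codes and types are the RFC 3748 values; every identity, secret and policy
# below is constructed for the example.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4

@dataclass
class Eap:
    code: int
    ident: int          # Identifier field, pairs a response with its request
    eap_type: int = 0
    data: bytes = b""
def md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # EAP-MD5-Challenge (RFC 3748 s5.4, CHAP): MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()
class AuthServer:
    """Stands in for the RADIUS server: checks credentials, returns per-user authorisation."""
    USERS = {"alice": (b"alice-secret", {"vlan": 20, "rate_kbps": 2000}),
             "guest": (b"guest-secret", {"vlan": 99, "rate_kbps": 256})}
    def __init__(self, challenge: bytes) -> None:
        self.challenge, self.identity = challenge, None
    def handle(self, pkt: Eap):
        if pkt.eap_type == TYPE_IDENTITY:            # ID arrives, relayed by the access server
            self.identity = pkt.data.decode()
            return Eap(EAP_REQUEST, pkt.ident + 1, TYPE_MD5_CHALLENGE, self.challenge), None
        entry = self.USERS.get(self.identity)
        if entry and pkt.data == md5_response(pkt.ident, entry[0], self.challenge):
            return Eap(EAP_SUCCESS, pkt.ident), entry[1]
        return Eap(EAP_FAILURE, pkt.ident), None
class Supplicant:
    def __init__(self, identity: str, secret: bytes) -> None:
        self.identity, self.secret = identity, secret
    def respond(self, req: Eap) -> Eap:
        if req.eap_type == TYPE_IDENTITY:
            return Eap(EAP_RESPONSE, req.ident, TYPE_IDENTITY, self.identity.encode())
        return Eap(EAP_RESPONSE, req.ident, TYPE_MD5_CHALLENGE,
                   md5_response(req.ident, self.secret, req.data))
class Authenticator:
    """Access server: relays EAP between the two and keeps the port closed until EAP-Success."""
    def __init__(self, server: AuthServer) -> None:
        self.server, self.authorized, self.policy = server, False, None
    def forward(self, frame: str) -> bool:
        return frame == "EAPOL" or self.authorized   # only EAPOL passes before authentication
    def authenticate(self, client: Supplicant) -> bool:
        pkt = Eap(EAP_REQUEST, 1, TYPE_IDENTITY)      # first EAPOL message: request the ID
        while pkt.code == EAP_REQUEST:
            pkt, self.policy = self.server.handle(client.respond(pkt))   # relay each round
        self.authorized = pkt.code == EAP_SUCCESS
        return self.authorized
```

After `authenticate()` returns True the authenticator's `policy` holds the VLAN and rate cap the server attached to that identity, which is the per-user authorisation the section above describes; a failed or unknown client leaves the port passing EAPOL only.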