802.1X

Way back in the dawn of time when connecting to the internet meant you could not simultaneously talk on the phone, a group of Electrical and Electronics Engineers got together and created a group of standards for different types of networks like  LAN (Local Area Network), PAN (Personal Area Network), and MAN (Metropolitan Area Network).  Each number after 802 deals with a different aspect of these networks overall - you’ve almost certainly heard of 802.11, which is for Wireless LANs, and you’re probably familiar with 802.3 (Ethernet).  802.1x technically defines the Extensible Authentication Protocol over a LAN (EAPOL), but its friends call it the IEEE standard for port-based network access control.   
 
No doubt this left you with a burning desire to explore the rest of the 802 standards - check out this Wikipedia article that goes into more detail.

Yes.

What?

While it was initially developed as a layer 2 wired protocol because wireless LANs did not yet exist, it now encompasses both wired (connecting to a port on a switch) and Wi-Fi (connecting to an Access Point.) Fun fact - Wi-Fi is actually a trademarked term by the Wi-Fi Alliance, which is a non-profit organization dedicated to performing testing and certifying compatibility with IEEE Standards for 802.11 between products.  You will probably recognize some of the key sponsors of the Wi-Fi Alliance - Apple, Comcast, Sony, Samsung, Cisco, Motorola, and more.  Learn more at https://www.wi-fi.org.

• There are 3 parties involved in 802.1x authentication:
  The Supplicant - the entity requesting access, i.e. your laptop, server, IoT device, etc.
• The Authenticator - the device the supplicant wants to connect to (a switch or a wireless access point)
• The Authentication Server - a RADIUS server that grants or denies access. Note: Some access points come with built-in software that can act as an Authentication Server for 802.1x, but they are usually only capable of handling very small deployments.

The Supplicant talks to the Authenticator using an EAP method, then the Authenticator talks to the Authentication Server. The Supplicant and the Authentication Server never talk to each other.

• Initialization: The Authenticator detects a new device (the Supplicant) and attempts to establish a connection. The only traffic that will be accepted on the port at this point is 802.1x traffic - meaning everything is encrypted, and the Supplicant has no access to any network resources yet.
• Initiation: The Authenticator starts transmitting EAP-Requests to the Supplicant, which require info like credentials and MAC address. The supplicant sends back EAP responses with that information filled in. The Authenticator then sends this information to the Authentication Server, aka the RADIUS server.
• Negotiation: The Authentication server checks the info against an Identity Provider (think Azure or Google) and then if all is well, sends an Access_Accept packet to the Authenticator.
• Authentication: The authentication server will begin sending configuration profiles to the Authenticator which may contain additional information such as which VLAN to place them on and what resources they have access to (commonly called role-based access.) These are then passed on to the Supplicant, and boom! You’re connected.

The are many great things about this process from a security standpoint - one, the supplicant is providing information about itself before it’s actually connected to anything. Two, it never actually connects to the Authentication Server itself. Three, all of the data passed back and forth is encrypted. Four, the use of a RADIUS server has a whole host of advantages for network security - especially if its cloud-based.

802.1x is highly secure, but it’s not invulnerable. It’s still only as good as the security policies you create, and if you’re only using username/password credentials, well, that still puts you at some risk. If you’ve implemented 802.1x with a RADIUS server, a great strategy is to incorporate certificate-based authentication along with regular credentials. This lets you validate the device as well as the user and adds a critical extra layer of security. Another option is to add MAC-based filtering; although MAC addresses can be spoofed it would be very difficult for a hacker to identify just what is allowed on your network and what isn’t.