290:
597:. In summary, the flaw stems from the fact that 802.1X authenticates only at the beginning of the connection, but after that authentication, it's possible for an attacker to use the authenticated port if they have the ability to physically insert themselves (perhaps using a workgroup hub) between the authenticated computer and the port. Riley suggests that for wired networks the use of
159:. The authenticator forwards these credentials to the authentication server to decide whether access is to be granted. If the authentication server determines the credentials are valid, it informs the authenticator, which in turn allows the supplicant (client device) to access resources located on the protected side of the network.
624:
As a stopgap, until these enhancements are widely implemented, some vendors have extended the 802.1X-2001 and 802.1X-2004 protocol, allowing multiple concurrent authentication sessions to occur on a single port. While this prevents traffic from devices with unauthenticated MAC addresses ingressing on
274:
Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed, if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator, the
237:
To initiate authentication the authenticator will periodically transmit EAP-Request
Identity frames to a special Layer 2 address (01:80:C2:00:00:03) on the local network segment. The supplicant listens at this address, and on receipt of the EAP-Request Identity frame, it responds with an EAP-Response
154:
The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the
49:
The standard directly addresses an attack technique called
Hardware Addition where an attacker posing as a guest, customer or staff smuggles a hacking device into the building that they then plug into the network giving them full access. A notable example of the issue occurred in 2005 when a machine
187:
802.1X-2001 defines two logical port entities for an authenticated port—the "controlled port" and the "uncontrolled port". The controlled port is manipulated by the 802.1X PAE (Port Access Entity) to allow (in the authorized state) or prevent (in the unauthorized state) network traffic ingress and
609:
on both wired and wireless LANs. In an EAPOL-Logoff attack a malicious third party, with access to the medium the authenticator is attached to, repeatedly sends forged EAPOL-Logoff frames from the target device's MAC Address. The authenticator (believing that the targeted device wishes to end its
142:
is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is to be allowed, and various settings that should apply to that client's connection or setting. Authentication servers typically run software supporting the
567:
One option would be to disable 802.1X on that port, but that leaves that port unprotected and open for abuse. Another slightly more reliable option is to use the MAB option. When MAB is configured on a port, that port will first try to check if the connected device is 802.1X compliant, and if no
563:
Not all devices support 802.1X authentication. Examples include network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones. For those devices to be used in a protected network environment, alternative mechanisms must be provided to authenticate them.
258:
Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (The type of EAP based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point, the
492:
does not have native support for 802.1X. However, support can be added to WinPE 2.1 and WinPE 3.0 through hotfixes that are available from
Microsoft. Although full documentation is not yet available, preliminary documentation for the use of these hotfixes is available via a Microsoft blog.
191:
802.1X-2004 defines the equivalent port entities for the supplicant; so a supplicant implementing 802.1X-2004 may prevent higher-level protocols from being used if it is not content that authentication has successfully completed. This is particularly useful when an EAP method providing
1038:
265:
If the authentication server and supplicant agree on an EAP Method, EAP Requests and
Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a
604:
EAPOL-Logoff frames transmitted by the 802.1X supplicant are sent in the clear and contain no data derived from the credential exchange that initially authenticated the client. They are therefore trivially easy to spoof on shared media and can be used as part of a targeted
208:
358:. This client is currently available for both Linux and Windows. The main drawbacks of the Open1X client are that it does not provide comprehensible and extensive user documentation and that most Linux vendors do not provide a package for it. The more general
1182:
443:
server certificates are not supported by EAPHost, the
Windows component that provides EAP support in the operating system. The implication of this is that when using a commercial certification authority, individual certificates must be purchased.
242:
Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request
Identity
432:
The block period can be configured using the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc\BlockTime DWORD value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc\BlockTime for wireless networks) in the registry (entered in minutes). A
452:
Windows XP has major issues with its handling of IP address changes resulting from user-based 802.1X authentication that changes the VLAN and thus subnet of clients. Microsoft has stated that it will not backport the
123:
device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The
1265:
1137:
With Vista, this is not a problem at all with the SSO feature, however, this feature does not exist in XP and unfortunately, we do not have any plans to backport this feature to XP as it is just too complex a
155:
supplicant must initially provide the required credentials to the authenticator - these will have been specified in advance by the network administrator and could include a user name/password or a permitted
592:
In the summer of 2005, Microsoft's Steve Riley posted an article (based on the original research of
Microsoft MVP Svyatoslav Pidgorny) detailing a serious vulnerability in the 802.1X protocol, involving a
468:
Windows Vista-based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed into the wrong VLAN. A hotfix is available to correct this.
477:
Windows 7 based computers that are connected via an IP phone may not authenticate as expected and, consequently, the client can be placed into the wrong VLAN. A hotfix is available to correct this.
480:
Windows 7 does not respond to 802.1X authentication requests after initial 802.1X authentication fails. This can cause significant disruption to clients. A hotfix is available to correct this.
219:
On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the
102:
1183:"A computer that is connected to an IEEE 802.1X authenticated network through a VOIP phone does not connect to the correct network after you resume it from Hibernate mode or Sleep mode"
1117:
105:
EAP data is first encapsulated in EAPOL frames between the
Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or
1290:
1039:"A Windows XP-based, Windows Vista-based or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication"
1906:
89:(Secure Device Identity, DevID) in 802.1X-2010 to support service identification and optional point to point encryption over the internal LAN segment. 802.1X is part of the
544:(the international roaming service), mandates the use of 802.1X authentication when providing network access to guests visiting from other eduroam-enabled institutions.
576:
server to authenticate those MAC addresses, either by adding them as regular users or implementing additional logic to resolve them in a network inventory database.
429:
Windows defaults to not responding to 802.1X authentication requests for 20 minutes after a failed authentication. This can cause significant disruption to clients.
300:
642:
1601:
1089:"You experience problems when you try to obtain Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller"
1426:
259:
supplicant can start using the requested EAP Method, or do a NAK ("Negative
Acknowledgement") and respond with the EAP Methods it is willing to perform.
1020:
625:
an 802.1X authenticated port, it will not stop a malicious device snooping on traffic from an authenticated device and provides no protection against
130:
is a network device that provides a data link between the client and the network and can allow or block network traffic between the two, such as an
2831:
2826:
2821:
2816:
2811:
2806:
2801:
610:
authentication session) closes the target's authentication session, blocking traffic ingressing from the target, denying it access to the network.
618:
1151:"A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1X authentication when you use PEAP with PEAP-MSCHAPv2 in a domain"
238:
Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this
Identity response in a
2070:
1125:
895:
550:(British Telecom, PLC) employs Identity Federation for authentication in services delivered to a wide variety of industries and governments.
1208:"No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2"
460:
If users are not logging in with roaming profiles, a hotfix must be downloaded and installed if authenticating via PEAP with PEAP-MSCHAPv2.
2113:
1596:
1591:
1586:
315:
2986:
2881:
1002:
2747:
2488:
2483:
2473:
2468:
2463:
2458:
2453:
2448:
2438:
2433:
2428:
2423:
2413:
2408:
2403:
2398:
2383:
2378:
2373:
2368:
2363:
1395:
1298:
613:
The 802.1X-2010 specification, which began as 802.1af, addresses vulnerabilities in previous 802.1X specifications, by using MACsec
1646:
351:
1319:
1492:
1557:
1521:
1063:
568:
reaction is received from the connected device, it will try to authenticate with the AAA server using the connected device's
188:
egress to/from the controlled port. The uncontrolled port is used by the 802.1X PAE to transmit and receive EAPOL frames.
65:
networks and over 802.11 wireless networks, which is known as "EAP over LAN" or EAPOL. EAPOL was originally specified for
2917:
2907:
645:(PANA), which also carries EAP, although it works at layer 3, using UDP, thus not being tied to the 802 infrastructure.
2991:
1756:
1459:
1344:
980:
883:
802.1X forms part of the LLC sublayer and provides a secure, connectionless service immediately above the MAC sublayer.
530:
148:
58:
2182:
1701:
533:
with TLS 1.3 (EAP-TLS 1.3). Additionally, devices running iOS/iPadOS/tvOS 17 or later support wired 802.1X networks.
337:
1236:
1207:
1150:
1088:
941:
74:
77:(ANSI X3T9.5/X3T12 and ISO 9314) in 802.1X-2001, but was extended to suit other IEEE 802 LAN technologies such as
1881:
638:
319:
1609:
113:
802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The
2163:
2981:
2138:
1433:
224:
2118:
1639:
151:
protocols. In some cases, the authentication server software may be running on the authenticator hardware.
2547:
2108:
1811:
1726:
1706:
2950:
1679:
1655:
382:
275:
authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
2517:
1716:
1266:"The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0"
418:
1951:
594:
488:
For most enterprises deploying and rolling out operating systems remotely, it is worth noting that
899:
2955:
1816:
1806:
1786:
1632:
920:
2128:
1689:
228:
196:
is used, as the supplicant can prevent data leakage when connected to an unauthorized network.
156:
27:
1547:
2922:
2045:
1781:
966:
774:
193:
135:
115:
1618:
737:
2188:
1936:
1866:
794:
757:
440:
90:
1402:
8:
654:
172:
106:
1946:
502:
120:
39:
437:
is required for Windows XP SP3 and Windows Vista SP2 to make the period configurable.
2976:
2619:
2614:
2594:
2578:
2572:
2567:
2562:
2557:
2552:
2542:
2537:
2527:
2522:
2158:
2028:
1988:
1553:
976:
972:
713:
659:
572:
as username and password. The network administrator then must make provisions on the
307:
220:
1500:
366:
wireless networks and wired networks. Both support a very wide range of EAP types.
2512:
2178:
870:
784:
747:
1525:
1941:
1613:
1602:
Ultimate wireless security guide: Self-signed certificates for your RADIUS server
874:
863:
IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture
168:
797:
778:
760:
741:
2796:
1926:
1921:
1841:
1791:
1581:
510:
506:
454:
402:
396:
359:
311:
131:
86:
35:
705:
617:
to encrypt data between logical ports (running on top of a physical port) and
2970:
2902:
2846:
2841:
2836:
2786:
2781:
2776:
2766:
2742:
2718:
2706:
2695:
2684:
2672:
2667:
2662:
2657:
2644:
2633:
2123:
2103:
1956:
1931:
1861:
1751:
1696:
717:
679:
126:
23:
2886:
2876:
2624:
2609:
2604:
2599:
2589:
2532:
2173:
2168:
2153:
2148:
2143:
2093:
1545:
626:
614:
526:
82:
43:
2758:
2498:
2252:
2098:
2088:
2065:
2060:
2055:
2050:
2033:
2018:
1576:
1244:
1237:"Windows PE 2.1 does not support the IEEE 802.1X authentication protocol"
1215:
1158:
1096:
569:
378:
355:
101:
78:
2871:
2866:
2198:
2080:
2013:
2008:
2003:
1998:
1993:
1983:
489:
374:
70:
66:
31:
2932:
2912:
2770:
2023:
1916:
1911:
1896:
1886:
1876:
1856:
1851:
1836:
1826:
1821:
1801:
1796:
1776:
1771:
1766:
1761:
1746:
1711:
1606:
1118:"802.1x with dynamic vlan switching - Problems with Roaming Profiles"
789:
752:
176:
270:
Access-Accept packet), or an EAP-Failure message (encapsulated in a
2203:
1975:
1966:
1684:
1674:
1669:
878:
547:
386:
62:
81:
wireless in 802.1X-2004. The EAPOL was also modified for use with
2927:
2723:
2689:
2638:
2583:
2478:
2443:
2418:
2393:
2388:
2358:
2353:
2348:
2342:
2336:
2331:
2326:
2321:
2315:
2309:
2304:
2299:
2294:
2288:
2282:
2277:
2272:
2267:
2212:
1846:
1831:
1624:
1374:
582:
541:
406:
51:
2790:
2262:
2257:
2247:
2242:
2237:
2232:
2227:
2222:
2217:
1891:
1721:
573:
522:
434:
370:
363:
271:
267:
255:
239:
144:
706:"Big-Box Breach: The Inside Story of Wal-Mart's Hacker Attack"
2648:
2503:
2038:
1901:
1741:
1021:"20 minute delay deploying Windows 7 on 802.1x? Fix it here!"
598:
414:
410:
392:
529:, Apple devices support connecting to 802.1X networks using
1871:
1736:
1731:
1496:
1460:"Mitigating the Threats of Rogue Machines—802.1X or IPsec?"
1369:
866:
601:
or a combination of IPsec and 802.1X would be more secure.
254:
The authentication server sends a reply (encapsulated in a
1064:"EAPHost in Windows Vista and Longhorn (January 18, 2006)"
606:
207:
1546:
Philip Golden; Hervé Dedieu; Krista S. Jacobsen (2007).
1177:
1175:
968:
Mac OS X Unwired: A Guide for Home, Office, and the Road
621:(Secure Device Identity / DevID) authenticated devices.
579:
Many managed Ethernet switches offer options for this.
1432:. p. 622, Revision: A06-March 2011. Archived from
643:
Protocol for Carrying Authentication for Network Access
385:
has support for 802.1X since the release of 1.6 Donut.
421:
framework. Avenda also offers health checking agents.
1172:
199:
318:, and by adding encyclopedic content written from a
1522:"IEEE 802.1: 802.1X-2010 - Revision of 802.1X-2004"
1003:"NAP clients for Linux and Macintosh are available"
836:
834:
16:
IEEE standard for port-based Network Access Control
848:
846:
558:
204:The typical authentication procedure consists of:
1549:Implementation and Applications of DSL Technology
2968:
1539:
831:
1493:"2 February 2010 Early Consideration Approvals"
843:
457:feature from Vista that resolves these issues.
54:'s network hacked thousands of their servers.
34:group of networking protocols. It provides an
583:Vulnerabilities in 802.1X-2001 and 802.1X-2004
1640:
417:. They also have a plugin for the Microsoft
57:IEEE 802.1X defines the encapsulation of the
964:
38:mechanism to devices wishing to attach to a
1619:Wired Networking with 802.1X Authentication
896:"802.1X Port-Based Authentication Concepts"
93:(LLC) sublayer of the 802 reference model.
1647:
1633:
1552:. Taylor & Francis. pp. 483–484.
211:Sequence diagram of the 802.1X progression
1524:. Ieee802.org. 2010-01-21. Archived from
1427:"Dell PowerConnect 6200 series CLI Guide"
1345:"macOS 14 beta 4 developer release notes"
1007:Network Access Protection (NAP) team blog
788:
751:
553:
338:Learn how and when to remove this message
942:"The computer that keeps getting better"
780:Extensible Authentication Protocol (EAP)
743:Extensible Authentication Protocol (EAP)
206:
100:
1320:"iOS 17 beta 4 developer release notes"
2969:
299:contains content that is written like
1628:
1457:
939:
921:"eap_testing.txt from wpa_supplicant"
680:"Hardware Additions, Technique T1200"
389:has supported 802.1X since mid-2011.
162:
1291:"Adding Support for 802.1X to WinPE"
377:support 802.1X since the release of
283:
1396:"BT Identity and Access Management"
13:
1654:
965:Negrino, Tom; Smith, Dori (2003).
703:
279:
200:Typical authentication progression
59:Extensible Authentication Protocol
14:
3003:
2987:Computer access control protocols
1570:
395:has offered native support since
940:Sheth, Rajen (August 10, 2011).
516:
463:
288:
182:
1597:GetIEEE802 Download 802.1X-2001
1592:GetIEEE802 Download 802.1X-2004
1587:GetIEEE802 Download 802.1X-2010
1582:GetIEEE802 Download 802.1X-2020
1514:
1485:
1476:
1451:
1419:
1388:
1362:
1337:
1312:
1283:
1258:
1229:
1200:
1143:
1110:
1081:
1056:
1031:
1013:
995:
958:
933:
913:
888:
855:
819:IEEE 802.1X-2001, § 7.1 and 7.2
632:
587:
559:MAB (MAC Authentication Bypass)
822:
813:
804:
767:
730:
697:
672:
536:
1:
665:
509:and desktop integration like
483:
447:
350:An open-source project named
252:(Technically EAP negotiation)
1297:. 2010-03-02. Archived from
1243:. 2009-12-08. Archived from
1214:. 2010-03-08. Archived from
1157:. 2009-04-23. Archived from
1095:. 2007-09-14. Archived from
875:10.1109/IEEESTD.2014.6847097
472:
7:
1458:Riley, Steve (2005-08-09).
738:"EAP Usage Within IEEE 802"
648:
641:-backed alternative is the
629:, or EAPOL-Logoff attacks.
96:
10:
3008:
2951:IEEE Standards Association
946:Google Cloud Official Blog
424:
405:provides a supplicant for
30:(PNAC). It is part of the
2992:Computer network security
2941:
2895:
2859:
2757:
2497:
2197:
2079:
1974:
1965:
1662:
1025:Dude where's my PFE? blog
840:IEEE 802.1X-2010, page iv
828:IEEE 802.1X-2004, § 7.6.4
1370:"How does eduroam work?"
1295:The Deployment Guys blog
1122:Microsoft TechNet Forums
595:man in the middle attack
496:
167:EAPOL operates over the
2956:Category:IEEE standards
1482:IEEE 802.1X-2001, § 7.1
554:Proprietary extensions
212:
110:
28:network access control
852:IEEE 802.1X-2010, § 5
810:IEEE 802.1X-2001, § 7
320:neutral point of view
210:
194:mutual authentication
140:authentication server
136:wireless access point
104:
2982:Networking standards
1621:on Microsoft TechNet
91:logical link control
1577:IEEE page on 802.1X
655:AEGIS SecureConnect
505:support 802.1X via
503:Linux distributions
354:produces a client,
312:promotional content
173:Ethernet II framing
157:digital certificate
1612:2015-08-22 at the
783:. sec. 7.12.
314:and inappropriate
213:
163:Protocol operation
111:
2964:
2963:
2855:
2854:
1559:978-1-4200-1307-8
1270:Microsoft Support
1241:Microsoft Support
1212:Microsoft Support
1187:Microsoft Support
1155:Microsoft support
1093:Microsoft Support
1043:Microsoft Support
746:. sec. 3.3.
660:IEEE 802.11i-2004
348:
347:
340:
221:Internet Protocol
179:value of 0x888E.
61:(EAP) over wired
2999:
1972:
1971:
1649:
1642:
1635:
1626:
1625:
1564:
1563:
1543:
1537:
1536:
1534:
1533:
1518:
1512:
1511:
1509:
1508:
1499:. Archived from
1489:
1483:
1480:
1474:
1473:
1471:
1470:
1455:
1449:
1448:
1446:
1444:
1438:
1431:
1423:
1417:
1416:
1414:
1413:
1407:
1401:. Archived from
1400:
1392:
1386:
1385:
1383:
1382:
1366:
1360:
1359:
1357:
1356:
1341:
1335:
1334:
1332:
1331:
1316:
1310:
1309:
1307:
1306:
1287:
1281:
1280:
1278:
1277:
1262:
1256:
1255:
1253:
1252:
1233:
1227:
1226:
1224:
1223:
1204:
1198:
1197:
1195:
1194:
1179:
1170:
1169:
1167:
1166:
1147:
1141:
1140:
1134:
1133:
1124:. Archived from
1114:
1108:
1107:
1105:
1104:
1085:
1079:
1078:
1076:
1075:
1060:
1054:
1053:
1051:
1050:
1035:
1029:
1028:
1017:
1011:
1010:
999:
993:
992:
990:
989:
962:
956:
955:
953:
952:
937:
931:
930:
928:
927:
917:
911:
910:
908:
907:
898:. Archived from
892:
886:
885:
859:
853:
850:
841:
838:
829:
826:
820:
817:
811:
808:
802:
801:
792:
790:10.17487/RFC3748
771:
765:
764:
755:
753:10.17487/RFC3748
734:
728:
727:
725:
724:
701:
695:
694:
692:
691:
684:attack.mitre.org
676:
362:can be used for
343:
336:
332:
329:
323:
301:an advertisement
292:
291:
284:
175:protocol has an
73:Token Ring, and
3007:
3006:
3002:
3001:
3000:
2998:
2997:
2996:
2967:
2966:
2965:
2960:
2937:
2891:
2851:
2753:
2501:
2493:
2201:
2193:
2075:
1961:
1658:
1653:
1614:Wayback Machine
1573:
1568:
1567:
1560:
1544:
1540:
1531:
1529:
1520:
1519:
1515:
1506:
1504:
1491:
1490:
1486:
1481:
1477:
1468:
1466:
1456:
1452:
1442:
1440:
1436:
1429:
1425:
1424:
1420:
1411:
1409:
1405:
1398:
1394:
1393:
1389:
1380:
1378:
1368:
1367:
1363:
1354:
1352:
1349:Apple Developer
1343:
1342:
1338:
1329:
1327:
1324:Apple Developer
1318:
1317:
1313:
1304:
1302:
1289:
1288:
1284:
1275:
1273:
1264:
1263:
1259:
1250:
1248:
1235:
1234:
1230:
1221:
1219:
1206:
1205:
1201:
1192:
1190:
1181:
1180:
1173:
1164:
1162:
1149:
1148:
1144:
1131:
1129:
1116:
1115:
1111:
1102:
1100:
1087:
1086:
1082:
1073:
1071:
1062:
1061:
1057:
1048:
1046:
1037:
1036:
1032:
1019:
1018:
1014:
1001:
1000:
996:
987:
985:
983:
963:
959:
950:
948:
938:
934:
925:
923:
919:
918:
914:
905:
903:
894:
893:
889:
861:
860:
856:
851:
844:
839:
832:
827:
823:
818:
814:
809:
805:
773:
772:
768:
736:
735:
731:
722:
720:
702:
698:
689:
687:
678:
677:
673:
668:
651:
635:
590:
585:
561:
556:
539:
519:
499:
486:
475:
466:
450:
427:
344:
333:
327:
324:
305:
293:
289:
282:
280:Implementations
223:(and with that
202:
185:
169:data link layer
165:
132:Ethernet switch
99:
85:("MACsec") and
26:for port-based
17:
12:
11:
5:
3005:
2995:
2994:
2989:
2984:
2979:
2962:
2961:
2959:
2958:
2953:
2948:
2942:
2939:
2938:
2936:
2935:
2930:
2925:
2920:
2915:
2910:
2905:
2899:
2897:
2893:
2892:
2890:
2889:
2884:
2879:
2874:
2869:
2863:
2861:
2857:
2856:
2853:
2852:
2850:
2849:
2844:
2839:
2834:
2829:
2824:
2819:
2814:
2809:
2804:
2799:
2794:
2784:
2779:
2774:
2763:
2761:
2755:
2754:
2752:
2751:
2739:
2736:
2733:
2730:
2727:
2715:
2712:
2709:
2704:
2701:
2698:
2693:
2681:
2678:
2675:
2670:
2665:
2660:
2655:
2652:
2642:
2630:
2627:
2622:
2617:
2612:
2607:
2602:
2597:
2592:
2587:
2575:
2570:
2565:
2560:
2555:
2550:
2545:
2540:
2535:
2530:
2525:
2520:
2515:
2509:
2507:
2495:
2494:
2492:
2491:
2486:
2481:
2476:
2471:
2466:
2461:
2456:
2451:
2446:
2441:
2436:
2431:
2426:
2421:
2416:
2411:
2406:
2401:
2396:
2391:
2386:
2381:
2376:
2371:
2366:
2361:
2356:
2351:
2346:
2339:
2334:
2329:
2324:
2319:
2312:
2307:
2302:
2297:
2292:
2285:
2280:
2275:
2270:
2265:
2260:
2255:
2250:
2245:
2240:
2235:
2230:
2225:
2220:
2215:
2209:
2207:
2195:
2194:
2192:
2191:
2186:
2176:
2171:
2166:
2161:
2156:
2151:
2146:
2141:
2136:
2131:
2126:
2121:
2116:
2111:
2106:
2101:
2096:
2091:
2085:
2083:
2077:
2076:
2074:
2073:
2068:
2063:
2058:
2053:
2048:
2043:
2042:
2041:
2031:
2026:
2021:
2016:
2011:
2006:
2001:
1996:
1991:
1986:
1980:
1978:
1969:
1963:
1962:
1960:
1959:
1954:
1949:
1944:
1939:
1934:
1929:
1924:
1919:
1914:
1909:
1904:
1899:
1894:
1889:
1884:
1879:
1874:
1869:
1864:
1859:
1854:
1849:
1844:
1839:
1834:
1829:
1824:
1819:
1814:
1809:
1804:
1799:
1794:
1789:
1784:
1779:
1774:
1769:
1764:
1759:
1754:
1749:
1744:
1739:
1734:
1729:
1724:
1719:
1714:
1709:
1704:
1699:
1694:
1693:
1692:
1682:
1677:
1672:
1666:
1664:
1660:
1659:
1656:IEEE standards
1652:
1651:
1644:
1637:
1629:
1623:
1622:
1616:
1604:
1599:
1594:
1589:
1584:
1579:
1572:
1571:External links
1569:
1566:
1565:
1558:
1538:
1513:
1484:
1475:
1464:Microsoft Docs
1450:
1418:
1387:
1361:
1336:
1311:
1282:
1257:
1228:
1199:
1171:
1142:
1109:
1080:
1068:Microsoft Docs
1055:
1030:
1012:
994:
982:978-0596005085
981:
975:. p. 19.
973:O'Reilly Media
957:
932:
912:
887:
854:
842:
830:
821:
812:
803:
766:
729:
696:
670:
669:
667:
664:
663:
662:
657:
650:
647:
634:
631:
589:
586:
584:
581:
560:
557:
555:
552:
538:
535:
518:
515:
511:NetworkManager
507:wpa_supplicant
498:
495:
485:
482:
474:
471:
465:
462:
449:
446:
426:
423:
403:Avenda Systems
360:wpa_supplicant
346:
345:
316:external links
296:
294:
287:
281:
278:
277:
276:
263:Authentication
260:
246:
232:
231:), is dropped.
217:Initialization
201:
198:
184:
181:
164:
161:
98:
95:
36:authentication
15:
9:
6:
4:
3:
2:
3004:
2993:
2990:
2988:
2985:
2983:
2980:
2978:
2975:
2974:
2972:
2957:
2954:
2952:
2949:
2947:
2944:
2943:
2940:
2934:
2931:
2929:
2926:
2924:
2921:
2919:
2916:
2914:
2911:
2909:
2906:
2904:
2901:
2900:
2898:
2894:
2888:
2885:
2883:
2880:
2878:
2875:
2873:
2870:
2868:
2865:
2864:
2862:
2858:
2848:
2845:
2843:
2840:
2838:
2835:
2833:
2830:
2828:
2825:
2823:
2820:
2818:
2815:
2813:
2810:
2808:
2805:
2803:
2800:
2798:
2795:
2792:
2788:
2785:
2783:
2780:
2778:
2775:
2772:
2768:
2765:
2764:
2762:
2760:
2756:
2749:
2745:
2744:
2740:
2737:
2734:
2731:
2728:
2725:
2721:
2720:
2716:
2713:
2710:
2708:
2705:
2702:
2699:
2697:
2694:
2691:
2687:
2686:
2682:
2679:
2676:
2674:
2671:
2669:
2666:
2664:
2661:
2659:
2656:
2653:
2650:
2646:
2643:
2640:
2636:
2635:
2631:
2628:
2626:
2623:
2621:
2618:
2616:
2613:
2611:
2608:
2606:
2603:
2601:
2598:
2596:
2593:
2591:
2588:
2585:
2581:
2580:
2576:
2574:
2571:
2569:
2566:
2564:
2561:
2559:
2556:
2554:
2551:
2549:
2546:
2544:
2541:
2539:
2536:
2534:
2531:
2529:
2526:
2524:
2521:
2519:
2516:
2514:
2511:
2510:
2508:
2505:
2500:
2496:
2490:
2487:
2485:
2482:
2480:
2477:
2475:
2472:
2470:
2467:
2465:
2462:
2460:
2457:
2455:
2452:
2450:
2447:
2445:
2442:
2440:
2437:
2435:
2432:
2430:
2427:
2425:
2422:
2420:
2417:
2415:
2412:
2410:
2407:
2405:
2402:
2400:
2397:
2395:
2392:
2390:
2387:
2385:
2382:
2380:
2377:
2375:
2372:
2370:
2367:
2365:
2362:
2360:
2357:
2355:
2352:
2350:
2347:
2345:
2344:
2340:
2338:
2335:
2333:
2330:
2328:
2325:
2323:
2320:
2318:
2317:
2313:
2311:
2308:
2306:
2303:
2301:
2298:
2296:
2293:
2291:
2290:
2286:
2284:
2281:
2279:
2276:
2274:
2271:
2269:
2266:
2264:
2261:
2259:
2256:
2254:
2251:
2249:
2246:
2244:
2241:
2239:
2236:
2234:
2231:
2229:
2226:
2224:
2221:
2219:
2216:
2214:
2211:
2210:
2208:
2205:
2200:
2196:
2190:
2187:
2184:
2180:
2177:
2175:
2172:
2170:
2167:
2165:
2162:
2160:
2157:
2155:
2152:
2150:
2147:
2145:
2142:
2140:
2137:
2135:
2132:
2130:
2127:
2125:
2122:
2120:
2117:
2115:
2112:
2110:
2107:
2105:
2102:
2100:
2097:
2095:
2092:
2090:
2087:
2086:
2084:
2082:
2078:
2072:
2069:
2067:
2064:
2062:
2059:
2057:
2054:
2052:
2049:
2047:
2044:
2040:
2039:WiMAX · d · e
2037:
2036:
2035:
2032:
2030:
2027:
2025:
2022:
2020:
2017:
2015:
2012:
2010:
2007:
2005:
2002:
2000:
1997:
1995:
1992:
1990:
1987:
1985:
1982:
1981:
1979:
1977:
1973:
1970:
1968:
1964:
1958:
1955:
1953:
1950:
1948:
1945:
1943:
1940:
1938:
1935:
1933:
1930:
1928:
1925:
1923:
1920:
1918:
1915:
1913:
1910:
1908:
1905:
1903:
1900:
1898:
1895:
1893:
1890:
1888:
1885:
1883:
1880:
1878:
1875:
1873:
1870:
1868:
1865:
1863:
1860:
1858:
1855:
1853:
1850:
1848:
1845:
1843:
1840:
1838:
1835:
1833:
1830:
1828:
1825:
1823:
1820:
1818:
1815:
1813:
1810:
1808:
1805:
1803:
1800:
1798:
1795:
1793:
1790:
1788:
1785:
1783:
1780:
1778:
1775:
1773:
1770:
1768:
1765:
1763:
1760:
1758:
1755:
1753:
1750:
1748:
1745:
1743:
1740:
1738:
1735:
1733:
1730:
1728:
1725:
1723:
1720:
1718:
1715:
1713:
1710:
1708:
1705:
1703:
1700:
1698:
1695:
1691:
1688:
1687:
1686:
1683:
1681:
1678:
1676:
1673:
1671:
1668:
1667:
1665:
1661:
1657:
1650:
1645:
1643:
1638:
1636:
1631:
1630:
1627:
1620:
1617:
1615:
1611:
1608:
1605:
1603:
1600:
1598:
1595:
1593:
1590:
1588:
1585:
1583:
1580:
1578:
1575:
1574:
1561:
1555:
1551:
1550:
1542:
1528:on 2010-03-04
1527:
1523:
1517:
1503:on 2010-07-06
1502:
1498:
1494:
1488:
1479:
1465:
1461:
1454:
1439:on 2012-11-18
1435:
1428:
1422:
1408:on 2011-06-13
1404:
1397:
1391:
1377:
1376:
1371:
1365:
1350:
1346:
1340:
1325:
1321:
1315:
1301:on 2011-06-17
1300:
1296:
1292:
1286:
1271:
1267:
1261:
1247:on 2010-03-05
1246:
1242:
1238:
1232:
1218:on 2010-11-14
1217:
1213:
1209:
1203:
1188:
1184:
1178:
1176:
1161:on 2010-03-16
1160:
1156:
1152:
1146:
1139:
1128:on 2011-08-24
1127:
1123:
1119:
1113:
1099:on 2008-04-22
1098:
1094:
1090:
1084:
1069:
1065:
1059:
1044:
1040:
1034:
1027:. 2013-01-24.
1026:
1022:
1016:
1009:. 2008-12-16.
1008:
1004:
998:
984:
978:
974:
970:
969:
961:
947:
943:
936:
922:
916:
902:on 2012-10-14
901:
897:
891:
884:
880:
876:
872:
868:
864:
858:
849:
847:
837:
835:
825:
816:
807:
799:
796:
791:
786:
782:
781:
776:
770:
762:
759:
754:
749:
745:
744:
739:
733:
719:
715:
711:
707:
704:Zetter, Kim.
700:
685:
681:
675:
671:
661:
658:
656:
653:
652:
646:
644:
640:
630:
628:
622:
620:
616:
611:
608:
602:
600:
596:
580:
577:
575:
571:
565:
551:
549:
545:
543:
534:
532:
528:
524:
517:Apple devices
514:
512:
508:
504:
494:
491:
481:
478:
470:
464:Windows Vista
461:
458:
456:
445:
442:
438:
436:
430:
422:
420:
416:
412:
408:
404:
400:
398:
394:
390:
388:
384:
380:
376:
372:
367:
365:
361:
357:
353:
342:
339:
331:
321:
317:
313:
309:
303:
302:
297:This section
295:
286:
285:
273:
269:
264:
261:
257:
253:
250:
247:
245:
241:
236:
233:
230:
226:
222:
218:
215:
214:
209:
205:
197:
195:
189:
183:Port entities
180:
178:
174:
170:
160:
158:
152:
150:
146:
141:
137:
133:
129:
128:
127:authenticator
122:
118:
117:
108:
103:
94:
92:
88:
84:
80:
76:
72:
68:
64:
60:
55:
53:
47:
45:
41:
37:
33:
29:
25:
24:IEEE Standard
21:
2945:
2741:
2717:
2683:
2632:
2577:
2341:
2314:
2287:
2133:
1548:
1541:
1530:. Retrieved
1526:the original
1516:
1505:. Retrieved
1501:the original
1487:
1478:
1467:. Retrieved
1463:
1453:
1441:. Retrieved
1434:the original
1421:
1410:. Retrieved
1403:the original
1390:
1379:. Retrieved
1373:
1364:
1353:. Retrieved
1351:. 2023-07-25
1348:
1339:
1328:. Retrieved
1326:. 2023-07-25
1323:
1314:
1303:. Retrieved
1299:the original
1294:
1285:
1274:. Retrieved
1272:. 2009-12-08
1269:
1260:
1249:. Retrieved
1245:the original
1240:
1231:
1220:. Retrieved
1216:the original
1211:
1202:
1191:. Retrieved
1189:. 2010-02-08
1186:
1163:. Retrieved
1159:the original
1154:
1145:
1136:
1130:. Retrieved
1126:the original
1121:
1112:
1101:. Retrieved
1097:the original
1092:
1083:
1072:. Retrieved
1070:. 2007-01-18
1067:
1058:
1047:. Retrieved
1045:. 2009-09-17
1042:
1033:
1024:
1015:
1006:
997:
986:. Retrieved
967:
960:
949:. Retrieved
945:
935:
924:. Retrieved
915:
904:. Retrieved
900:the original
890:
882:
862:
857:
824:
815:
806:
779:
775:"Link Layer"
769:
742:
732:
721:. Retrieved
709:
699:
688:. Retrieved
686:. 2018-04-18
683:
674:
636:
633:Alternatives
627:MAC spoofing
623:
619:IEEE 802.1AR
615:IEEE 802.1AE
612:
603:
591:
588:Shared media
578:
566:
562:
546:
540:
520:
500:
487:
479:
476:
467:
459:
451:
439:
431:
428:
401:
391:
368:
349:
334:
325:
310:by removing
306:Please help
298:
262:
251:
248:
244:
234:
216:
203:
190:
186:
166:
153:
139:
125:
114:
112:
87:IEEE 802.1AR
83:IEEE 802.1AE
56:
50:attached to
48:
19:
18:
2518:legacy mode
570:MAC address
537:Federations
356:Xsupplicant
249:Negotiation
79:IEEE 802.11
20:IEEE 802.1X
2971:Categories
2896:Superseded
1967:802 series
1532:2010-02-10
1507:2010-02-10
1469:2022-07-03
1443:26 January
1412:2010-08-17
1381:2022-07-03
1355:2023-07-25
1330:2023-07-25
1305:2010-03-03
1276:2022-07-03
1251:2010-02-10
1222:2010-03-23
1193:2022-07-03
1165:2010-03-23
1132:2010-02-10
1103:2010-02-10
1074:2022-07-03
1049:2022-07-03
988:2022-07-02
951:2022-07-02
926:2010-02-10
906:2008-07-30
723:2024-02-07
690:2024-04-10
666:References
490:Windows PE
484:Windows PE
448:Windows XP
375:iPod Touch
328:March 2024
308:improve it
235:Initiation
138:; and the
116:supplicant
71:IEEE 802.5
69:Ethernet,
67:IEEE 802.3
32:IEEE 802.1
2771:Bluetooth
718:1059-1028
473:Windows 7
177:EtherType
171:, and in
2977:IEEE 802
2946:See also
2903:754-1985
2860:Proposed
2204:Ethernet
1690:Revision
1610:Archived
869:. 2014.
649:See also
527:macOS 14
441:Wildcard
387:ChromeOS
107:Diameter
97:Overview
63:IEEE 802
2887:P1906.1
2748:Wi-Fi 8
2724:Wi-Fi 7
2690:Wi-Fi 6
2639:Wi-Fi 5
2584:Wi-Fi 4
1663:Current
1375:eduroam
1138:change.
542:eduroam
531:EAP-TLS
425:Windows
407:Windows
383:Android
52:Walmart
2791:Zigbee
2759:802.15
2499:802.11
1737:1149.1
1607:WIRE1x
1556:
979:
716:
574:RADIUS
523:iOS 17
521:As of
435:hotfix
371:iPhone
364:802.11
352:Open1X
272:RADIUS
268:RADIUS
256:RADIUS
243:frame.
240:RADIUS
145:RADIUS
121:client
22:is an
2882:P1823
2877:P1699
2872:P1619
2867:P1363
2649:WiGig
2513:-1997
2504:Wi-Fi
2213:-1983
2199:802.3
2081:802.1
1957:42010
1952:29148
1947:16326
1942:16085
1937:14764
1932:12207
1927:11073
1437:(PDF)
1430:(PDF)
1406:(PDF)
1399:(PDF)
710:Wired
599:IPsec
501:Most
497:Linux
415:macOS
411:Linux
393:macOS
381:2.0.
119:is a
2933:1471
2928:1364
2923:1362
2918:1233
2913:1219
2183:LACP
1922:2050
1917:2030
1912:1905
1907:1904
1902:1902
1897:1901
1892:1900
1887:1855
1882:1850
1877:1849
1872:1815
1867:1801
1862:1800
1857:1733
1852:1722
1847:1685
1842:1675
1837:1667
1832:1666
1827:1619
1822:1613
1817:1603
1812:1596
1807:1588
1802:1584
1797:1547
1792:1541
1787:1516
1782:1497
1777:1451
1772:1394
1767:1355
1762:1284
1757:1278
1752:1275
1747:1164
1742:1154
1732:1076
1727:1016
1722:1014
1717:1003
1554:ISBN
1497:IEEE
1445:2013
977:ISBN
867:IEEE
798:3748
761:3748
714:ISSN
639:IETF
637:The
525:and
413:and
397:10.3
373:and
369:The
227:and
147:and
75:FDDI
44:WLAN
2908:830
2832:.4z
2827:.4g
2822:.4f
2817:.4e
2812:.4d
2807:.4c
2802:.4b
2797:.4a
2124:Qbb
2119:Qaz
2114:Qay
2109:Qat
2104:Qav
2071:.24
2066:.22
2061:.21
2056:.20
2051:.18
2046:.17
2034:.16
2029:.14
2024:.12
2019:.10
1976:802
1712:896
1707:829
1702:828
1697:854
1685:754
1680:730
1675:693
1670:488
879:802
871:doi
795:RFC
785:doi
758:RFC
748:doi
607:DoS
455:SSO
419:NAP
379:iOS
229:UDP
225:TCP
149:EAP
134:or
42:or
40:LAN
2973::
2847:.7
2842:.6
2837:.5
2787:.4
2782:.3
2777:.2
2767:.1
2743:bn
2738:bk
2735:bi
2732:bh
2729:bf
2719:be
2714:bd
2711:bc
2707:bb
2703:ba
2700:az
2696:ay
2685:ax
2680:aq
2677:ak
2673:aj
2668:ai
2663:ah
2658:af
2654:ae
2645:ad
2634:ac
2629:aa
2489:df
2484:de
2479:dd
2474:db
2469:da
2464:cz
2459:cy
2454:cx
2449:cw
2444:cv
2439:cu
2434:ct
2429:cs
2424:cr
2419:cq
2414:cp
2409:cn
2404:cm
2399:ck
2394:ch
2389:cg
2384:ce
2379:cd
2374:cc
2369:cb
2364:ca
2359:bz
2354:by
2349:bu
2343:bt
2337:ba
2332:az
2327:av
2322:au
2316:at
2310:aq
2305:an
2300:ak
2295:ah
2289:af
2283:ae
2278:ad
2273:ac
2268:ab
2189:BA
2179:AX
2174:AS
2169:aq
2164:ak
2159:ah
2154:ag
2149:AE
2144:ad
2139:AB
2014:.9
2009:.8
2004:.7
1999:.6
1994:.5
1989:.4
1984:.2
1495:.
1462:.
1372:.
1347:.
1322:.
1293:.
1268:.
1239:.
1210:.
1185:.
1174:^
1153:.
1135:.
1120:.
1091:.
1066:.
1041:.
1023:.
1005:.
971:.
944:.
881:.
877:.
865:.
845:^
833:^
793:.
777:.
756:.
740:.
712:.
708:.
682:.
548:BT
513:.
409:,
399:.
46:.
2793:)
2789:(
2773:)
2769:(
2750:)
2746:(
2726:)
2722:(
2692:)
2688:(
2651:)
2647:(
2641:)
2637:(
2625:z
2620:y
2615:w
2610:v
2605:u
2600:s
2595:r
2590:p
2586:)
2582:(
2579:n
2573:k
2568:j
2563:i
2558:h
2553:g
2548:f
2543:e
2538:d
2533:c
2528:b
2523:a
2506:)
2502:(
2263:z
2258:y
2253:x
2248:u
2243:j
2238:i
2233:e
2228:d
2223:b
2218:a
2206:)
2202:(
2185:)
2181:(
2134:X
2129:w
2099:Q
2094:p
2089:D
1648:e
1641:t
1634:v
1562:.
1535:.
1510:.
1472:.
1447:.
1415:.
1384:.
1358:.
1333:.
1308:.
1279:.
1254:.
1225:.
1196:.
1168:.
1106:.
1077:.
1052:.
991:.
954:.
929:.
909:.
873::
800:.
787::
763:.
750::
726:.
693:.
341:)
335:(
330:)
326:(
322:.
304:.
109:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.