Knowledge (XXG)

IEEE 802.1X

IEEE standard for port-based Network Access Control

IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

The standard directly addresses an attack technique called Hardware Addition where an attacker posing as a guest, customer or staff smuggles a hacking device into the building that they then plug into the network giving them full access. A notable example of the issue occurred in 2005 when a machine attached to Walmart's network hacked thousands of their servers.

IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over wired IEEE 802 networks and over 802.11 wireless networks, which is known as "EAP over LAN" or EAPOL. EAPOL was originally specified for IEEE 802.3 Ethernet, IEEE 802.5 Token Ring, and FDDI (ANSI X3T9.5/X3T12 and ISO 9314) in 802.1X-2001, but was extended to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless in 802.1X-2004. The EAPOL was also modified for use with IEEE 802.1AE ("MACsec") and IEEE 802.1AR (Secure Device Identity, DevID) in 802.1X-2010 to support service identification and optional point to point encryption over the internal LAN segment.

Overview

[Figure: EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter.]

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device that provides a data link between the client and the network and can allow or block network traffic between the two, such as an Ethernet switch or wireless access point; and the authentication server is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is to be allowed, and various settings that should apply to that client's connection or setting. Authentication servers typically run software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may be running on the authenticator hardware.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the supplicant must initially provide the required credentials to the authenticator - these will have been specified in advance by the network administrator and could include a user name/password or a permitted digital certificate. The authenticator forwards these credentials to the authentication server to decide whether access is to be granted. If the authentication server determines the credentials are valid, it informs the authenticator, which in turn allows the supplicant (client device) to access resources located on the protected side of the network.

Protocol operation

EAPOL operates over the data link layer, and in Ethernet II framing protocol has an EtherType value of 0x888E.

Port entities

802.1X-2001 defines two logical port entities for an authenticated port—the "controlled port" and the "uncontrolled port". The controlled port is manipulated by the 802.1X PAE (Port Access Entity) to allow (in the authorized state) or prevent (in the unauthorized state) network traffic ingress and egress to/from the controlled port. The uncontrolled port is used by the 802.1X PAE to transmit and receive EAPOL frames.

802.1X-2004 defines the equivalent port entities for the supplicant; so a supplicant implementing 802.1X-2004 may prevent higher-level protocols from being used if it is not content that authentication has successfully completed. This is particularly useful when an EAP method providing mutual authentication is used, as the supplicant can prevent data leakage when connected to an unauthorized network.

Typical authentication progression

[Figure: Sequence diagram of the 802.1X progression]

The typical authentication procedure consists of:

Initialization: On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with that TCP and UDP), is dropped.

Initiation: To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address (01:80:C2:00:00:03) on the local network segment. The supplicant listens at this address, and on receipt of the EAP-Request Identity frame, it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.

Negotiation (Technically EAP negotiation): The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (The type of EAP based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point, the supplicant can start using the requested EAP Method, or do a NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.

Authentication: If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet), or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed, if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator, the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.

Implementations

An open-source project named Open1X produces a client, Xsupplicant. This client is currently available for both Linux and Windows. The main drawbacks of the Open1X client are that it does not provide comprehensible and extensive user documentation and that most Linux vendors do not provide a package for it. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types.

The iPhone and iPod Touch support 802.1X since the release of iOS 2.0. Android has support for 802.1X since the release of 1.6 Donut. ChromeOS has supported 802.1X since mid-2011.

macOS has offered native support since 10.3.

Avenda Systems provides a supplicant for Windows, Linux and macOS. They also have a plugin for the Microsoft NAP framework. Avenda also offers health checking agents.

Windows

Windows defaults to not responding to 802.1X authentication requests for 20 minutes after a failed authentication. This can cause significant disruption to clients.

The block period can be configured using the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc\BlockTime DWORD value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc\BlockTime for wireless networks) in the registry (entered in minutes). A hotfix is required for Windows XP SP3 and Windows Vista SP2 to make the period configurable.

Wildcard server certificates are not supported by EAPHost, the Windows component that provides EAP support in the operating system. The implication of this is that when using a commercial certification authority, individual certificates must be purchased.

Windows XP

Windows XP has major issues with its handling of IP address changes resulting from user-based 802.1X authentication that changes the VLAN and thus subnet of clients. Microsoft has stated that it will not backport the SSO feature from Vista that resolves these issues.

If users are not logging in with roaming profiles, a hotfix must be downloaded and installed if authenticating via PEAP with PEAP-MSCHAPv2.

Windows Vista

Windows Vista-based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed into the wrong VLAN. A hotfix is available to correct this.

Windows 7

Windows 7 based computers that are connected via an IP phone may not authenticate as expected and, consequently, the client can be placed into the wrong VLAN. A hotfix is available to correct this.

Windows 7 does not respond to 802.1X authentication requests after initial 802.1X authentication fails. This can cause significant disruption to clients. A hotfix is available to correct this.

Windows PE

For most enterprises deploying and rolling out operating systems remotely, it is worth noting that Windows PE does not have native support for 802.1X. However, support can be added to WinPE 2.1 and WinPE 3.0 through hotfixes that are available from Microsoft. Although full documentation is not yet available, preliminary documentation for the use of these hotfixes is available via a Microsoft blog.

Linux

Most Linux distributions support 802.1X via wpa_supplicant and desktop integration like NetworkManager.

Apple devices

As of iOS 17 and macOS 14, Apple devices support connecting to 802.1X networks using EAP-TLS with TLS 1.3 (EAP-TLS 1.3). Additionally, devices running iOS/iPadOS/tvOS 17 or later support wired 802.1X networks.

Federations

eduroam (the international roaming service), mandates the use of 802.1X authentication when providing network access to guests visiting from other eduroam-enabled institutions.

BT (British Telecom, PLC) employs Identity Federation for authentication in services delivered to a wide variety of industries and governments.

Proprietary extensions

MAB (MAC Authentication Bypass)

Not all devices support 802.1X authentication. Examples include network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones. For those devices to be used in a protected network environment, alternative mechanisms must be provided to authenticate them.

One option would be to disable 802.1X on that port, but that leaves that port unprotected and open for abuse. Another slightly more reliable option is to use the MAB option. When MAB is configured on a port, that port will first try to check if the connected device is 802.1X compliant, and if no reaction is received from the connected device, it will try to authenticate with the AAA server using the connected device's MAC address as username and password. The network administrator then must make provisions on the RADIUS server to authenticate those MAC addresses, either by adding them as regular users or implementing additional logic to resolve them in a network inventory database.

Many managed Ethernet switches offer options for this.

Vulnerabilities in 802.1X-2001 and 802.1X-2004

Shared media

In the summer of 2005, Microsoft's Steve Riley posted an article (based on the original research of Microsoft MVP Svyatoslav Pidgorny) detailing a serious vulnerability in the 802.1X protocol, involving a man in the middle attack. In summary, the flaw stems from the fact that 802.1X authenticates only at the beginning of the connection, but after that authentication, it's possible for an attacker to use the authenticated port if they have the ability to physically insert themselves (perhaps using a workgroup hub) between the authenticated computer and the port. Riley suggests that for wired networks the use of IPsec or a combination of IPsec and 802.1X would be more secure.

EAPOL-Logoff frames transmitted by the 802.1X supplicant are sent in the clear and contain no data derived from the credential exchange that initially authenticated the client. They are therefore trivially easy to spoof on shared media and can be used as part of a targeted DoS on both wired and wireless LANs. In an EAPOL-Logoff attack a malicious third party, with access to the medium the authenticator is attached to, repeatedly sends forged EAPOL-Logoff frames from the target device's MAC Address. The authenticator (believing that the targeted device wishes to end its authentication session) closes the target's authentication session, blocking traffic ingressing from the target, denying it access to the network.

The 802.1X-2010 specification, which began as 802.1af, addresses vulnerabilities in previous 802.1X specifications, by using MACsec IEEE 802.1AE to encrypt data between logical ports (running on top of a physical port) and IEEE 802.1AR (Secure Device Identity / DevID) authenticated devices.

As a stopgap, until these enhancements are widely implemented, some vendors have extended the 802.1X-2001 and 802.1X-2004 protocol, allowing multiple concurrent authentication sessions to occur on a single port. While this prevents traffic from devices with unauthenticated MAC addresses ingressing on an 802.1X authenticated port, it will not stop a malicious device snooping on traffic from an authenticated device and provides no protection against MAC spoofing, or EAPOL-Logoff attacks.

Alternatives

The IETF-backed alternative is the Protocol for Carrying Authentication for Network Access (PANA), which also carries EAP, although it works at layer 3, using UDP, thus not being tied to the 802 infrastructure.

See also

AEGIS SecureConnect
IEEE 802.11i-2004
2428:cx 2423:cw 2418:cv 2413:cu 2408:ct 2403:cs 2398:cr 2393:cq 2388:cp 2383:cn 2378:cm 2373:ck 2368:ch 2363:cg 2358:ce 2353:cd 2348:cc 2343:cb 2338:ca 2333:bz 2328:by 2323:bu 2317:bt 2311:ba 2306:az 2301:av 2296:au 2290:at 2284:aq 2279:an 2274:ak 2269:ah 2263:af 2257:ae 2252:ad 2247:ac 2242:ab 2163:BA 2153:AX 2148:AS 2143:aq 2138:ak 2133:ah 2128:ag 2123:AE 2118:ad 2113:AB 1988:.9 1983:.8 1978:.7 1973:.6 1968:.5 1963:.4 1958:.2 1469:. 1436:. 1346:. 1321:. 1296:. 1267:. 1242:. 1213:. 1184:. 1159:. 1148:^ 1127:. 1109:. 1094:. 1065:. 1040:. 1015:. 997:. 979:. 945:. 918:. 852:^ 840:^ 800:. 784:. 763:. 747:. 719:. 715:. 689:. 555:BT 520:. 416:, 406:. 57:. 2767:) 2763:( 2747:) 2743:( 2724:) 2720:( 2700:) 2696:( 2666:) 2662:( 2625:) 2621:( 2615:) 2611:( 2599:z 2594:y 2589:w 2584:v 2579:u 2574:s 2569:r 2564:p 2560:) 2556:( 2553:n 2547:k 2542:j 2537:i 2532:h 2527:g 2522:f 2517:e 2512:d 2507:c 2502:b 2497:a 2480:) 2476:( 2237:z 2232:y 2227:x 2222:u 2217:j 2212:i 2207:e 2202:d 2197:b 2192:a 2180:) 2176:( 2159:) 2155:( 2108:X 2103:w 2073:Q 2068:p 2063:D 1622:e 1615:t 1608:v 1536:. 1509:. 1484:. 1446:. 1421:. 1389:. 1358:. 1332:. 1307:. 1282:. 1253:. 1228:. 1199:. 1170:. 1142:. 1080:. 1051:. 1026:. 965:. 928:. 903:. 883:. 807:. 794:: 770:. 757:: 733:. 700:. 348:) 342:( 337:) 333:( 329:. 311:. 116:. 20:)


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.