Networking – Do 802.1X and RADIUS prevent rogue APs?


I was discussing with a colleague today and he seemed to think that if you use 802.1X it allows users to realise if they are connecting to a rogue access point.

I don't understand this though, surely if you believe a rogue access point was the genuine one from the beginning, you would just be authenticating to a rogue RADIUS server, instead of the original?

I don't see how 802.1X can stop you from connecting to the false network?

Best Answer

802.1X allows for mutual authentication using PKI in some configurations. This can use TLS, which is the protocol used for secure web browsing.

Both the client and AP have a private/public key-pair. The public keys are included in a certificate that is cryptographically signed by a third system that is configured to be trusted on both the client and AP. As long as the private keys and the CA are not compromised, both machines can use the protocol to mutually authenticate each other.

The downside is that managing all the PKI takes a lot more effort than a simple shared key.
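As an added illustration (not part of the original answer), here is the client-side half of what the answer describes, written in Go with only the standard library: the supplicant trusts exactly one CA, the genuine authentication server presents a certificate signed by that CA, and a rogue server can only present a self-signed certificate that copies the same name. All certificates are generated in memory, and "Corp Root CA" and "radius.corp.example" are made-up names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds an in-memory certificate for name; with parent == nil it is self-signed,
// which is all a rogue AP/RADIUS can produce without the corporate CA's key. Errors are
// ignored for brevity, as this demo never touches disk or network.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // only the CA may issue further certificates
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// SupplicantTrusts is the check a supplicant makes before releasing any credential: the
// presented server certificate must chain to the pinned CA and carry the expected name.
func SupplicantTrusts(roots *x509.CertPool, presented *x509.Certificate, name string) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err == nil
}
// Scenario: a corporate CA, the genuine RADIUS cert it signed, and a rogue self-signed
// cert copying the genuine name; returns whether each passes the supplicant's check.
func Scenario() (genuineOK, rogueOK bool) {
	ca, caKey := newCert("Corp Root CA", true, nil, nil)
	genuine, _ := newCert("radius.corp.example", false, ca, caKey)
	rogue, _ := newCert("radius.corp.example", false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only trust anchor provisioned on the client
	return SupplicantTrusts(roots, genuine, "radius.corp.example"), SupplicantTrusts(roots, rogue, "radius.corp.example")
}
func main() {
	fmt.Println(Scenario()) // true false
}
```

The rogue fails not because its name is wrong but because nothing in the client's trust store vouches for it; a real supplicant that skips this check (no CA pinned, no server-name match configured) would accept it just as the question fears.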
