802.1X / EAP-TLS Authentication Flow
A device proves its identity to the network before the port is opened.
sequenceDiagram
    autonumber
    participant S as Supplicant
    participant A as Authenticator
    participant R as RADIUS Server
    Note over S: Holds private key and<br/>corporate client certificate
    Note over A: Sees encrypted EAP and<br/>relays only, never sees secrets
    Note over R: Validates client cert against<br/>corporate CA and logs the event
    S->>A: EAPOL-Start, requests to join
    A->>S: EAP-Request, asks for Identity
    S->>A: EAP-Response, sends alice at corp
    A->>R: Access-Request, relays identity
    R->>S: EAP-Request, begin TLS handshake
    Note over S,R: TLS mutual handshake, client and<br/>server certs validated against the CA
    R->>A: Access-Accept and session keys
    A->>S: Port opened, per-session keys installed
    Note over S: Now on the network
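The sequence above, played out in Python as an added example (not code from the page, nor from any real supplicant, switch or RADIUS implementation). It uses only the standard library, so a Lamport one-time signature is a constructed stand-in for the RSA/ECDSA signature on X.509 certificates and on the TLS CertificateVerify message, a certificate is a plain dict, and the TLS handshake is reduced to two nonces plus that CertificateVerify. The names alice at corp, bob at corp and radius.corp, the rogue CA, and the session-key derivation from the nonces are all constructed for the demo. It goes beyond the diagram's happy path by running the three rejections a RADIUS server must produce: a certificate from a CA it does not trust, a valid certificate presented under someone else's identity, and a copied certificate whose private key the supplicant does not hold.

```python
"""Toy walk-through of the 802.1X / EAP-TLS sequence in the diagram above.
Added illustration, not code from any real supplicant, switch or RADIUS server.
Standard library only: a Lamport one-time signature (constructed stand-in) replaces
RSA/ECDSA on certificates and on TLS CertificateVerify; the handshake is two nonces."""
import hashlib
import os
def H(b: bytes) -> bytes: return hashlib.sha256(b).digest()
def bit(d: bytes, i: int) -> int: return (d[i // 8] >> (7 - i % 8)) & 1

def keygen():
    """Lamport key pair: 256 secret pairs; the public half is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg: bytes):
    """Reveal, per digest bit, the matching secret. A key may sign once only."""
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]

def verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return len(sig) == 256 and all(H(s) == pk[i][bit(d, i)] for i, s in enumerate(sig))

def cert_tbs(subject: str, pk) -> bytes:  # to-be-signed bytes: subject plus public key
    return subject.encode() + b"".join(a + b for a, b in pk)
class ToyCA:
    """CA stand-in: one fresh Lamport key per issued cert; trust anchor = public halves."""
    def __init__(self, capacity: int = 4):
        self._keys, self._used = [keygen() for _ in range(capacity)], 0
        self.trust_anchor = [pk for _, pk in self._keys]
    def issue(self, subject: str, pk) -> dict:
        sk, idx = self._keys[self._used][0], self._used
        self._used += 1
        return {"subject": subject, "pubkey": pk, "ca_key": idx, "ca_sig": sign(sk, cert_tbs(subject, pk))}

def chains_to(cert: dict, anchor) -> bool:  # signed by a key in this trust anchor?
    return cert["ca_key"] < len(anchor) and verify(
        anchor[cert["ca_key"]], cert_tbs(cert["subject"], cert["pubkey"]), cert["ca_sig"])
class Supplicant:  # holds the private key, which never leaves this object
    def __init__(self, identity: str, cert: dict, sk, anchor):
        self.identity, self.cert, self._sk, self.anchor = identity, cert, sk, anchor
    def identity_response(self) -> dict:              # EAP-Response/Identity (cleartext)
        return {"identity": self.identity}
    def tls_client_flight(self, server_hello: dict):  # reply to EAP-Request/TLS
        if not chains_to(server_hello["server_cert"], self.anchor):
            return None                               # untrusted server: abort, send nothing
        nonce = os.urandom(16)
        # CertificateVerify: a signature over the transcript leaves; _sk itself never does
        return {"client_cert": self.cert, "nonce": nonce,
                "proof": sign(self._sk, server_hello["nonce"] + nonce)}

class RadiusServer:  # validates the client cert against the corporate CA and logs the event
    def __init__(self, anchor, server_cert: dict):
        self.anchor, self.cert, self.events, self._pending = anchor, server_cert, [], {}
    def access_request(self, identity: dict) -> dict:  # Access-Request -> EAP-Request/TLS
        self._pending[identity["identity"]] = nonce = os.urandom(16)
        return {"server_cert": self.cert, "nonce": nonce}
    def finish(self, identity: dict, flight) -> dict:
        who, s_nonce, reason = identity["identity"], self._pending.pop(identity["identity"]), None
        if flight is None or not chains_to(flight["client_cert"], self.anchor):
            reason = "no client cert issued by the corporate CA"
        elif flight["client_cert"]["subject"] != who:
            reason = "cert subject does not match claimed identity"
        elif not verify(flight["client_cert"]["pubkey"], s_nonce + flight["nonce"], flight["proof"]):
            reason = "CertificateVerify failed: no proof of private key"
        self.events.append((who, "REJECT" if reason else "ACCEPT", reason))  # the logged event
        if reason:
            return {"code": "Access-Reject", "reason": reason}
        # real TLS derives the keys on both sides from the key exchange; toy: hash of nonces
        return {"code": "Access-Accept", "session_key": H(b"session" + s_nonce + flight["nonce"])}

class Authenticator:  # switch/AP port: relays EAP unread, gates the port on the RADIUS result
    def __init__(self, radius: RadiusServer):
        self.radius, self.port_open, self.session_key = radius, False, None
    def authenticate(self, supplicant: Supplicant) -> str:
        identity = supplicant.identity_response()     # the only cleartext it reads
        eap = self.radius.access_request(identity)    # relayed opaquely to the supplicant
        eap = supplicant.tls_client_flight(eap)       # and back to RADIUS
        result = self.radius.finish(identity, eap)
        if result["code"] == "Access-Accept":
            self.port_open, self.session_key = True, result["session_key"]
        return result["code"]

def demo() -> dict:
    """Four join attempts as 'alice at corp'; returns {case: (RADIUS code, port open)}."""
    corp_ca, rogue_ca = ToyCA(), ToyCA(); anchor = corp_ca.trust_anchor
    radius = RadiusServer(anchor, corp_ca.issue("radius.corp", keygen()[1]))
    alice_sk, alice_pk = keygen(); bob_sk, bob_pk = keygen(); mal_sk, mal_pk = keygen()
    alice_cert = corp_ca.issue("alice at corp", alice_pk)
    attempts = [("alice", alice_cert, alice_sk),
                ("rogue_ca", rogue_ca.issue("alice at corp", mal_pk), mal_sk),   # right name, wrong issuer
                ("wrong_identity", corp_ca.issue("bob at corp", bob_pk), bob_sk),  # valid cert, other name
                ("cert_without_key", alice_cert, keygen()[0])]                     # copied cert, no key
    out = {"events": radius.events}                   # same list RADIUS appends to
    for name, cert, sk in attempts:
        port = Authenticator(radius)                  # each attempt on its own port state
        out[name] = (port.authenticate(Supplicant("alice at corp", cert, sk, anchor)), port.port_open)
    return out
```

Calling demo() returns the outcome of each attempt together with the RADIUS event log; only the first attempt ends in Access-Accept with the port open and a session key installed. The division of trust in the diagram is visible in the structure: Authenticator reads nothing but the identity and the final code, Supplicant exposes a signature but never its key, and every accept/reject decision and its reason sits in RadiusServer.finish.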