IEEE 802.1X
==Implementations==
{{Advert section|date=March 2024}}

An open-source project named [[Open1X]] produces a client, [[Xsupplicant]]. This client is currently available for both Linux and Windows. The main drawbacks of the Open1X client are that it does not provide comprehensible and extensive user documentation and that most Linux vendors do not provide a package for it. The more general [[wpa_supplicant]] can be used for [[802.11]] wireless networks and wired networks. Both support a very wide range of EAP types.<ref>{{cite web|url=https://w1.fi/cgit/hostap/plain/wpa_supplicant/eap_testing.txt |title=eap_testing.txt from wpa_supplicant |access-date=2010-02-10}}</ref>

The [[iPhone]] and [[iPod Touch]] have supported 802.1X since the release of [[iOS (Apple)|iOS]] 2.0. [[Android (operating system)|Android]] has supported 802.1X since the release of 1.6 Donut. [[ChromeOS]] has supported 802.1X since mid-2011.<ref>{{cite web|url = https://cloud.googleblog.com/2011/08/the-computer-that-keeps-getting-better.html |title = The computer that keeps getting better |first=Rajen |last=Sheth |date=August 10, 2011 |website=Google Cloud Official Blog |access-date = 2022-07-02}}</ref> [[macOS]] has offered native support since [[Mac OS X v10.3|10.3]].<ref>{{cite book|url = https://books.google.com/books?id=Tdr5DIxmQYgC&pg=PA19 |title = Mac OS X Unwired: A Guide for Home, Office, and the Road |first1 = Tom |last1 = Negrino |first2 = Dori |last2 = Smith| page = 19 |isbn = 978-0596005085 |publisher = [[O'Reilly Media]] |date = 2003 |access-date = 2022-07-02}}</ref>

[[Avenda Systems]] provides a supplicant for [[Windows]], [[Linux]] and [[macOS]].
They also have a plugin for the Microsoft [[Network Access Protection|NAP]] framework.<ref>{{cite web|url=https://docs.microsoft.com/en-us/archive/blogs/nap/nap-clients-for-linux-and-macintosh-are-available |title=NAP clients for Linux and Macintosh are available |work=Network Access Protection (NAP) team blog |date=2008-12-16}}</ref> Avenda also offers health checking agents.

=== Windows ===
Windows defaults to not responding to 802.1X authentication requests for 20 minutes after a failed authentication. This can cause significant disruption to clients. The block period can be configured using the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc\BlockTime<ref>{{cite web|url=https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/20-minute-delay-deploying-windows-7-on-802-1x-fix-it-here |title=20 minute delay deploying Windows 7 on 802.1x? Fix it here!|work=Dude where's my PFE? blog|date=2013-01-24}}</ref> DWORD value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc\BlockTime for wireless networks) in the registry (entered in minutes). A [[hotfix]] is required for Windows XP SP3 and Windows Vista SP2 to make the period configurable.<ref>{{cite web|url=https://support.microsoft.com/en-us/topic/a-windows-xp-based-windows-vista-based-or-windows-server-2008-based-computer-does-not-respond-to-802-1x-authentication-requests-for-20-minutes-after-a-failed-authentication-8fcef6e5-4526-17db-e430-22f1f51a84ad |title=A Windows XP-based, Windows Vista-based or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication |website=Microsoft Support |date=2009-09-17 |access-date=2022-07-03}}</ref>

[[Wildcard certificate|Wildcard]] server certificates are not supported by EAPHost, the Windows component that provides EAP support in the operating system.<ref>{{cite web|url=https://docs.microsoft.com/en-us/previous-versions/cc730460(v=msdn.10)?redirectedfrom=MSDN |title=EAPHost in Windows Vista and Longhorn (January 18, 2006) |website=Microsoft Docs |date=2007-01-18 |access-date=2022-07-03}}</ref> The implication of this is that when using a commercial certification authority, individual certificates must be purchased.
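
The block period described above can be audited, and changed where needed, with PowerShell. The following is an added example, not taken from the cited Microsoft sources; the function names <code>Get-Dot1xBlockTime</code> and <code>Set-Dot1xBlockTime</code> are hypothetical, and only the registry paths, the DWORD type and the 20-minute default come from the text above.

```powershell
# Added example: report and set the 802.1X BlockTime value (in minutes) for the
# wired (dot3svc) and wireless (wlansvc) services. Registry paths and the
# 20-minute default come from the section above; function names are hypothetical.

$BlockTimeKeys = [ordered]@{
    Wired    = 'HKLM:\SOFTWARE\Microsoft\dot3svc'
    Wireless = 'HKLM:\SOFTWARE\Microsoft\wlansvc'
}
$DefaultMinutes = 20   # default block period stated in the section above

function Get-Dot1xBlockTime {
    foreach ($entry in $BlockTimeKeys.GetEnumerator()) {
        $value = $null
        if (Test-Path $entry.Value) {
            # A missing BlockTime value is not an error: the default applies.
            $prop = Get-ItemProperty -Path $entry.Value -Name BlockTime -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = $prop.BlockTime }
        }
        [pscustomobject]@{
            Interface  = $entry.Key
            Key        = $entry.Value
            Configured = ($null -ne $value)
            Minutes    = if ($null -ne $value) { $value } else { $DefaultMinutes }
        }
    }
}

function Set-Dot1xBlockTime {
    # Writing under HKLM requires an elevated session. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Wired', 'Wireless')][string]$Interface,
        [Parameter(Mandatory)][uint32]$Minutes
    )
    $key = $BlockTimeKeys[$Interface]
    if ($PSCmdlet.ShouldProcess("$key\BlockTime", "Set to $Minutes minute(s)")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name BlockTime -PropertyType DWord -Value $Minutes -Force | Out-Null
    }
}

# Read-only report of the effective block period on this machine.
Get-Dot1xBlockTime | Format-Table -AutoSize
```

Running <code>Set-Dot1xBlockTime -Interface Wired -Minutes 1 -WhatIf</code> shows the change that would be made without writing to the registry.
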
==== Windows XP ====
Windows XP has major issues with its handling of IP address changes resulting from user-based 802.1X authentication that changes the VLAN and thus subnet of clients.<ref>{{cite web|url=http://support.microsoft.com/kb/935638 |title=You experience problems when you try to obtain Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller |website=Microsoft Support |date=2007-09-14 |access-date=2010-02-10 |archive-url=https://web.archive.org/web/20080422000723/http://support.microsoft.com/kb/935638 |archive-date=2008-04-22}}</ref> Microsoft has stated that it will not backport the [[Single sign-on|SSO]] feature from Vista that resolves these issues.<ref>{{cite web|url=http://social.technet.microsoft.com/forums/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/ |title=802.1x with dynamic vlan switching - Problems with Roaming Profiles |quote=With Vista, this is not a problem at all with the SSO feature, however, this feature does not exist in XP and unfortunately, we do not have any plans to backport this feature to XP as it is just too complex a change. |website=Microsoft TechNet Forums |access-date=2010-02-10 |archive-url=https://web.archive.org/web/20110824194607/http://social.technet.microsoft.com/forums/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/ |archive-date=2011-08-24}}</ref>

If users are not logging in with roaming profiles, a hotfix must be downloaded and installed if authenticating via PEAP with PEAP-MSCHAPv2.<ref>{{cite web|url=http://support.microsoft.com/kb/969111 |title=A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1X authentication when you use PEAP with PEAP-MSCHAPv2 in a domain |website=Microsoft support |date=2009-04-23 |access-date=2010-03-23 |archive-url=https://web.archive.org/web/20100316162915/http://support.microsoft.com/kb/969111 |archive-date=2010-03-16}}</ref>

==== Windows Vista ====
Windows Vista-based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed into the wrong VLAN. A hotfix is available to correct this.<ref name="Support.microsoft.com">{{cite web|url=https://support.microsoft.com/en-us/topic/a-computer-that-is-connected-to-an-ieee-802-1x-authenticated-network-via-another-802-1x-enabled-device-does-not-connect-to-the-correct-network-1ab27ed2-3ccb-fc02-19d2-5fb36b4c0bf2 |title= A computer that is connected to an IEEE 802.1X authenticated network through a VOIP phone does not connect to the correct network after you resume it from Hibernate mode or Sleep mode |website=Microsoft Support |date=2010-02-08 |access-date=2022-07-03}}</ref>

==== Windows 7 ====
Windows 7-based computers that are connected via an IP phone may not authenticate as expected and, consequently, the client can be placed into the wrong VLAN. A hotfix is available to correct this.<ref name="Support.microsoft.com"/>

Windows 7 does not respond to 802.1X authentication requests after initial 802.1X authentication fails. This can cause significant disruption to clients. A hotfix is available to correct this.<ref>{{cite web|url=http://support.microsoft.com/kb/980295 |title=No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 |website=Microsoft Support |date=2010-03-08 |access-date=2010-03-23 |archive-url=https://web.archive.org/web/20101114001734/http://support.microsoft.com/kb/980295 |archive-date=2010-11-14}}</ref>

==== Windows PE ====
[[Windows PE]] does not have native support for 802.1X. However, support can be added to WinPE 2.1<ref>{{cite web|url=http://support.microsoft.com/kb/975483 |title=Windows PE 2.1 does not support the IEEE 802.1X authentication protocol |website=Microsoft Support |date=2009-12-08 |access-date=2010-02-10 |archive-url=https://web.archive.org/web/20100305170820/http://support.microsoft.com/kb/975483 |archive-date=2010-03-05}}</ref> and WinPE 3.0<ref>{{cite web|url=https://support.microsoft.com/en-us/topic/the-ieee-802-1x-authentication-protocol-is-not-supported-in-windows-preinstall-environment-pe-3-0-a3f0be1d-e688-4925-53ef-49a4139aae3a |title=The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0 |website=Microsoft Support |date=2009-12-08 |access-date=2022-07-03}}</ref> through hotfixes that are available from Microsoft.
Although full documentation is not yet available, preliminary documentation for the use of these hotfixes is available via a Microsoft blog.<ref>{{cite web|url=http://blogs.technet.com/deploymentguys/archive/2010/03/02/adding-support-for-802-1x-to-winpe.aspx |title=Adding Support for 802.1X to WinPE |work=The Deployment Guys blog |date=2010-03-02 |access-date=2010-03-03 |archive-url=https://web.archive.org/web/20110617114548/http://blogs.technet.com/b/deploymentguys/archive/2010/03/02/adding-support-for-802-1x-to-winpe.aspx |archive-date=2011-06-17}}</ref>

=== Linux ===
Most [[Linux distribution]]s support 802.1X via [[wpa_supplicant]] and desktop integration like [[NetworkManager]].

=== Apple devices ===
As of [[iOS 17]] and [[MacOS Sonoma|macOS 14]], Apple devices support connecting to 802.1X networks using [[Extensible Authentication Protocol|EAP-TLS]] with TLS 1.3 (EAP-TLS 1.3). Additionally, devices running iOS/iPadOS/tvOS 17 or later support wired 802.1X networks.<ref>{{cite web|url=https://developer.apple.com/documentation/ios-ipados-release-notes/ios-ipados-17-release-notes |title=iOS 17 beta 4 developer release notes |website=Apple Developer |date=2023-07-25 |access-date=2023-07-25}}</ref><ref>{{cite web|url=https://developer.apple.com/documentation/macos-release-notes/macos-14-release-notes |title=macOS 14 beta 4 developer release notes |website=Apple Developer |date=2023-07-25 |access-date=2023-07-25}}</ref>

===Federations===
[[eduroam]] (the international roaming service) mandates the use of 802.1X authentication when providing network access to guests visiting from other eduroam-enabled institutions.<ref>{{cite web|url = https://eduroam.org/how/ |title = How does eduroam work? |website = [[eduroam]] |access-date = 2022-07-03}}</ref>

[[BT Group|BT]] (British Telecom, PLC) employs Identity Federation for authentication in services delivered to a wide variety of industries and governments.<ref>{{cite web|url = http://www.ca.com/files/SuccessStories/bt_ss_165270.pdf |title = BT Identity and Access Management |access-date = 2010-08-17 | archive-url = https://web.archive.org/web/20110613160018/http://www.ca.com/files/SuccessStories/bt_ss_165270.pdf | archive-date = 2011-06-13}}</ref>