802.1X authentication involves three parties: a supplicant, an authenticator, and an
authentication server. The supplicant is a client device (such as a laptop) that wishes to
attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the
software running on the client that provides credentials to the authenticator. The
authenticator is a network device, such as an Ethernet switch or wireless access point;
and the authentication server is typically a host running software supporting the RADIUS
and EAP protocols.
The authenticator acts like a security guard to a protected network. The supplicant (i.e.,
client device) is not allowed access through the authenticator to the protected side of the
network until the supplicants identity has been validated and authorized. An analogy to this
is providing a valid visa at the airport's arrival immigration before being allowed to enter the
country. With 802.1X port-based authentication, the supplicant provides credentials, such
as user name/password or digital certificate, to the authenticator, and the authenticator
forwards the credentials to the authentication server for verification. If the authentication
server determines the credentials are valid, the supplicant (client device) is allowed to
access resources located on the protected side of the network.