IEEE 802.1X

IEEE 802.1X

IEEE 802.1X is an IEEE Standard for port-based Network Access Control; it is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN port, either establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for most wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP).

Overview

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server. The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and an authentication server is generally a RADIUS database. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity is authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network. [citeweb|title=802.1xX Port-Based Authentication Concepts|url=http://www.wireless-nets.com/resources/downloads/802.1x_C2.html|accessdate=2008-07-30]

Upon detection of the new client (supplicant), the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator sends out the EAP-Request identity to the supplicant, the supplicant responds with the EAP-response packet that the authenticator forwards to the authenticating server. If the authenticating server accepts the request, the authenticator sets the port to the "authorized" mode and normal traffic is allowed. When the supplicant logs off, it sends an EAP-logoff message to the authenticator. The authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.

Implementations

Wireless Access Points

Wi-Fi access point vendors now use 802.11i which implements 802.1X for wireless access points to address the security vulnerabilities found in WEP. The authenticator role is either performed by the access point itself via a pre-shared key (referred to as WPA2-PSK) or for larger enterprises, by a third-party entity, such as a RADIUS server. This provides for client-only authentication or, more appropriately, strong mutual authentication using protocols such as EAP-TLS.

oftware

Windows XP and Windows Vista support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack. Windows Mobile 2003 and later operating systems also come with a native 802.1X client. Windows XP has major issues with an IP address change (Dynamic VLAN) as the result of a user 802.1X validation [ [http://support.microsoft.com/?kbid=935638 Problems when obtaining Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller] ] , and Microsoft will not backport the SSO feature from Vista which avoids these issues. [ [http://forums.technet.microsoft.com/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/ 802.1x with dynamic vlan switching - Problems with Roaming Profiles] ]

A project for Linux known as Open1X produces an open source client, Xsupplicant. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types. [ [http://hostap.epitest.fi/cgi-bin/viewcvs.cgi/*checkout*/hostap/wpa_supplicant/eap_testing.txt eap_testing.txt from wpa_supplicant] ]

Mac OS X has offered native support since 10.3. The iPhone and iPod Touch support 802.1x as of the release of iPhone OS 2.0. [cite web|url = http://www.apple.com/iphone/enterprise/ |title = Apple - iPhone - Enterprise |accessdate = 2008-07-31]

Vulnerabilities

In the summer of 2005, Microsoft's Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol, involving a man in the middle attack. In summary, the flaw is in the fact that 802.1X authenticates only at the beginning of the connection, but that after authentication, it's possible for an attacker to use the authenticated port if he has the ability to physically insert himself (perhaps using a workgroup hub) between the authenticated computer and the port. Riley then suggests that for wired networks, using IPSec or a combination of IPSec and 802.1X would be more secure. [ [http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx Steve Riley's article on the 802.1x vulnerabilities] ]

ee also

AEGIS (network)

References

External links

* [http://www.ieee802.org/1/pages/802.1x-2004.html IEEE page on 802.1X]
*
* [http://www.itdojo.com/synner/html/synner2/synner2_p1.htm Using 802.1x port authentication to control who can connect to your network]
* [http://articles.techrepublic.com.com/5100-1035-6148579.html Configure RADIUS for secure 802.1x wireless LAN]
* [http://articles.techrepublic.com.com/5100-1035-6148560.html How to self-sign a RADIUS server for secure 802.1x PEAP or EAP-TTLS authentication]
* [http://wire.cs.nthu.edu.tw/wire1x/ WIRE1x]
* [http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6B20-4CEF-9939-47C397FFD3DD&displaylang=en Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows]

***********************


Wikimedia Foundation. 2010.

Игры ⚽ Нужен реферат?

Look at other dictionaries:

  • IEEE 802.11 — is a set of standards for wireless local area network (WLAN) computer communication, developed by the IEEE LAN/MAN Standards Committee (IEEE 802) in the 5 GHz and 2.4 GHz public spectrum bands.General descriptionThe 802.11 family includes over… …   Wikipedia

  • IEEE 802.11 — (auch: Wireless LAN (WLAN), Wi Fi) bezeichnet eine IEEE Norm für Kommunikation in Funknetzwerken. Herausgeber ist das Institute of Electrical and Electronics Engineers (IEEE). Die erste Version des Standards wurde 1997 verabschiedet. Sie… …   Deutsch Wikipedia

  • IEEE 802.3 — est une norme pour les réseaux informatiques édictée par l Institute of Electrical and Electronics Engineers (IEEE). Cette norme est généralement connue sous le nom d Ethernet. C est aussi un sous comité du comité IEEE 802 comprenant plusieurs… …   Wikipédia en Français

  • Ieee 802 — est un comité de l IEEE qui décrit une famille de normes relatives aux réseaux locaux (LAN) et métropolitains (MAN) basés sur la transmission de données numériques par le biais de liaisons filaires ou sans fil. Plus spécifiquement, les normes… …   Wikipédia en Français

  • Ieee 802.3 — est une norme pour les réseaux informatiques édictée par l Institute of Electrical and Electronics Engineers (IEEE). Cette norme est généralement connue sous le nom d Ethernet. C est aussi un sous comité du comité IEEE 802 comprenant plusieurs… …   Wikipédia en Français

  • IEEE 802 — группа стандартов семейства IEEE, касающихся локальных вычислительных сетей (LAN) и сетей мегаполисов (MAN). В частности, стандарты IEEE 802 ограничены сетями с пакетами переменной длины. Число 802 являлось следующим свободным номером для… …   Википедия

  • IEEE 802.15 — is the 15th working group of the IEEE 802 which specializes in Wireless PAN (Personal Area Network) standards. It includes six task groups (numbered from 1 to 6):Task group 1 (WPAN/Bluetooth)IEEE 802.15.1 2002 has derived a Wireless Personal Area …   Wikipedia

  • IEEE 802 — est un comité de l IEEE qui décrit une famille de normes relatives aux réseaux locaux (LAN) et métropolitains (MAN) basés sur la transmission de données numériques par le biais de liaisons filaires ou sans fil. Plus spécifiquement, les normes… …   Wikipédia en Français

  • IEEE 802 — refers to a family of IEEE standards dealing with local area networks and metropolitan area networks.More specifically, the IEEE 802 standards are restricted to networks carrying variable size packets. (By contrast, in cell based networks data is …   Wikipedia

  • IEEE 802.15.4a — (formally called IEEE 802.15.4a 2007) is an amendment to IEEE 802.15.4 (formally called IEEE 802.15.4 20060 specifying that additional physical layers (PHYs) be added to the original standard.OverviewIEEE 802.15.4 2006 specified four different… …   Wikipedia

  • Ieee 802.11 — Exemple d équipement fabriqué sur les recommandations de la norme IEEE 802.11. Ici, un routeur avec switch 4 ports intégré de la marque Linksys. IEEE 802.11 est un terme qui désigne un ensemble de normes concernant les réseaux sans fil qui ont… …   Wikipédia en Français

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”