- IEEE 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control; it is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices wishing to attach to a LAN port, either establishing a point-to-point connection or preventing access from that port if authentication fails. It is the authentication framework behind WPA-Enterprise and WPA2-Enterprise on 802.11 wireless access points, and it is based on the Extensible Authentication Protocol (EAP), which it carries directly over the LAN as EAP over LAN (EAPOL).
802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator, and an authentication server. The supplicant is usually software on a client device such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server backed by a user database. The authenticator acts like a security guard for the protected network: the supplicant (the client device) is not allowed through the authenticator to the protected side of the network until its identity has been authorized, much as a valid passport must be shown at an airport before passing through security to the terminal. With 802.1X port-based authentication the supplicant presents credentials, such as a user name and password or a digital certificate; the authenticator does not verify them itself but relays the EAP exchange to the authentication server (typically as EAP over RADIUS). If the authentication server accepts the credentials, the supplicant is allowed to access resources on the protected side of the network. [cite web|title=802.1X Port-Based Authentication Concepts|url=http://www.wireless-nets.com/resources/downloads/802.1x_C2.html|accessdate=2008-07-30]
When a new client (supplicant) is detected, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state only 802.1X traffic (EAPOL, EtherType 0x888E) is allowed; all other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator sends an EAP-Request/Identity to the supplicant; the supplicant answers with an EAP-Response/Identity, which the authenticator forwards to the authentication server, and the rest of the EAP method exchange (for example EAP-TLS) is relayed through the authenticator in the same way. If the authentication server accepts the request, the authenticator passes the EAP-Success to the supplicant, sets the port to the "authorized" state, and normal traffic is allowed. When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator, which returns the port to the "unauthorized" state, once again blocking all non-EAPOL traffic.
Wireless Access Points
Wi-Fi access point vendors now use IEEE 802.11i (marketed as WPA2), which incorporates 802.1X, to address the security vulnerabilities found in WEP. In the pre-shared key mode (WPA2-PSK, also called WPA2-Personal) the access point verifies the shared secret itself and no authentication server or EAP exchange is involved; in the enterprise mode the access point acts as the 802.1X authenticator and relays EAP to an authentication server, typically RADIUS. The enterprise mode allows either client-only authentication or, more appropriately, strong mutual authentication using protocols such as EAP-TLS. With tunnelled methods such as PEAP or EAP-TTLS the supplicant must be configured to validate the server's certificate, otherwise a rogue access point can harvest the inner credentials.
Windows XP and Windows Vista support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack. Windows Mobile 2003 and later operating systems also come with a native 802.1X client. Windows XP has major issues with an IP address change (dynamic VLAN assignment) as the result of a user's 802.1X authentication [http://support.microsoft.com/?kbid=935638 Problems when obtaining Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller], and Microsoft will not backport the single sign-on (SSO) feature from Vista, which avoids these issues. [http://forums.technet.microsoft.com/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/ 802.1x with dynamic vlan switching - Problems with Roaming Profiles]
A project for Linux known as Open1X produces an open source client, Xsupplicant. The more general wpa_supplicant can be used for both 802.11 wireless networks and wired networks. Both support a very wide range of EAP types. [http://hostap.epitest.fi/cgi-bin/viewcvs.cgi/*checkout*/hostap/wpa_supplicant/eap_testing.txt eap_testing.txt from wpa_supplicant] Mac OS X has offered native support since 10.3. The iPhone and iPod Touch support 802.1X as of the release of iPhone OS 2.0. [cite web|url=http://www.apple.com/iphone/enterprise/ |title=Apple - iPhone - Enterprise |accessdate=2008-07-31]
In the summer of 2005, Microsoft's Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol involving a man-in-the-middle attack. In summary, the flaw is that 802.1X authenticates only at the beginning of the connection; once the port is authorized, an attacker who can physically insert himself between the authenticated computer and the port (for example using a workgroup hub) can send his own traffic through the authorized port, because the switch authorizes the port rather than each frame. Riley suggests that for wired networks, using IPsec, or a combination of IPsec and 802.1X, would be more secure. [http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx Steve Riley's article on the 802.1x vulnerabilities] The 2010 revision of the standard (IEEE 802.1X-2010) addresses the same weakness by using the 802.1X exchange to key IEEE 802.1AE (MACsec), which authenticates and encrypts every frame on the link.
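The port-state exchange described above (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, the method exchange relayed to the authentication server, EAP-Success, EAPOL-Logoff) and Riley's hub-insertion attack, as an added Python example that is not part of the original article and not code from any 802.1X implementation. It simulates one authenticator port with a stand-in for the RADIUS server. The MAC addresses, the identity `alice@example.test`, the credential table and the single-round `EAP_TYPE_STANDIN` method (used in place of a multi-round method such as EAP-TLS) are constructed for the example; `bind_to_mac` models the common "single-host" mitigation and shows why it fails against a spoofed source MAC.

```python
"""Simulation of one IEEE 802.1X authenticator port.  Added example, not from the
article or any real implementation.  Models the EAPOL exchange, the port's
authorized/unauthorized traffic filter and the post-authentication hub-insertion
attack.  Constructed for the example: MACs, identities, the credential table and
EAP_TYPE_STANDIN, a one-round stand-in for a multi-round method such as EAP-TLS."""
from dataclasses import dataclass

ETHERTYPE_EAPOL, ETHERTYPE_IPV4 = 0x888E, 0x0800                  # EAPOL is all an unauthorized port passes
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY, EAP_TYPE_STANDIN = 1, 255                      # 255 = RFC 3748 experimental type


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: object = None   # EAPOL frames carry (eapol_type, eap); eap = (code, type, data)


class AuthenticationServer:
    """Stand-in for a RADIUS server holding the user database."""
    def __init__(self, users):
        self._users = users
    def access_request(self, identity, credential):   # True = Access-Accept
        return self._users.get(identity) == credential


class AuthenticatorPort:
    """One switch port in the authenticator role."""
    def __init__(self, server, bind_to_mac=False):
        self.server = server
        self.bind_to_mac = bind_to_mac   # "single-host" mode: pin the port to the authenticated MAC
        self.authorized, self.authorized_mac, self.pending_identity = False, None, None

    def receive(self, frame):
        """Returns "FORWARDED"/"DROPPED" for ordinary traffic, "LOGGED_OFF" for
        EAPOL-Logoff, or the EAP message (code, type, data) the port sends back."""
        if frame.ethertype != ETHERTYPE_EAPOL:
            if not self.authorized:
                return "DROPPED"         # DHCP, HTTP, ... blocked at the data link layer
            if self.bind_to_mac and frame.src_mac != self.authorized_mac:
                return "DROPPED"         # helps only until the attacker spoofs the MAC
            return "FORWARDED"           # the port, not the frame, is what was authorized
        eapol_type, eap = frame.payload
        if eapol_type == EAPOL_START:
            return (EAP_REQUEST, EAP_TYPE_IDENTITY, None)
        if eapol_type == EAPOL_LOGOFF:
            self.authorized, self.authorized_mac, self.pending_identity = False, None, None
            return "LOGGED_OFF"
        if not eap or eap[0] != EAP_RESPONSE:   # a supplicant only ever sends EAP-Response
            return "DROPPED"
        _, eap_type, data = eap
        if eap_type == EAP_TYPE_IDENTITY:
            self.pending_identity = data     # relayed to the server as EAP over RADIUS
            return (EAP_REQUEST, EAP_TYPE_STANDIN, "challenge")
        if eap_type == EAP_TYPE_STANDIN and self.pending_identity is not None:
            if self.server.access_request(self.pending_identity, data):
                self.authorized, self.authorized_mac = True, frame.src_mac
                return (EAP_SUCCESS, None, None)
            self.pending_identity = None
            return (EAP_FAILURE, None, None)
        return "DROPPED"


def eapol(src_mac, eapol_type, eap=None):
    return Frame(src_mac, ETHERTYPE_EAPOL, (eapol_type, eap))

def http(src_mac):
    return Frame(src_mac, ETHERTYPE_IPV4, b"GET / HTTP/1.0")

USERS = {"alice@example.test": "s3cret"}                     # constructed credential table
LAPTOP, ATTACKER = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MAC addresses
IDENTITY = (EAP_RESPONSE, EAP_TYPE_IDENTITY, "alice@example.test")


def run_session(bind_to_mac=False):
    """Full supplicant session on one port, then the hub-insertion attack."""
    port = AuthenticatorPort(AuthenticationServer(USERS), bind_to_mac)
    r = {}
    r["http_before"] = port.receive(http(LAPTOP))
    r["start"] = port.receive(eapol(LAPTOP, EAPOL_START))
    r["identity"] = port.receive(eapol(LAPTOP, EAPOL_EAP_PACKET, IDENTITY))
    r["credential"] = port.receive(eapol(LAPTOP, EAPOL_EAP_PACKET, (EAP_RESPONSE, EAP_TYPE_STANDIN, "s3cret")))
    r["http_after"] = port.receive(http(LAPTOP))
    r["attacker_after"] = port.receive(http(ATTACKER))   # second host behind a hub on the same port
    r["attacker_spoofed"] = port.receive(http(LAPTOP))   # the attacker now copies the laptop's MAC
    r["logoff"] = port.receive(eapol(LAPTOP, EAPOL_LOGOFF))
    r["attacker_after_logoff"] = port.receive(http(ATTACKER))
    return r


def bad_credential():
    """Wrong credential: EAP-Failure, and the port stays unauthorized."""
    port = AuthenticatorPort(AuthenticationServer(USERS))
    port.receive(eapol(LAPTOP, EAPOL_EAP_PACKET, IDENTITY))
    reply = port.receive(eapol(LAPTOP, EAPOL_EAP_PACKET, (EAP_RESPONSE, EAP_TYPE_STANDIN, "wrong")))
    return reply, port.authorized
```

Calling `run_session()` shows the HTTP frame dropped before authentication, the EAP replies at each step, and then every frame forwarded once the laptop has authenticated, including the frames from the second MAC on the same port. With `run_session(bind_to_mac=True)` the attacker's own MAC is dropped but a frame carrying the laptop's MAC still goes through, which is why Riley's recommendation protects the traffic itself with IPsec rather than relying on the port's authorized state.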
* [http://www.ieee802.org/1/pages/802.1x-2004.html IEEE page on 802.1X]
* [http://www.itdojo.com/synner/html/synner2/synner2_p1.htm Using 802.1x port authentication to control who can connect to your network]
* [http://articles.techrepublic.com.com/5100-1035-6148579.html Configure RADIUS for secure 802.1x wireless LAN]
* [http://articles.techrepublic.com.com/5100-1035-6148560.html How to self-sign a RADIUS server for secure 802.1x PEAP or EAP-TTLS authentication]
* [http://wire.cs.nthu.edu.tw/wire1x/ WIRE1x]
* [http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6B20-4CEF-9939-47C397FFD3DD&displaylang=en Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows]
Wikimedia Foundation. 2010.