IEEE 802.1X

IEEE 802.1X is an IEEE Standard for port-based Network Access Control; it is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN port, either establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for most wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP).

Overview
802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator, and an authentication server. The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS database. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity is authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal. With 802.1X port-based authentication, the supplicant provides credentials, such as a user name/password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network. [802.1X Port-Based Authentication Concepts, http://www.wireless-nets.com/resources/downloads/802.1x_C2.html, accessed 2008-07-30]

Upon detection of the new client (supplicant), the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator sends an EAP-Request Identity to the supplicant; the supplicant responds with an EAP-Response packet, which the authenticator forwards to the authentication server. If the authentication server accepts the request, the authenticator sets the port to the "authorized" mode and normal traffic is allowed. When the supplicant logs off, it sends an EAP-Logoff message to the authenticator. The authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.

Implementations
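A minimal model of the authenticator port state machine described in the Overview, added here as an example (it is not code from any 802.1X implementation or from the projects named on this page): only EAPOL frames (EtherType 0x888E) pass while the port is unauthorized, an EAP-Response/Identity is handed to a stand-in authentication server, and EAPOL-Logoff re-blocks the port. The EAPOL and EAP constants are the real on-the-wire values; the auth_server callback, the zero source MAC and the frame bytes are constructed assumptions.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                         # real 802.1X / RFC 3748 values
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address


def eapol_frame(eapol_type, body=b"", src=b"\x00" * 6):
    """Ethernet header + EAPOL header + body (constructed test frame)."""
    hdr = PAE_GROUP_MAC + src + struct.pack(">H", ETHERTYPE_EAPOL)
    return hdr + struct.pack(">BBH", 2, eapol_type, len(body)) + body


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header (code, identifier, length) followed by optional type + data."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack(">BBH", code, ident, 4 + len(payload)) + payload


class AuthenticatorPort:
    """Port state machine: while 'unauthorized' only EAPOL frames get through."""

    def __init__(self, auth_server):
        # hypothetical stand-in for the RADIUS lookup; real deployments run an EAP method (e.g. EAP-TLS) here
        self.state = "unauthorized"
        self.auth_server = auth_server

    def receive(self, frame):
        """Return 'forwarded'/'dropped'/'logoff', or the EAP code sent back."""
        (ethertype,) = struct.unpack(">H", frame[12:14])
        if ethertype != ETHERTYPE_EAPOL:           # DHCP, HTTP, ... from the client
            return "forwarded" if self.state == "authorized" else "dropped"
        _, eapol_type, length = struct.unpack(">BBH", frame[14:18])
        if eapol_type == EAPOL_LOGOFF:             # client logs off: re-block the port
            self.state = "unauthorized"
            return "logoff"
        if eapol_type == EAPOL_START:              # client asks to authenticate
            return EAP_REQUEST                     # authenticator requests identity
        if eapol_type != EAPOL_EAP_PACKET or len(frame) < 23:
            return "dropped"
        code, _, _ = struct.unpack(">BBH", frame[18:22])
        if code == EAP_RESPONSE and frame[22] == EAP_TYPE_IDENTITY:
            identity = frame[23:18 + length].decode()
            if self.auth_server(identity):         # forwarded to the auth server
                self.state = "authorized"
                return EAP_SUCCESS
            return EAP_FAILURE
        return "dropped"
```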
Wireless Access Points
Wi-Fi access point vendors now use 802.11i, which implements 802.1X for wireless access points to address the security vulnerabilities found in WEP. The authenticator role is performed either by the access point itself via a pre-shared key (referred to as WPA2-PSK) or, for larger enterprises, by a third-party entity such as a RADIUS server. This provides for client-only authentication or, more appropriately, strong mutual authentication using protocols such as EAP-TLS.

Software
Windows XP and Windows Vista support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack. Windows Mobile 2003 and later operating systems also come with a native 802.1X client. Windows XP has major issues with an IP address change (Dynamic VLAN) as the result of a user 802.1X validation [Problems when obtaining Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller, http://support.microsoft.com/?kbid=935638], and Microsoft will not backport the SSO feature from Vista which avoids these issues. [802.1x with dynamic vlan switching - Problems with Roaming Profiles, http://forums.technet.microsoft.com/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/]

A project for Linux known as Open1X produces an open source client, Xsupplicant. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types. [eap_testing.txt from wpa_supplicant, http://hostap.epitest.fi/cgi-bin/viewcvs.cgi/*checkout*/hostap/wpa_supplicant/eap_testing.txt]

Mac OS X has offered native support since 10.3. The iPhone and iPod Touch support 802.1X as of the release of iPhone OS 2.0. [Apple - iPhone - Enterprise, http://www.apple.com/iphone/enterprise/, accessed 2008-07-31]

Vulnerabilities
In the summer of 2005, Microsoft's Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol, involving a man-in-the-middle attack. In summary, the flaw is that 802.1X authenticates only at the beginning of the connection; after authentication, an attacker can use the authenticated port if he is able to physically insert himself (perhaps using a workgroup hub) between the authenticated computer and the port. Riley then suggests that for wired networks, using IPsec or a combination of IPsec and 802.1X would be more secure. [Steve Riley's article on the 802.1x vulnerabilities, http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx]

See also
* AEGIS (network)

External links
* [http://www.ieee802.org/1/pages/802.1x-2004.html IEEE page on 802.1X]
* [http://www.itdojo.com/synner/html/synner2/synner2_p1.htm Using 802.1x port authentication to control who can connect to your network]
* [http://articles.techrepublic.com.com/5100-1035-6148579.html Configure RADIUS for secure 802.1x wireless LAN]
* [http://articles.techrepublic.com.com/5100-1035-6148560.html How to self-sign a RADIUS server for secure 802.1x PEAP or EAP-TTLS authentication]
* [http://wire.cs.nthu.edu.tw/wire1x/ WIRE1x]
* [http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6B20-4CEF-9939-47C397FFD3DD&displaylang=en Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows]

Wikimedia Foundation. 2010.