IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC)("port" meaning a single point of attachment to the LAN infrastructure). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN, either establishing a point-to-point connection or preventing it if authentication fails. It is used for most wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP).
Contents |
Overview
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server. The supplicant is often software on a client device, such as a laptop; the authenticator is a wired ethernet switch or wireless access point; and the authentication server is typically a host running software capable of speaking the RADIUS and EAP protocols.
The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network.[1]
Protocol operation
Port entities
802.1X-2001 defines two logical port entities for an authenticated port the "controlled port" and the "uncontrolled port". The controlled port is manipulated by the 802.1X PAE (Port Access Entity) to allow (in the authorized state) or prevent (in the unauthorized state) network traffic ingressing and egressing (if administratively configured) to/from the controlled port. The uncontrolled port is used by the 802.1X PAE to transmit and receive EAPOL frames.
802.1X-2004 defines the equivalent port entities for the supplicant; so a supplicant implementing 802.1X-2004 may prevent higher level protocols being used if it is not content that authentication has successfully completed. This is particularly useful when an EAP method providing Mutual Authentication is used, as the supplicant can prevent data leakage when connected to an unauthorized network.
Typical authentication progression
- Initialization On detection of the new client (supplicant), the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the network layer (Layer 3).
- Initiation To initiate authentication the authenticator will periodically transmit an EAP-Request Identity frame to a special Layer 2 address on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame (containing an identifier for the supplicant such as a User ID). The authenticator then encapsulates this Identity response (typically encapsulated within a RADIUS Access-Request packet) and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator (the authenticator will reply with an EAP-Request Identity frame).
- Negotiation The authentication server sends a reply (typically encapsulated within a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (The type of EAP based authentication) it wishes the supplicant to perform. The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can NAK the requested EAP Method and respond with the EAP Methods it's willing to perform, or start the requested EAP Method.
- Authentication If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (typically encapsulated within a RADIUS Access-Accept packet), or an EAP-Failure message (typically encapsulated within a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" mode and normal traffic is allowed. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator. The authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
Implementations
Authenticators
Wireless Access Points
Wi-Fi access point vendors now use 802.11i which implements 802.1X for wireless access points to address the security vulnerabilities found in WEP. The authenticator role is either performed by the access point itself via a pre-shared key (referred to as WPA2-PSK) or for larger enterprises, by a third-party entity, such as a RADIUS server. This provides for client-only authentication or, more appropriately, strong mutual authentication using protocols such as EAP-TLS.
Supplicants
Windows XP, Windows Vista, and Windows 7 support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack (SP4) for wired connections. Windows Mobile 2003 and later operating systems also come with a native 802.1X client.
An open source project known as Open1X produces a client, Xsupplicant. This client currently is available for both Linux and Windows. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types.[2]
Mac OS X has offered native support since 10.3. The iPhone and iPod Touch support 802.1X as of the release of iPhone OS 2.0.[3]
Federations
eduroam (the international roaming service), mandates the use of 802.1X authentication when providing network access to guests visiting from other eduroam enabled institutions[4].
Vulnerabilities in 802.1X-2001/2004
In the summer of 2005, Microsoft's Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol, involving a man in the middle attack. In summary, the flaw is in the fact that 802.1X authenticates only at the beginning of the connection, but that after authentication, it's possible for an attacker to use the authenticated port if he has the ability to physically insert himself (perhaps using a workgroup hub) between the authenticated computer and the port. Riley then suggests that for wired networks, using IPsec or a combination of IPsec and 802.1X would be more secure.[5]
Some vendors have extended the 802.1X 2001/2004 protocol, allowing multiple concurrent authentication sessions to occur on a single port. Whilst this prevents traffic from devices with unauthenticated MAC-Addresses ingressing on an 802.1X authenticated port, it will not stop a malicious device snooping on traffic from an authenticated device and provides no protection against MAC spoofing.
The draft specification 802.1X-REV addresses vulnerabilities in previous 802.1X specifications, by using MACSec IEEE 802.1AE to encrypt data between logical ports (running on top of a physical port) and authenticated devices [6].
General issues
EAPOL-Logoff frames transmitted by the 802.1X supplicant are sent in the clear and contain no data derived from the credential exchange that initially authenticated the client. They are therefore trivially easy to spoof, and can be used as part of a targeted DoS on both wired and wireless LANs. In an EAPOL-Logoff attack a malicious third party with access to the medium the authenticator is attached to, repeatedly sends forged EAPOL-Logoff frames from the target device's MAC Address. The authenticator (believing that the targeted device wishes to end its authentication session) closes the target's authentication session, blocking traffic ingressing from the target, denying it access to the network [7].
Supplicant shortcomings
Windows PE
For most enterprises deploying and rolling out operating systems remotely its worth noting that Windows PE does not have any support for 802.1X. Intel does however support a 802.1X client through Intel vPro and AMT at its hardware layer being able to authenticate at boot.
Windows XP
Windows XP has major issues with an IP-Address/VLAN change as the result of a user 802.1X validation [8], and Microsoft will not backport the SSO feature from Vista which avoids these issues. [9]
See also
References
- ^ "802.1xX Port-Based Authentication Concepts". http://www.wireless-nets.com/resources/downloads/802.1x_C2.html. Retrieved 2008-07-30.
- ^ eap_testing.txt from wpa_supplicant
- ^ "Apple - iPhone - Enterprise". http://www.apple.com/iphone/enterprise/. Retrieved 2008-07-31.
- ^ "Eduroam - About". http://www.eduroam.org/index.php?p=about. Retrieved 2009-11-29.
- ^ Steve Riley's article on the 802.1X vulnerabilities
- ^ "802.1X-REV: Ya’ Heard it Here First!". http://securityuncorked.com/2008/05/8021x-rev-ya-heard-it-here-first/. Retrieved 2009-11-24.
- ^ "EAPOL-Logoff Attack". http://www.manageengine.com/products/wifi-manager/eapol-logoff-attack.html.
- ^ Problems when obtaining Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller
- ^ 802.1X with dynamic vlan switching - Problems with Roaming Profiles
External links
- IEEE page on 802.1X
- GetIEEE802 Download 802.1X-2001
- GetIEEE802 Download 802.1X-2004
- Using 802.1x port authentication to control who can connect to your network
- Configure RADIUS for secure 802.1x wireless LAN
- How to self-sign a RADIUS server for secure 802.1x PEAP or EAP-TTLS authentication
- WIRE1x
- Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows
This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)
