Crash Course: 802.1X: The Great Authenticator

802.1X is a simple protocol with a high level of responsibility. Built for wired networks, then extended to wireless, it provides network-access controls by ensuring appropriate credentials are received. A fully enabled 802.1X architecture won't allow access to unauthorized users: All communication is blocked. Only after authentication can an end-user device transmit or receive network traffic. The protocol also can limit users to particular VLANs and quarantine users whose devices do not pass security muster.

NETWORK ACCESS CONTROL
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

802.1X is not a new protocol, so why is it imperative that it be implemented now? Tougher access-level security, native 802.1X support in both wired and wireless infrastructure, and developments in applications that ensure end-user device integrity make considering a full-scale 802.1X implementation within your enterprise a very desirable option.

Of course, 802.1X is only one piece of enterprise security; other options to consider are strong, multifactor user authentication and a defense-in-depth layered security approach. But 802.1X's flexibility and simplistic way of implementing the right controls and stopgaps at the network's edge make it appropriate for any network.

Security appliances that support 802.1X don't do their jobs alone: They use 802.1X to make informed network-access decisions. These devices (switches and wireless access points, for example) rely heavily on the negotiation between client devices and the back-end authentication infrastructure to validate credentials and perform more process-intensive operations.

Virtual Confinement

When 802.1X was first introduced on wired networks, it used the client device's MAC (Media Access Control) address to determine access control and VLAN assignment. Now the protocol also employs user credentials--including user names and passwords, PKI (public key infrastructure) certificates, RSA SecureID designations and end-user device configuration settings--to ascertain appropriate access. Users can be categorized and segmented, thereby limiting access to network resources based on the level of trust assigned to the credentials presented and the security posture of the end-user device.

In addition, 802.1X can be used to quarantine users. 802.1X can map a user to a particular VLAN ID based on his credentials or his device's security posture. To do this, 802.1X uses EAP (Extensible Authentication Protocol) messages received from the authentication server. If a user's antivirus and anti-spyware software is out-of-date or nonexistent, for instance, the user can be assigned to a quarantined VLAN, and the VLAN can be configured so that the client can download only updates and patches to meet security requirements.

A VLAN-based quarantine can be enabled for any client as it attempts to connect. This prevents clients from spreading potentially harmful worms or viruses. Quarantine actions can be implemented by means other than 802.1X, such as with DHCP or VPN controls, but 802.1X is the most-effective means of suspending access to the network by noncompliant client devices since it affords complete control over VLAN assignment.How It All Fits

An 802.1X setup requires three system components: the supplicant, the authenticator and the authentication server. The supplicant software resides on the client. Supplicants seek access to the network through a wired or wireless access point or switch, which functions as the authenticator. The authenticator takes the 802.1X credentials and proxies them to an authentication server. The authentication server then responds positively or negatively to the authenticator, which tells the supplicant the response and allows or disallows network access.

The supplicant initiates communications with the authenticator by alerting the access device that it supports 802.1X. The authenticator recognizes that the supplicant is prepared to transmit credential information and establishes communication with the authentication server using the RADIUS protocol on the back-end network. (While there are alternatives to RADIUS on the back end, it has rapidly become the de facto protocol for authentication servers.)

Supplicant credentials are tunneled from the client to the authentication server by the authenticator. Prior to authentication, end-user device communication is restricted to authentication-related traffic.

The RADIUS server maintains information about valid users and computers in authenticating supplicants using any of several protocols, the most prominent of which is EAP. This transport protocol supports a variety of one- and two-factor authentication mechanisms.

The authentication server can use valid MAC addresses and/or user credentials, which are used to validate the supplicant. Often, user credentials are not stored on the authentication server. A RADIUS server functions as a central authentication point and can use a proxy authentication method to validate credentials against external sources, such as Microsoft domain servers, Active Directory, NDS or PKI certification authorities. This approach simplifies the deployment of the technology since existing authentication databases, directories and certificate authorities can be maintained without the need to replicate or store new user credentials on the RADIUS server.

The authentication server can return to the authenticator a basic reply message granting network access or, using 802.1X option attributes, direct the authenticator to assign the end-user device to a particular VLAN.

Authentication servers receive credentials from the supplicant by proxy. When higher-level authentication is desired, the supplicant uses 802.1X EAP encapsulation to pass credentials through the authenticator. EAP is flexible and can use a number of authentication methods, including challenge response, biometric, SecureID and PKI. The desired EAP method must be implemented in both the supplicant software and the RADIUS authentication server.

WLAN AuthenticationBecause communication is contained within the cabling connecting an end-user device to the LAN, wired network authentication is significantly less complex than its wireless counterpart. Wireless communications are broadcast openly and can be made private only through cryptographic means, complicating the authentication process.

WLANs use encryption throughout their communications, first to protect credentials and later to protect data communications. 802.1X, EAP and RADIUS are combined in today's WLANs, standardized by IEEE 802.11i and certified by the Wi-Fi Alliance as WPA or WPA2. To learn more about the intricacies of WPA2, see "The ABCs of WPA2 Security," at nwc.com/showArticle.jhtml?articleID=177103376.

The most common authentication methods used in support of 802.1X on a WLAN are the EAP methods: EAP-PEAP, EAP-TLS and EAP-TTLS. EAP-PEAP is a draft IETF standard created by Microsoft and Cisco Systems, and it is the most popular of the EAP methods because of its native support within the latest Microsoft operating systems. EAP-TTLS is also a draft IETF standard and was created by Funk Software (now Juniper Networks). EAP-TLS is the most robust of the three, has been standardized and remains a mandatory component for WPA2 certification. EAP-TLS isn't used as much as its counterparts because it requires PKI certificates for the authentication of both the clients and the authentication server.

All three methods use PKI certificates to establish a tunnel for transmitting credentials. EAP-PEAP and EAP-TTLS support server-side certificates (on the authentication server) and user name-password credentials (on the supplicant). EAP-TLS alternatively uses PKI certificates on both the authentication server and each supplicant.

WLAN infrastructure is often configured to use wireless VLANs--enabling a single access point to advertise and support multiple WLANs over the airwaves in the form of ESSIDs (Extended Service Set IDs)--unique names for wireless LANs. The access point tentatively accepts connections from potential WLAN users and forwards the user's credentials and wireless VLAN information to the authentication server. In most enterprise WLAN systems, the authentication server can instruct the access point to assign the user to a particular wireless VLAN and its associated wired VLAN.WLANs' support of 802.1X is required for both WPA/ WPA2 personal and enterprise certified devices, and it is an integral part of the 802.11i security standard. The Wi-Fi Alliance announced last year its support for multiple EAP methods as part of its interoperability certification. This will ensure authentication is consistent across multivendor WLAN implementations. WPA2 has been instrumental in ensuring that cross-vendor implementations interoperate. The Wi-Fi Alliance's work makes sure any device with WPA2-certified markings can be expected to successfully negotiate authentication credentials with requisite WLAN infrastructure. The Wi-Fi Alliance has also made WPA2 certification mandatory for Wi-Fi device certification.

Surveying the Field

Newbury Networks' WiFi Watchdog lets network administrators apply a building's physical structure to a wireless network. With WiFi Watchdog, for instance, administrators use location servers, access points and floor plans to develop a physical profile of the WLAN environment (known as an RF fingerprint). When client devices attempt to establish a connection to the network via the WLAN, their location is determined by the location server, which instructs multiple nearby access points to take received signal strength measurements of the specific client communications. The location server aggregates the readings and places the client within a specific location on the floor plan. A security policy is applied by the administrator to the floor plan, which lets the location server (along with the authentication server) enforce rules regarding where specific categories of users may connect. This capability lets the administrator implement policies that disallow access to the network from outside the building or that restrict guest access to certain areas of the building. This is important for organizations like the federal government or hospitals that require certain areas of a building to be wireless "dead zones."

Future developments in the 802.1X space are likely to be focused around improved device integrity. The leaders in this space are Cisco, with its Network Admission Control framework; Microsoft, which is planning to release Network Access Protection as part of its upcoming "Longhorn" client OS; and the Trusted Computing Group's Trusted Network Connect.

Cornell W. Robinson III is an associate and wireless security consultant for Booz Allen Hamilton and a Network Computing contributor. He previously was an adjunct professor at Syracuse University and a manager at the Center for Emerging Network Technologies. Write to him at [email protected].0