When devices on your corporate LANs need to connect to other devices, they need a standard method for identifying each other to ensure they are communicating with the device they want to, and that's what 802.1x does.
What is 802.1x authentication?
Whether you are connecting to your LAN or WAN, you require an authentication mechanism to get connected. This mechanism is provided by the IEEE standard known as 802.1x.
802.1x is a standard for PORT-BASED network access control, and it provides authentication for secure access to networks.
All forms of authentication ensure that something which interfaces with the network system is actually what it claims to be. 802.1x is no exception. There are many variants of it, e.g., 802.11, 802.11b, 802.11g, 802.11n etc. Whenever you want to gain access to a network using any of these, it acts as a protocol that verifies that you are who you say you are. It works for both wireless and wired devices.
If your organisation is dealing with highly-valuable and sensitive information, then you can depend upon 802.1x as a secure method of transporting your data over the network. It is used so that your devices can communicate securely with access points (or enterprise-grade routers). It is being used almost everywhere.
802.1X is often referred to as WPA2-Enterprise.
What are the key components of 802.1x Authentication?
1. Client-End User/Supplicant
All devices, wired or wireless, need software installed on them when they attempt to connect to an 802.1x network. This software is called the supplicant. Its primary purpose is to 'initiate' the connection by engaging in Extensible Authentication Protocol (EAP) communication with the controller or switch. The supplicant collects the credentials of the end-user in a form that matches the 802.1x standard. Thankfully, the vast majority of device manufacturers have built-in support for 802.1x.
2. An Authenticator
An authenticator is a device on the network, usually an access point or switch, that creates the data links to connect the client and the network. It allows or blocks network traffic as it flows between the client and the network. Your wireless access point and an Ethernet switch are examples of authenticators.
3. An Authentication Server
This is the most critical piece of this structure. An authentication server, usually a RADIUS server, is the one that receives all client requests asking for access to the network and responds to them. Its purpose is to tell the authenticator, your access point or switch, whether it should allow the connection or reject it. The authentication server also provides the settings that are used to interact with the client's connections.
IMPORTANT:
Authentication servers tend to run software that supports the Remote Authentication Dial-In User Service (RADIUS) and EAP protocols. The authentication server can also run within the authenticator hardware. In a wired Ethernet LAN, EAPoL (EAP over LAN) is used to transport EAP packets between the supplicant and the authenticator over the LAN. Before authentication, the identity of the endpoint is unknown and all traffic is blocked except EAPoL. Once the user credentials are successfully verified, other user traffic is permitted.
The RADIUS server checks a user's credentials to see whether they are an active member of your organization. If they are, then depending on the network policies, it grants your network users varying levels of access to your network. This allows unique credentials or certificates to be used per user, eliminating the dependence on a single network password that can be easily stolen. The RADIUS server is able to do this by communicating with your organization's directory, typically over the LDAP or SAML protocol.
Your home network is different from an 802.1x network, because it does not use an authentication server, i.e., a RADIUS server. The Pre-Shared Key network security most often used at home is referred to as WPA2-Personal. WPA2-Personal is not sufficient for any organization dealing with sensitive information and can put your organization at serious risk of cyber-crime.
How does 802.1X Authentication happen?
The 802.1X authentication process consists of four steps:
1. Initialization
The Initialization step starts when the authenticator (read, your switch, access-point, controller) detects a new device and attempts to establish a connection. The authenticator port is set to an “unauthorized” state, meaning that only 802.1x traffic will be accepted and every other connection will be dropped.
2. Initiation
The authenticator starts transmitting EAP-Request/Identity frames to the new device. These frames convey a request to identify the device trying to connect. They are sent to a Layer 2 address on your LAN or VLAN. (Layer 2 is the data link layer, such as Point-to-Point Protocol (PPP), and it controls how data moves through the physical connections in your network.)
The new device then sends an EAP-Response/Identity back to the authenticator. This response usually contains a way to identify the new device. The authenticator receives the EAP response and relays it to the authentication server in a RADIUS Access-Request packet.
3. Negotiation
Once the authentication server receives the request packet, it responds with a RADIUS Access-Challenge packet containing the 'approved' EAP authentication method for the device. The authenticator then passes the challenge packet on to the device to be authenticated.
4. Authentication
Once there is agreement between the supplicant and the authentication server in the above phase, EAP requests and responses are exchanged between the authentication server and the supplicant, and the authentication server replies with either a success or a failure message.
If the authentication process succeeds, the authenticator designates the port as "authorized" and the new device is connected to the 802.1X network. The "authorized" state enables normal traffic to pass through.
If the process does not succeed, the port remains in the "unauthorized" state. This results in all non-EAP traffic being blocked.
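The four steps above, including the EAPoL-only filtering on an unauthorized port, modelled as a small added simulation (constructed for this article, not code from the original post or any vendor). The authenticator's controlled port relays EAP and opens only on EAP-Success; the user table, the names and the EAP method label are assumptions.

```python
from dataclasses import dataclass

EAPOL = "EAPOL"  # EAP over LAN: the only traffic a closed port lets through


@dataclass
class Frame:
    ethertype: str  # "EAPOL" or ordinary traffic such as "IPv4"


class AuthServer:
    """Stand-in for the RADIUS server; the user table is constructed for this example."""
    def __init__(self, users):
        self.users = users

    def access_request(self, identity):
        # Negotiation: Access-Challenge names the EAP method the server approves
        if identity in self.users:
            return "Access-Challenge", "EAP-MD5"  # method label is illustrative only
        return "Access-Reject", None

    def verify(self, identity, secret):
        return "EAP-Success" if self.users.get(identity) == secret else "EAP-Failure"


class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def eap_response_identity(self):
        return self.identity

    def eap_response(self, method):
        return self.secret  # a real supplicant answers per the agreed EAP method


class Authenticator:
    """Switch/AP port logic: relays EAP and filters traffic by port state."""
    def __init__(self, server):
        self.server = server
        self.port_state = "unauthorized"

    def forward(self, frame):
        """Controlled-port filter: drop everything but EAPOL until authorized."""
        return self.port_state == "authorized" or frame.ethertype == EAPOL

    def authenticate(self, supplicant):
        self.port_state = "unauthorized"                        # 1. Initialization
        identity = supplicant.eap_response_identity()            # 2. Initiation
        verdict, method = self.server.access_request(identity)   # RADIUS Access-Request
        if verdict == "Access-Challenge":                        # 3. Negotiation
            answer = supplicant.eap_response(method)             # challenge relayed to client
            if self.server.verify(identity, answer) == "EAP-Success":  # 4. Authentication
                self.port_state = "authorized"
        return self.port_state


def run(identity, secret):
    """Returns (port state, IPv4 forwarded before auth, IPv4 forwarded after auth)."""
    auth = Authenticator(AuthServer({"alice": "s3cret"}))  # constructed user table
    before = auth.forward(Frame("IPv4"))
    state = auth.authenticate(Supplicant(identity, secret))
    return state, before, auth.forward(Frame("IPv4"))
```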
What is the security of 802.1x?
EAP, the standard authentication protocol, provides the secure METHOD for sending the 'identifying' information about the user over the air for network authentication. 802.1X is the standard used for passing EAP over 'wired' and 'wireless' LANs. Thus, 802.1x provides an encrypted EAP tunnel that prevents outside users from intercepting information.
Kindly note that you can configure the EAP protocol for credential-based (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital-certificate-based (EAP-TLS) authentication, and it is a highly secure method for protecting the authentication process. You will often find network admins relying on EAP-TLS and/or PEAP-MSCHAPv2.
Q. Are IEEE 802.1x and Wi-Fi the same?
Well, the 802.1x standard was first designed for 'wired' Ethernet networks.
Then came a slightly modified version, the 802.11x standard. It has a trademark name, 'Wi-Fi.'
That's why, you might be seeing networking professionals using the term '802.1x' for both wired and wireless networks, especially if they are using WPA2-Enterprise security.
As far as security is concerned, you can say that if used correctly, then 802.1x is a gold standard of network authentication security. It ensures that no over-the-air credential thefts happen because of attacks such as Man-in-the-Middle or Evil-Twin. I have already pointed out that it is far more secure than Pre-Shared Key networks, which are typically used in personal networks.
First, you need to recognize that you cannot expect your end-users to configure it themselves. The configuration process requires high-level IT knowledge to understand, and if one step is incorrect, they will be left vulnerable to credential theft. That's why you should use dedicated 802.1X onboarding software instead.
Second, your company needs to make a clear choice whether it wants to use credential-based authentication or certificate-based authentication. I would recommend you opt for certificate-based EAP-TLS, because it significantly reduces your organization's risk of credential theft and it is the MOST secure way to use 802.1x. Not only does it stop credentials from being sent over the air where they can be easily stolen, but it forces users to go through an enrollment/onboarding process that ensures their devices are configured correctly.
Third, 802.1x is encrypted.
802.1x WPA is generally reserved for personal networks, such as your home Wi-Fi, and runs on RC4-based TKIP (Temporal Key Integrity Protocol) encryption. It’s less secure than WPA2, but usually sufficient for home use. 802.1x WPA2 could still utilize TKIP, but it generally chooses AES (Advanced Encryption Standard), which is the most secure standard available.
The strongest WPA2-Enterprise standard is EAP-TLS. It relies on the asymmetrical cryptography of digital certificates for authentication, which renders it immune to over-the-air attacks. Even if a hacker intercepts the traffic, they will only harvest one half of the public-private key pair – which is useless without the other half. That's why you should use it in your company.
Since you have a RADIUS server at the backend, 802.1x offers you excellent 'Accounting' features too. Your RADIUS server records the information of all devices that authenticate to your 802.1X network, along with the session duration. After all, RADIUS servers are often referred to as AAA (Authentication, Authorization, Accounting) servers.
A Side Note:
Some client devices, such as wireless printers, don't have the capability to act as an 802.1X supplicant, but you might want to allow them access to your 802.1X-secured network anyway. Some network equipment vendors allow you to do this by means of what's called MAC Authentication Bypass (MAB). With MAB, your authentication server can authenticate a client device by means of its MAC address rather than via the EAPOL authentication process outlined above.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
Life is short, so make the most of it!
Also take care of yourself and your beloved ones…
_____
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and social media platforms.
34,000+ professionals are following her on Facebook and are mesmerized by the quality of content of her posts there.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, you can follow her on Facebook: Cybersecurity PRISM