IEEE 802.1X

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Ruleke (talk | contribs) at 10:58, 23 November 2009 (→‎Shortcomings). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) ("port" meaning a single point of attachment to the LAN infrastructure). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN, either establishing a point-to-point connection or preventing it if authentication fails. It is used for most wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP).

Overview

A wireless node must be authenticated before it can gain access to other LAN resources

802.1X requires a public key infrastructure (PKI) and a Remote Authentication Dial-In User Service (RADIUS) infrastructure. 802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator, and an authentication server. The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS database. The authenticator acts like a security guard to a protected network. The supplicant (i.e., the client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity is authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal. With 802.1X port-based authentication, the supplicant provides credentials, such as a username/password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network.[1]

Upon detection of a new client (supplicant), the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the network layer (Layer 3). The authenticator sends an EAP-Request/Identity to the supplicant, and the supplicant replies with an EAP-Response packet, which the authenticator forwards to the authentication server. If the authentication server accepts the request, the authenticator sets the port to the "authorized" state and normal traffic is allowed. When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator. The authenticator then sets the port back to the "unauthorized" state, once again blocking all non-EAP traffic.

Implementations

Wireless Access Points

Wi-Fi access point vendors now use 802.11i, which implements 802.1X for wireless access points, to address the security vulnerabilities found in WEP. The authenticator role is either performed by the access point itself via a pre-shared key (referred to as WPA2-PSK) or, for larger enterprises, by a third-party entity, such as a RADIUS server. This provides for client-only authentication or, more appropriately, strong mutual authentication using protocols such as EAP-TLS.

Software

Windows XP and Windows Vista support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack. Windows Mobile 2003 and later operating systems also come with a native 802.1X client. Windows XP has major issues with an IP address change (dynamic VLAN) as the result of a user's 802.1X validation,[2] and Microsoft will not backport the SSO feature from Vista, which avoids these issues.[3]

An open source project known as Open1X produces a client, Xsupplicant. This client is currently available for both Linux and Windows. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types.[4]

Mac OS X has offered native support since 10.3. The iPhone and iPod Touch support 802.1X as of the release of iPhone OS 2.0.[5]

Previous vulnerabilities

In the summer of 2005, Microsoft's Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol, involving a man-in-the-middle attack. In summary, the flaw lies in the fact that 802.1X authenticates only at the beginning of the connection; after authentication, it is possible for an attacker to use the authenticated port if he has the ability to physically insert himself (perhaps using a workgroup hub) between the authenticated computer and the port. Riley then suggests that for wired networks, using IPsec or a combination of IPsec and 802.1X would be more secure.[6]

This attack can be dealt with by using multi-auth mode authentication, which most vendors' switches support. In this mode, each client that connects to the port, including those behind a switch, a hub or even a virtual machine running on an authorized client, has to authenticate to the switch individually. This effectively secures the network against the hub-insertion scenario described above.
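The port state machine from the Overview (unauthorized, EAP-Request/Identity, EAP-Response, server verdict, authorized, EAPOL-Logoff) and the single-host versus multi-auth distinction above, as an added example that is not part of the original article. The EAPOL and EAP constants and header layouts are the real ones from 802.1X and RFC 3748; the RADIUS verdict is modelled by a constructed set of accepted identities, and the MAC addresses and the `AuthenticatorPort` class are assumptions of this example.

```python
import struct

# Real constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP).
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def eapol(ptype, body=b""):
    """EAPOL PDU: version(1) type(1) length(2) body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) identifier(1) length(2) [type(1) data]."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

class AuthenticatorPort:
    """Switch port: mode='single' authorizes the whole port; 'multi' authorizes per MAC."""
    def __init__(self, mode, accepted_identities):
        self.mode = mode
        self.accepted = accepted_identities  # constructed stand-in for the RADIUS verdict
        self.authorized = set()               # {"*"} in single mode, MACs in multi mode

    def _key(self, mac):
        return "*" if self.mode == "single" else mac

    def handle_eapol(self, mac, pdu):
        """Process one EAPOL frame from `mac`; return the frame sent back, if any."""
        _ver, ptype, length = struct.unpack("!BBH", pdu[:4])
        body = pdu[4:4 + length]
        if ptype == EAPOL_START:           # new supplicant detected: ask who it is
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        if ptype == EAPOL_LOGOFF:          # supplicant logged off: back to "unauthorized"
            self.authorized.discard(self._key(mac))
            return None
        if ptype == EAPOL_EAP_PACKET:
            code, ident, elen = struct.unpack("!BBH", body[:4])
            if code == EAP_RESPONSE and body[4] == EAP_TYPE_IDENTITY:
                identity = body[5:elen].decode()
                # A real authenticator forwards this to RADIUS and relays further EAP rounds.
                if identity in self.accepted:
                    self.authorized.add(self._key(mac))
                    return eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS, ident))
                return eapol(EAPOL_EAP_PACKET, eap(EAP_FAILURE, ident))
        return None

    def forwards(self, mac, ethertype):
        """Port filter: only EAPOL passes until the port (or this MAC) is authorized."""
        return ethertype == ETHERTYPE_EAPOL or self._key(mac) in self.authorized
```

In single-host mode a second MAC seen on the port after one success is forwarded without authenticating, which is the condition Riley's article describes; in multi-auth mode it stays blocked until it completes its own exchange.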

Shortcomings

For most enterprises deploying and rolling out operating systems remotely, it is worth noting that Windows PE does not have any support for 802.1X. Intel does, however, support an 802.1X client through Intel vPro and AMT at the hardware layer, which is able to authenticate at boot.

References

  1. "802.1X Port-Based Authentication Concepts". Retrieved 2008-07-30.
  2. "Problems when obtaining Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller". Microsoft.
  3. "802.1X with dynamic VLAN switching - Problems with Roaming Profiles".
  4. eap_testing.txt from wpa_supplicant.
  5. "Apple - iPhone - Enterprise". Retrieved 2008-07-31.
  6. Steve Riley's article on the 802.1X vulnerabilities.