Authentication with the IEEE 802.1X Standard
The IEEE 802.1X standard defines port-based network access control, used to provide authenticated network access for Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.
Elements of 802.1X
IEEE 802.1X defines the following terms, as described in the following sections:
- Port access entity
- Authentication server
Figure 2-5 shows these components for a wireless LAN network.
Figure 2-5. The components of IEEE 802.1X authentication.
- Port access entity
A LAN port, also known as port access entity (PAE), is the logical entity that supports the IEEE 802.1X protocol that is associated with a port. A PAE can adopt the role of the authenticator, the supplicant, or both.
An authenticator is a LAN port that enforces authentication before allowing access to services accessible using that port. For wireless connections, the authenticator is the logical LAN port on a wireless AP through which wireless clients in infrastructure mode gain access to other wireless clients and the wired network.
The supplicant is a LAN port that requests access to services accessible using the authenticator. For wireless connections, the supplicant is the logical LAN port on a wireless LAN network adapter that requests access to the other wireless clients and the wired network by associating with and then authenticating itself to an authenticator.
Whether for wireless connections or wired Ethernet connections, the supplicant and authenticator are connected by a logical or physical point-to-point LAN segment.
- Authentication server
To verify the credentials of the supplicant, the authenticator uses an authentication server, which checks the credentials of the supplicant on behalf of the authenticator and then responds to the authenticator, indicating whether or not the supplicant is authorized to access the authenticator’s services. The authentication server can be the following:
A component of the access point. In this case, the AP must be configured with the sets of user credentials corresponding to the supplicants that will be attempting to connect (this arrangement is typically not implemented for wireless APs).
A separate entity. In this case, the AP forwards the credentials of the connection attempt to a separate authentication server. Typically, a wireless AP uses the Remote Authentication Dial-In User Service (RADIUS) protocol to send a connection request message to a RADIUS server.
Controlled and Uncontrolled Ports
The authenticator’s port-based access control defines the following different types of logical ports that access the wired LAN via a single physical LAN port:
- Uncontrolled Port
The uncontrolled port allows an uncontrolled exchange between the authenticator (the wireless AP) and other networking devices on the wired network—regardless of any wireless client’s authorization state. Frames sent by the wireless client are never sent using the uncontrolled port.
- Controlled Port
The controlled port allows data to be sent between a wireless client and the wired network only if the wireless client is authorized by 802.1X. Before authentication, the controlled port behaves like an open switch: no frames are forwarded between the wireless client and the wired network. When the wireless client is successfully authenticated using IEEE 802.1X, the switch is closed, and frames can be sent between the wireless client and nodes on the wired network.
The different types of ports are shown in Figure 2-6.
Figure 2-6. Controlled and uncontrolled ports for IEEE 802.1X.
On an authenticating Ethernet switch, the wired Ethernet client can send Ethernet frames to the wired network as soon as authentication is complete. The switch identifies the traffic of a specific wired Ethernet client using the physical port to which the Ethernet client is connected. Typically, only a single Ethernet client is connected to a physical port on the Ethernet switch.
Because multiple wireless clients contend for access to the same channel and send data using the same channel, an extension to the basic IEEE 802.1X protocol is required to allow a wireless AP to identify the secured traffic of a particular wireless client. The wireless client and wireless AP do this through the mutual determination of a per-client unicast session key. Only authenticated wireless clients have knowledge of their per-client unicast session key. Without a valid unicast session key tied to a successful authentication, a wireless AP discards the traffic sent from the wireless client.
EAP over LAN
To provide a standard authentication mechanism for IEEE 802.1X, the Extensible Authentication Protocol (EAP) was chosen. EAP is a Point-to-Point Protocol (PPP)-based authentication mechanism that was adapted for use on point-to-point LAN segments. EAP messages are normally sent as the payload of PPP frames. To adapt EAP messages to be sent over Ethernet or wireless LAN segments, the IEEE 802.1X standard defines EAP over LAN (EAPOL), a standard encapsulation method for EAP messages.
802.1X and 802.11 Security Issues
The current solutions provided by the use of 802.1X for the security issues that exist with 802.11 are the following:
- Rogue wireless APs.
The best solution for rogue wireless APs is to support a mutual authentication protocol such as EAP-TLS or PEAP-MS-CHAP v2. With EAP-TLS or PEAP-MS-CHAP v2, the wireless client ensures that the wireless AP is a trusted member of the secure wireless authentication infrastructure.
- No per-user identification and authentication.
The adaptation of IEEE 802.1X for wireless connections and its use of EAP enforce a user-level authentication before allowing wireless frames to be forwarded.
- No mechanism for central authentication, authorization, and accounting.
By using RADIUS in conjunction with IEEE 802.1X, RADIUS servers provide authentication, authorization, and accounting services for wireless connections.
- Some implementations derive WEP keys from passwords, resulting in weak WEP keys.
By using IEEE 802.1X and EAP-TLS as the authentication method, public key certificates, not passwords, are used to perform authentication and derive encryption key material. By using IEEE 802.1X and PEAP-MS-CHAP v2, passwords are used to derive encryption keys; however, the password credential exchange is encrypted within a TLS channel.
For more information about EAP-TLS and PEAP-MS-CHAP v2, see Chapter 5, “EAP.” For more information about public key certificates, see Chapter 6, “Certificates and Public Key Infrastructure.”
- No support for extended authentication methods (for example, token cards, certificates/smart cards, one-time passwords, biometrics, and so on).
IEEE 802.1X uses EAP as its authentication protocol. EAP was designed to be extensible for virtually any type of authentication method. For more information, see Chapter 5.
- No support for key management (for example, rekeying global keys and dynamic per-station or per-session key management).
By using IEEE 802.1X and either the EAP-TLS or PEAP-MS-CHAP v2 authentication method, random unicast session keys are derived for each authentication. Rekeying can be initiated either by the wireless client (by reauthenticating) or by the wireless AP (which changes the encryption keys and sends the new keys to wireless clients using EAPOL messages).
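The controlled and uncontrolled ports described under "Controlled and Uncontrolled Ports", the per-client unicast session key that lets a wireless AP identify a particular client's traffic, and the rekeying described in the last item above can be modelled together. The following Python is an added example, not code from the original chapter: it is a deliberately simplified, hypothetical model of an AP's authenticator PAE in which EAPOL frames always reach the PAE (uncontrolled port), data frames are forwarded only for an authorized client, and each data frame must be tied to that client's current session key. An HMAC over the payload stands in for the real 802.11 encryption and integrity protection; the MAC address, keys and payloads are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E   # EAPOL frames are handled by the uncontrolled port
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes
    tag: bytes = b""   # constructed per-client integrity tag; stands in for the real 802.11 cipher


def protect(key: bytes, payload: bytes) -> bytes:
    """Client side: bind a data frame to the unicast session key (HMAC stands in for TKIP/CCMP)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


@dataclass
class WirelessAuthenticator:
    """Hypothetical model of an AP's authenticator PAE with one controlled port per client."""
    session_keys: dict = field(default_factory=dict)   # mac -> current unicast session key
    forwarded: list = field(default_factory=list)       # frames passed to the wired LAN
    pae_queue: list = field(default_factory=list)       # EAPOL frames handed to the PAE
    dropped: list = field(default_factory=list)

    def authorize(self, mac: str) -> bytes:
        """Outcome of a successful EAP exchange: a fresh random unicast session key."""
        self.session_keys[mac] = os.urandom(16)
        return self.session_keys[mac]

    def rekey(self, mac: str) -> bytes:
        """AP-initiated rekey; in 802.1X the new key is delivered to the client in an EAPOL message."""
        if mac not in self.session_keys:
            raise KeyError("cannot rekey a client that is not authorized")
        return self.authorize(mac)

    def logoff(self, mac: str) -> None:
        """Controlled port returns to the unauthorized state and the key is discarded."""
        self.session_keys.pop(mac, None)

    def receive(self, frame: Frame) -> str:
        if frame.ethertype == ETHERTYPE_EAPOL:
            self.pae_queue.append(frame)      # uncontrolled port: always delivered to the PAE
            return "pae"
        key = self.session_keys.get(frame.src_mac)
        if key is None:
            self.dropped.append(frame)
            return "dropped:unauthorized"     # controlled port is still open
        if not hmac.compare_digest(protect(key, frame.payload), frame.tag):
            self.dropped.append(frame)
            return "dropped:bad-key"          # not tied to this client's current session key
        self.forwarded.append(frame)
        return "forwarded"


def walkthrough() -> list:
    """Constructed scenario exercising every branch; returns the AP's decision for each frame."""
    ap = WirelessAuthenticator()
    client = "02:00:00:00:00:01"
    decisions = []
    # Data before authentication: controlled port open, frame discarded.
    decisions.append(ap.receive(Frame(client, ETHERTYPE_IPV4, b"GET / HTTP/1.1")))
    # EAPOL-Start before authentication: reaches the PAE through the uncontrolled port.
    decisions.append(ap.receive(Frame(client, ETHERTYPE_EAPOL, b"\x01\x01\x00\x00")))
    # After a successful EAP exchange the client holds the unicast session key.
    key = ap.authorize(client)
    decisions.append(ap.receive(Frame(client, ETHERTYPE_IPV4, b"GET / HTTP/1.1",
                                      protect(key, b"GET / HTTP/1.1"))))
    # Same source MAC but no knowledge of the key: the AP cannot tie the frame to the authentication.
    decisions.append(ap.receive(Frame(client, ETHERTYPE_IPV4, b"GET / HTTP/1.1", bytes(32))))
    # AP-initiated rekey: frames protected with the old key are dropped, the new key works.
    new_key = ap.rekey(client)
    decisions.append(ap.receive(Frame(client, ETHERTYPE_IPV4, b"ping", protect(key, b"ping"))))
    decisions.append(ap.receive(Frame(client, ETHERTYPE_IPV4, b"ping", protect(new_key, b"ping"))))
    # EAPOL-Logoff: the controlled port returns to the unauthorized state.
    ap.logoff(client)
    decisions.append(ap.receive(Frame(client, ETHERTYPE_IPV4, b"ping", protect(new_key, b"ping"))))
    return decisions
```

The point of the fourth and fifth frames is the one the chapter makes: on a shared wireless channel the source address alone cannot identify an authorized client, so the AP's forwarding decision is tied to possession of the current per-client session key rather than to the address or the physical port.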