User Authentication with 802.1X

What is your name?

What is your quest?

What is your favorite color?

The Bridgekeeper

Monty Python and the Holy Grail

Security is a common thread linking many of the wireless LAN stories in the news throughout the past several years, and polls repeatedly show that network managers consider security to be a significant obstacle to wider deployment of wireless LANs. Many of the security problems that have prevented stronger acceptance of 802.11 are caused by flaws in the design of static WEP.

Manual WEP attempts to be too many solutions to multiple problems. It was intended to be used both for authentication, by restricting access to those in possession of a key, and confidentiality, by encrypting data as it traversed wireless links. In the final analysis, it does neither particularly well. Both authentication and confidentiality are important issues for wireless LANs, and the subject of a great deal of technology development since the first edition of this book.

This chapter takes on the problem of authentication, which is provided at the link layer through the use of 802.1X. 802.1X has matured a great deal since the first edition of this book, and is increasingly the authentication protocol of choice on wireless LANs. Static WEP authenticates machines in possession of a cryptographic key. 802.1X allows network administrators to authenticate users rather than machines, and can be used to ensure that users connect to legitimate, authorized networks rather than credential-stealing impostor networks.

One of my personal yardsticks for the maturity of a specification is the existence of an open source implementation. Open source software frequently serves a valuable role by keeping proprietary implementations honest, and providing a low-cost reality check for users. In the 802.1X world, the xsupplicant and wpa_supplicant projects have taken on this role.

Identifying users instead of machines can lead to more effective network architecture. Rather than grouping users by function and applying security controls to the physical ports in a physical location, the identity of the user and any access rights can be integrated into the network switch fabric, and follow users around the network. Wireless LANs are often the first use of identity-based policy enforcement. It is not uncommon for companies to use the capability on wireless networks, and then find it so useful that it is later integrated into the wired network. No matter where or how users attach to the network, policy follows them around.

One of the complexities in dealing with 802.1X is that it is a framework. It is an IEEE adaptation of the IETF's Extensible Authentication Protocol (EAP), originally specified in RFC 2284 and updated by RFC 3748. EAP is a framework protocol: rather than specifying how to authenticate users, it lets protocol designers build their own EAP methods, subprotocols that carry out the authentication transaction. Because EAP methods have different goals, they authenticate users in many different ways, depending on the requirements of a particular situation. Before a detailed discussion of how the different methods work, though, an understanding of how EAP itself works is necessary.
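To make the "framework" point concrete, here is an added example (not code from the book or from any supplicant project) that parses the fixed EAP header defined in RFC 3748 and shows where the extensibility lives: the one-byte Type field in Request and Response packets selects the method, and the parser only has to know the header to route a packet to the right method handler. The sample packets are constructed for this example, and the method name table is a small subset of the IANA EAP method registry chosen for illustration.

```python
"""Minimal EAP (RFC 3748) packet parser showing the method dispatch point.

Added example, not code from the book. The header layout (Code, Identifier,
Length, then Type for Request/Response) is from RFC 3748 section 4; the
method names are a subset of the IANA EAP method type registry.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Code values (RFC 3748 section 4).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# A few registered EAP method Types. This table is the extension point:
# a new method is a new Type value plus a handler for its Type-Data.
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Legacy Nak",      # peer proposes the methods it would accept instead
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    254: "Expanded Type",
}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]      # None for Success and Failure (header only)
    type_data: bytes

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"Unknown({self.code})")

    @property
    def method_name(self) -> Optional[str]:
        if self.type is None:
            return None
        return EAP_TYPES.get(self.type, f"Unassigned({self.type})")


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet; raise ValueError on malformed input.

    Header: Code(1) Identifier(1) Length(2, big-endian, counts the whole
    packet). Request/Response add Type(1) followed by method-specific
    Type-Data. A parser that trusts Length without checking it against
    the buffer is the classic way to read past the end of the packet.
    """
    if len(buf) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(buf):
        raise ValueError(f"Length {length} inconsistent with {len(buf)}-byte buffer")
    body = buf[4:length]            # bytes beyond Length are padding and ignored
    if code in (3, 4):              # Success/Failure carry no Type
        return EapPacket(code, ident, length, None, b"")
    if not body:
        raise ValueError("Request/Response without Type byte")
    return EapPacket(code, ident, length, body[0], body[1:])


def summarize(buf: bytes) -> str:
    """One-line description, the kind of thing a log line would carry."""
    p = parse_eap(buf)
    if p.type is None:
        return f"{p.code_name} id={p.identifier}"
    return f"{p.code_name}/{p.method_name} id={p.identifier} type_data={p.type_data.hex()}"


# Constructed sample packets (hex), not captured traffic.
REQUEST_IDENTITY = bytes.fromhex("0101000501")            # authenticator asks who you are
RESPONSE_IDENTITY = bytes.fromhex("0201000a01") + b"alice" # peer answers "alice"
NAK_WANT_TLS = bytes.fromhex("02020006030d")               # peer: "not that method, try EAP-TLS"
SUCCESS = bytes.fromhex("03010004")
BAD_LENGTH = bytes.fromhex("0201002001")                   # claims 32 bytes, has 5

if __name__ == "__main__":
    for pkt in (REQUEST_IDENTITY, RESPONSE_IDENTITY, NAK_WANT_TLS, SUCCESS):
        print(summarize(pkt))
    try:
        parse_eap(BAD_LENGTH)
    except ValueError as e:
        print("rejected:", e)
```

The Legacy Nak packet is worth noticing: it is how a peer declines a method the authenticator offered and proposes others, so method negotiation itself rides on the same Type mechanism rather than on anything special in the EAP header.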
