User Authentication with 802.1X

What is your name?

What is your quest?

What is your favorite color?

The Bridgekeeper

Monty Python and the Holy Grail

Security is a common thread linking many of the wireless LAN stories in the news throughout the past several years, and polls repeatedly show that network managers consider security to be a significant obstacle to wider deployment of wireless LANs. Many of the security problems that have prevented stronger acceptance of 802.11 are caused by flaws in the design of static WEP.

Static, manually keyed WEP attempts to be too many solutions to multiple problems. It was intended to be used both for authentication, by restricting access to those in possession of a key, and for confidentiality, by encrypting data as it traversed wireless links. In the final analysis, it does neither particularly well. Both authentication and confidentiality are important issues for wireless LANs, and both have been the subject of a great deal of technology development since the first edition of this book.

This chapter takes on the problem of authentication, which is provided at the link layer through the use of 802.1X. 802.1X has matured a great deal since the first edition of this book, and is increasingly the authentication protocol of choice on wireless LANs. Static WEP authenticates machines in possession of a cryptographic key. 802.1X allows network administrators to authenticate users rather than machines and, when combined with an EAP method that provides mutual authentication, lets users verify that they are connecting to a legitimate, authorized network rather than a credential-stealing impostor network.

One of my personal yardsticks for the maturity of a specification is the existence of an open source implementation. Open source software frequently serves a valuable role by keeping proprietary implementations honest, and providing a low-cost reality check for users. In the 802.1X world, the xsupplicant and wpa_supplicant projects have taken on this role.

Identifying users instead of machines can lead to more effective network architecture. Rather than grouping users by function and applying security controls to the physical ports in a physical location, the identity of the user and any access rights can be integrated into the network switch fabric, and follow users around the network. Wireless LANs are often the first use of identity-based policy enforcement. It is not uncommon for companies to use the capability on wireless networks, and then find it so useful that it is later integrated into the wired network. No matter where or how users attach to the network, policy follows them around.

One of the complexities in dealing with 802.1X is that it is a framework. 802.1X itself defines port-based network access control and a way to carry the IETF's Extensible Authentication Protocol (EAP) in LAN frames; EAP was originally specified in RFC 2284 and updated by RFC 3748. EAP is in turn a framework protocol. Rather than specifying how to authenticate users, EAP allows protocol designers to build their own EAP methods, subprotocols that perform the authentication transaction. EAP methods have different goals, and therefore authenticate users in many different ways, depending on the requirements of a particular situation. Before a detailed discussion of how the different methods work, though, a detailed understanding of how EAP works is necessary.
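To make the framework idea concrete, here is an added example (not code from the book, nor from xsupplicant or wpa_supplicant) that decodes and builds the packets a supplicant sees before any EAP method runs: the EAPOL header that 802.1X wraps around EAP, the EAP header from RFC 3748, the Identity request/response, and the Nak with which a supplicant refuses a method it will not use. The method list in SUPPORTED_METHODS, the identity string, and the sample frames are all constructed for illustration.

```python
"""EAP over LAN (EAPOL) framing for the 802.1X Identity exchange and EAP
method negotiation. Field layouts follow IEEE 802.1X (EAPOL header) and
RFC 3748 (EAP header); every frame below is constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_VERSION = 1
EAPOL_EAP_PACKET = 0                  # EAPOL Packet Type that carries an EAP packet
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK = 1, 3
EAP_TYPE_MD5 = 4                      # legacy method, no mutual authentication
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25

# Assumed supplicant policy (not from the book): methods this station will run.
SUPPORTED_METHODS = {EAP_TYPE_TLS, EAP_TYPE_PEAP}


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]           # None for Success and Failure
    type_data: bytes


def parse_eapol(frame: bytes) -> EapPacket:
    """Strip the EAPOL header and decode the EAP packet inside it.
    Anything malformed raises ValueError instead of being guessed at."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if packet_type != EAPOL_EAP_PACKET:
        raise ValueError(f"EAPOL packet type {packet_type} does not carry EAP")
    body = frame[4:4 + body_len]
    if len(body) != body_len or body_len < 4:
        raise ValueError("EAPOL body length does not match frame")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    # RFC 3748: octets past the EAP Length are link-layer padding and are ignored.
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length outside EAPOL body")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, identifier, None, b"")
    if code not in (EAP_REQUEST, EAP_RESPONSE) or eap_len < 5:
        raise ValueError("unknown EAP code or missing Type octet")
    return EapPacket(code, identifier, body[4], body[5:eap_len])


def build_eapol(code: int, identifier: int,
                eap_type: Optional[int] = None, type_data: bytes = b"") -> bytes:
    """Encode an EAP packet (Type and Type-Data only for Request/Response)
    and wrap it in an EAPOL EAP-Packet header."""
    payload = b"" if eap_type is None else bytes([eap_type]) + type_data
    eap = struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def supplicant_reply(frame: bytes, identity: str) -> Optional[bytes]:
    """React to one authenticator packet the way a supplicant does before any
    method runs: answer Identity, refuse an unsupported method with a Nak that
    lists acceptable ones, and fall silent on Success/Failure."""
    pkt = parse_eapol(frame)
    if pkt.code != EAP_REQUEST:
        return None                   # Success, Failure, or a stray Response
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        return build_eapol(EAP_RESPONSE, pkt.identifier,
                           EAP_TYPE_IDENTITY, identity.encode())
    if pkt.eap_type not in SUPPORTED_METHODS:
        # Nak Type-Data is the list of method types the peer is willing to use.
        return build_eapol(EAP_RESPONSE, pkt.identifier,
                           EAP_TYPE_NAK, bytes(sorted(SUPPORTED_METHODS)))
    # A supported method: from here the method's own state machine (e.g. the
    # TLS handshake) produces the Response; not implemented in this sketch.
    raise NotImplementedError(f"hand off to EAP method {pkt.eap_type}")


# Constructed sample frames "from the authenticator": an Identity request
# (EAPOL v1, EAP-Packet, length 5 / EAP Request, id 1, length 5, Type Identity),
# then an attempt to start MD5-Challenge (Type 4) with a 16-octet challenge.
IDENTITY_REQUEST = bytes.fromhex("01000005" "01010005" "01")
MD5_REQUEST = build_eapol(EAP_REQUEST, 2, EAP_TYPE_MD5, b"\x10" + bytes(range(16)))

if __name__ == "__main__":
    for req in (IDENTITY_REQUEST, MD5_REQUEST):
        resp = supplicant_reply(req, "alice@example.com")   # constructed identity
        print(parse_eapol(req), "->", parse_eapol(resp))
```

Two things worth noticing in this exchange. The Identity response and the Nak are sent before any method has authenticated either side, so both are readable and forgeable by anyone within radio range; tunneled methods exist precisely so that the real user name travels only inside a protected tunnel. And because the authenticator proposes the method, the supplicant's own policy (SUPPORTED_METHODS here) is the only thing stopping a rogue network from steering it down to a weak method such as MD5-Challenge.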

802.11 Wireless Networks: The Definitive Guide, Second Edition
ISBN: 0596100523
Year: 2003
Pages: 179
Authors: Matthew Gast
