Overview

IEEE 802.1X is a standard protocol for port-based Network Access Control and it provides authentication to devices attached to a LAN port. It establishes a point-to-point connection or prevents access from that port if authentication fails.

It is not only valuable for authenticating and controlling user traffic to a protected network, but also effective for dynamically varying encryption keys. It attaches the Extensible Authentication Protocol (EAP) to both wired and wireless LAN networks, allowing multiple authentication methods such as token cards, one-time passwords, certificates and public key authentication.

IEEE 802.1X addresses IEEE 802.11 security issues like:

  • User Identification & Strong authentication
  • Dynamic key derivation
  • Mutual authentication
  • Per-packet authentication
  • Dictionary attack precautions

The main purpose of IEEE 802.1X is to accommodate:

  • Network Control Right at the Port Level
  • Authentication, Authorization and Accounting
  • Public Network Security
  • Distribution of Dynamic Encryption Keys

The main components of IEEE 802.1X are given below.

  • Supplicant – It is the client that accesses the services of the authenticator’s system. It answers the requests from the authenticator for establishing the supplicant’s identity.
  • Port – It is a device that is attached to LAN through a switch or wireless access point.
  • Authenticator – It requires the supplicant to provide appropriate authentication before allowing the access to the services available. It communicates with the supplicant and passes the information received from the supplicant to a suitable authentication server for the verification of user credentials. Its functions are independent of the authentication method used.
  • Extensible Authentication Protocol (EAP) – It is an authentication tool that carries out the authentication exchange between the supplicant and the authentication server.
  • Extensible Authentication Protocol Over LAN (EAPOL) – It captures the EAP messages for LAN MAC service. It also performs functions like start, logoff, key distribution etc.
  • Remote Access Dial In User Service (RADIUS) Server – It manages the database of users, provides authentication and authorization, and accounting information of the users.

EAP Types

IEEE 802.1X doesn’t provide the actual authentication mechanisms. When utilizing 802.1X, an EAP type must be selected to define how the authentication takes place.

Some of the popular EAP types are given below.

EAP types table

How does IEEE 802.1X operate?

1. The client sends an EAP-start message, and a series of messages is exchanged to authenticate the client.
2. The access point sends an EAP-request identity message.
3. The client sends an EAP-response packet that carries its identity to the authentication server.
4. The authentication server uses a specific authentication algorithm to verify the client’s identity.
5. The authentication server sends either an accept message or a reject message to the access point.
6. The access point sends an EAP-success packet or reject packet to the client.
7. When the authentication server accepts the client, the access point transitions the client’s port to an authorized state and forwards additional traffic.

Wireless network diagram

For multiple Virtual LANs (VLANs), roaming users can be assigned to the same VLAN irrespective of where they connect to the network.

Guest VLAN – Whenever a user tries to connect without an 802.1X client, the user is migrated to a Guest VLAN with limited services.

IEEE 802.1X Authentication in IEEE 802.11 (WLAN with IPV6 Nodes)

IEEE 802.1X authentication occurs after 802.11 association. The client and access point have an Ethernet connection after association. All non-EAPOL traffic from the client is filtered prior to authentication. If authentication is successful, the access point removes the filter. 802.1X messages are sent to the destination MAC address.
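The numbered exchange under "How does IEEE 802.1X operate?" and the pre-authentication filtering of non-EAPOL traffic described above can be traced frame by frame. The following is an added example, not code from the original page: `classify`, `Port` and `walk` are hypothetical names, the MAC addresses and identity are constructed (the classifier ignores addresses), and the RADIUS leg is reduced to a boolean accept/reject.

```python
import struct

ETH_P_PAE = 0x888E                                # EtherType of every EAPOL frame
MACS = bytes.fromhex("0180c2000003020000000001")  # PAE group dst + constructed src
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def eapol(ptype, body=b""):     # EtherType, then version 2, packet type, body length
    return MACS + struct.pack("!HBBH", ETH_P_PAE, 2, ptype, len(body)) + body

def eap(code, ident, data=b""):                   # code, identifier, total length
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def classify(raw):
    """Name a frame: 'data' if it is not EAPOL, else the EAPOL or EAP message."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", raw[12:14])[0] != ETH_P_PAE:
        return "data"
    if len(raw) < 18:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", raw[14:18])
    body = raw[18:18 + length]
    if len(body) < length or (ptype == 0 and length < 4):
        raise ValueError("EAPOL body shorter than declared")
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, "EAPOL-unknown")
    name = "EAP-" + EAP_CODES.get(body[0], "unknown")
    return name + "/Identity" if body[0] in (1, 2) and body[4:5] == b"\x01" else name

class Port:
    """Authenticator's controlled port: drops data until the server accepts."""
    authorized = False

    def from_client(self, raw):  # EAPOL is always handled; data only once authorized
        kind = classify(raw)
        return kind if kind != "data" else ("forward" if self.authorized else "drop")

    def server_decision(self, accept, ident):
        self.authorized = accept
        return eapol(0, eap(3 if accept else 4, ident))   # EAP-Success or EAP-Failure

def walk(accept):
    """Replay the exchange with constructed frames; list what the port saw or did."""
    port, ip = Port(), MACS + b"\x08\x00" + b"constructed IPv4 payload"
    return [port.from_client(ip), port.from_client(eapol(1)),
            classify(eapol(0, eap(1, 7, b"\x01"))),        # identity request
            port.from_client(eapol(0, eap(2, 7, b"\x01user@example.org"))),
            classify(port.server_decision(accept, 7)), port.from_client(ip)]
```

`walk(True)` shows the same IPv4 frame dropped before the exchange and forwarded after EAP-Success; `walk(False)` ends with the port still dropping it.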

It is possible to create an 802.1X authentication environment in an IPv6 environment, based on RADIUS. Many vendors, such as Cisco, HP and Funk, have implemented RADIUS-based Authentication, Authorization and Accounting (AAA) systems in which the authentication server authenticates the mobile station. The mobile station, access point and RADIUS server are IPv6 nodes and use EAP as the authentication method.

The RADIUS server is used to process the IEEE 802.1X access requests of mobile stations to IEEE 802.11. The process flow is given below.

RADIUS server process diagram

The RADIUS server identifies the mobile station by its Network Access Identifier (NAI) and authenticates its credentials. After authentication, it dynamically generates the encryption key for that mobile station and access point and distributes it to both. Messages are encrypted and decrypted using this Wired Equivalent Protocol (WEP) key. Integrity and confidentiality between the mobile station and the access point are accomplished through the WEP encryption and decryption between them.

Benefits of IEEE 802.1X

  • Leverages existing standards EAP and RADIUS
  • Enables interoperable user identification
  • Authentication based on Network Access Identifier and credentials
  • Centralized authentication, authorization, and accounting
  • Scalable through EAP types
  • Dynamic derivation of WEP unicast session keys
  • Renewal of WEP unicast session keys
  • Encryption of all data, using dynamic keys
  • Supports password authentication and One-Time Passwords (OTP)

Comparison table 802.1X & IPsec