When devics on enterprise LANs need to connect to other devices, they need a standard method for identifying each other to ensure they are communicating with the device they want to, and that’s what 802.1x does. This article tells where it came from and how it works.
IEEE 802.1X is a standard that defines how to provide authentication for devices that connect with other devices on local area networks (LANs).
It provides a mechanism by which network switches and access points can hand off authentication duties to a specialized authentication server, like a RADIUS server, so that device authentication on a network can be managed and updated centrally, rather than distributed across multiple pieces of networking hardware.
Although the standard’s name might remind you of the IEEE 802.11 standards that make up Wi-Fi, 802.1X dates from the old day of all-wired networking and today is used to secure both wired and wireless networks. Because the protocol relies on a centralized authentication server, it’s generally found in the world of enterprise LANs rather than small home networks.
PPP, EAP, and EAPOL
Old-school internet users remember point-to-point protocol (PPP) as how they got online in the days of dialup modems, although the protocol also had use as a tunneling method over DSL and as part of some VPNs. One piece of PPP defined a username/password-based authentication mechanism. This was fine for home users, but enterprises generally required something more robust.
Extensible authentication protocol (EAP) was designed to meet those needs. EAP sat inside of PPP’s authentication protocol and provided a generalized framework for several different authentication methods. EAP was supposed to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and public-key infrastructure certificates all work smoothly with PPP.
With standardized EAP, interoperability and compatibility of authentication methods became simpler. For example, when you dialed into a remote-access server (RAS) that used EAP for security, the RAS didn’t need to know any of the details about the authentication system; it just had to coordinate things between you and the authentication server. By supporting EAP authentication, the RAS server got out of the business of acting as middleman. It just packaged and repackaged EAP packets to hand off to a RADIUS server (or some other server supported by EAP), which did the actual authentication.
This brings us to IEEE 802.1X, which includes a standard called EAP encapsulation over LANs (EAPOL). As the name implies, this is a standard for passing EAP over a wired or wireless local area network. With 802.1X, you package EAP messages in Ethernet frames and don’t use PPP at all. It’s authentication and nothing more. 802.1X is still widely used today, while PPP is largely obsolete. You can also use 802.1X with protocols other than TCP/IP.
How 802.1X authentication works
To understand 802.1x, you need to understand three terms:
- Supplicant: The user or client that wants to be authenticated
- Authentication server: The actual server doing the authentication, typically a RADIUS server
- Authenticator: The device in between the supplicant and the authentication server, such as a wireless access point
One of the key benefits of 802.1X is that the authenticator can be simple and dumb—the brains only have to be in the supplicant and the authentication server. This makes 802.1X ideal for wireless access points, which typically have little by way of memory and processing power.
EAPOL is defined for Ethernet-like LANs, including 802.11 wireless, as well as token ring LANs such as FDDI. EAPOL is not particularly sophisticated. There are a number of modes of operation, but the most common authentication sequence would look something like this:
- The authenticator sends an “EAP-Request/Identity” packet to the supplicant as soon as it detects that the link is active (e.g., as the supplicant system associates with the access point).
- The supplicant sends an “EAP-Response/Identity” packet to the authenticator, which passes it on to the authentication (RADIUS) server.
- The authentication server sends back a challenge to the authenticator, such as with a token password system. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant. Different authentication methods will vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication; only strong mutual authentication is considered appropriate for wireless networks.
- The supplicant responds to the challenge via the authenticator, which passes the response on to the authentication server.
- If the supplicant provides proper identity, the authentication server responds with a success message, which is passed to the supplicant. The authenticator now allows access to the LAN, though this can be restricted, based on attributes that come back from the authentication server. For example, the authenticator might switch the supplicant to a particular virtual LAN or invoke a set of firewall rules.
802.1X and wireless security
The Wired Equivalent Privacy (WEP) protocol was the security protocol widely used in the early days of Wi-Fi, but it was badly broken from the beginning and was never well regarded by enterprise security and networking pros.
In response to the WEP fiasco, many wireless LAN vendors latched onto IEEE 802.1X standard to patch up the holes. For example, one of the biggest problems with WEP was the long life of the cryptographic keys it used, which were shared among many users and were well known. With 802.1X, each station could have a unique WEP key for every session. The authenticator (the wireless access point, in this case) could also choose to change the WEP key frequently, such as once every 10 minutes or every 1,000 frames. If you see 802.1X on a list of encryption types available for your wireless network, that’s probably referring to legacy support for this type of arrangement.
However, WEP has long been abandoned by the industry, and today almost all networking equipment uses Wi-Fi Protected Access, or WPA, with WPA3 being the latest version. It includes WPA3-Personal, which provides more individualized encryption, and WPA3-Enterprise, which boosts cryptographic strength for networks transmitting sensitive data.
A major improvement with WPA3-Enterprise is the requirement that the client must ensure it is actually communicating with the authentication server, not a rogue server, before sending its login credentials. In WPA2-Enteprise, that verification was optional.
MAB for bypassing 802.1X
One final note: some client devices, such as wireless printers, don’t have the capability of acting as an 802.1X supplicant, but you might want to allow them access to your 802.1X-secured network anyway. Some network equipment vendors allow you to do this by means of what’s called MAC authentication by pass (MAB). With MAB, your authentication server can authenticate a client device by means of its MAC address rather than via the EAPOL authentication process outlined above.
There are two important things to keep in mind. One is that MAB is not a standard; it’s implemented differently by different networking vendors, and some vendors don’t support it at all. The other is that a device that accesses your network via MAB is bypassing important layers of security. So make to limit as much as possible the access that such devices have to networks and services.