IEEE 802.1X

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802[1][2] which is known as "EAP over LAN" or EAPOL.[3] EAPOL was originally designed for IEEE 802.3 Ethernet in 802.1X-2001, but was clarified to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless and Fiber Distributed Data Interface (ISO 9314-2) in 802.1X-2004.[4] The EAPOL protocol was also modified for use with IEEE 802.1AE (“MACsec”) and IEEE 802.1AR (Secure Device Identity, DevID) in 802.1X-2010[5][6] to support service identification and optional point to point encryption over the local LAN segment.

Contents

Overview

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN - though the term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.[7]

Protocol operation

EAPOL operates at the network layer on top of the data link layer, and in Ethernet II framing protocol has an EtherType value of 0x888E.

Port entities

802.1X-2001 defines two logical port entities for an authenticated port the "controlled port" and the "uncontrolled port". The controlled port is manipulated by the 802.1X PAE (Port Access Entity) to allow (in the authorized state) or prevent (in the unauthorized state) network traffic ingressing and egressing to/from the controlled port. The uncontrolled port is used by the 802.1X PAE to transmit and receive EAPOL frames.

802.1X-2004 defines the equivalent port entities for the supplicant; so a supplicant implementing 802.1X-2004 may prevent higher level protocols being used if it is not content that authentication has successfully completed. This is particularly useful when an EAP method providing Mutual Authentication is used, as the supplicant can prevent data leakage when connected to an unauthorized network.

Typical authentication progression

  1. Initialization On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is dropped.
  2. Initiation To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.
  3. Negotiation (Technically EAP negotiation) The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (The type of EAP based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can NAK the requested EAP Method and respond with the EAP Methods it is willing to perform, or start the requested EAP Method.
  4. Authentication If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet), or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed, if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator, the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.

Implementations

Authenticators

Supplicants

Windows XP, Windows Vista, and Windows 7 support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack (SP4) for wired connections. Windows Mobile 2003 and later operating systems also come with a native 802.1X client.

An open source project known as Open1X produces a client, Xsupplicant. This client currently is available for both Linux and Windows. The main drawbacks of the Open1X client are that it does not provide comprehensible and extensive user documentation and the fact that most Linux vendors do not provide a package for it. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types.[8]

Mac OS X has offered native support since 10.3. The iPhone and iPod Touch support 802.1X as of the release of iOS 2.0.[9]

Avenda Systems provides a supplicant for Windows, Linux, and MAC OS X. They also have a plugin for the Microsoft NAP framework.[10] Avenda also offers health checking agents as well.

Windows

Windows defaults to not responding to 802.1X authentication requests for 20 minutes after a failed authentication. This can cause significant disruption to clients. The block period can be configured using the BlockTime value in the registry. A hotfix is required for Windows XP SP3 and Windows Vista SP2 to make the period configurable.[11]

Wildcard server certificates are not supported by EAPHost, the Windows component that provides EAP support in the operating system.[12] The implication of this is that when using a commercial certification authority, individual certificates must be purchased.

Windows XP

Windows XP has major issues with its handling of IP address changes that result from user-based 802.1X authentication that changes the VLAN and thus subnet of clients.[13] Microsoft has stated that it will not back port the SSO feature from Vista that resolves these issues.[14]

If users are not logging in with roaming profiles, a hotfix must be downloaded and installed if authenticating via PEAP with PEAP-MSCHAPv2.[15]

Windows Vista

Windows Vista based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed in to the wrong VLAN. A hotfix is available to correct this.[16]

Windows 7

Windows 7 based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed in to the wrong VLAN. A hotfix is available to correct this.[17]

Windows 7 does not respond to 802.1X authentication requests after initial 802.1X authentication fails. This can cause significant disruption to clients. A hotfix is available to correct this.[18]

Windows PE

For most enterprises deploying and rolling out operating systems remotely it is worth noting that Windows PE does not natively have any support for 802.1X. However, support can be added to WinPE 2.1[19] and WinPE 3.0[20] through hotfixes that are available from Microsoft. Although full documentation is not yet available, preliminary documentation for the use of these hotfixes is available via a Microsoft blog.[21]

Federations

eduroam (the international roaming service), mandates the use of 802.1X authentication when providing network access to guests visiting from other eduroam enabled institutions.[22]

BT (British Telecom, PLC) Employs Identity Federation for authentication in services delivered to a wide variety of industries and governments. [23]

Vulnerabilities in 802.1X-2001 and 802.1X-2004

Shared media

In the summer of 2005, Microsoft's Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol, involving a man in the middle attack. In summary, the flaw stems from the fact that 802.1X authenticates only at the beginning of the connection, but that after authentication, it's possible for an attacker to use the authenticated port if he has the ability to physically insert himself (perhaps using a workgroup hub) between the authenticated computer and the port. Riley suggests that for wired networks the use of IPsec or a combination of IPsec and 802.1X would be more secure.[24]

EAPOL-Logoff frames transmitted by the 802.1X supplicant are sent in the clear and contain no data derived from the credential exchange that initially authenticated the client.[25] They are therefore trivially easy to spoof on shared media, and can be used as part of a targeted DoS on both wired and wireless LANs. In an EAPOL-Logoff attack a malicious third party with access to the medium the authenticator is attached to, repeatedly sends forged EAPOL-Logoff frames from the target device's MAC Address. The authenticator (believing that the targeted device wishes to end its authentication session) closes the target's authentication session, blocking traffic ingressing from the target, denying it access to the network.

The 802.1X-2010 specification, which began as 802.1af, addresses vulnerabilities in previous 802.1X specifications, by using MACSec IEEE 802.1AE to encrypt data between logical ports (running on top of a physical port) and IEEE 802.1AR (Secure Device Identity / DevID) authenticated devices.[5][6][26][27]

As a stopgap until these enhancements are widely implemented, some vendors have extended the 802.1X-2001 and 802.1X-2004 protocol, allowing multiple concurrent authentication sessions to occur on a single port. Whilst this prevents traffic from devices with unauthenticated MAC-Addresses ingressing on an 802.1X authenticated port, it will not stop a malicious device snooping on traffic from an authenticated device and provides no protection against MAC spoofing, or EAPOL-Logoff attacks.

See also

References

  1. ^ RFC 3748, § 3.3
  2. ^ RFC 3748, § 7.12
  3. ^ IEEE 802.1X-2001, § 7
  4. ^ IEEE 802.1X-2004, § 3.2.2
  5. ^ a b IEEE 802.1X-2010, page iv
  6. ^ a b IEEE 802.1X-2010, § 5
  7. ^ "802.1X Port-Based Authentication Concepts". http://www.wireless-nets.com/resources/downloads/802.1x_C2.html. Retrieved 2008-07-30. 
  8. ^ "eap_testing.txt from wpa_supplicant". http://hostap.epitest.fi/cgi-bin/viewcvs.cgi/*checkout*/hostap/wpa_supplicant/eap_testing.txt. Retrieved 2010-02-10. 
  9. ^ "Apple — iPhone — Enterprise". http://www.apple.com/iphone/enterprise/. Retrieved 2008-07-31. 
  10. ^ "NAP clients for Linux and Macintosh are available". 2008-Dec-16. http://blogs.technet.com/b/nap/archive/2008/12/16/nap-clients-for-linux-and-macintosh-are-available.aspx. 
  11. ^ "A Windows XP-based, Windows Vista-based, or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication". Support.microsoft.com. 2009-09-17. http://support.microsoft.com/kb/957931. Retrieved 2010-03-23. 
  12. ^ "EAPHost in Windows Vista and Longhorn (January 18, 2006)". Technet.microsoft.com. 2007-01-18. http://technet.microsoft.com/en-gb/cc730460.aspx. Retrieved 2010-03-24. 
  13. ^ "Problems when obtaining Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller". Support.microsoft.com. 2007-09-14. http://support.microsoft.com/?kbid=935638. Retrieved 2010-02-10. 
  14. ^ "802.1X with dynamic VLAN switching — Problems with Roaming Profiles". Forums.technet.microsoft.com. http://forums.technet.microsoft.com/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/. Retrieved 2010-02-10. 
  15. ^ "A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1X authentication when you use PEAP with PEAP-MSCHAPv2 in a domain". Support.microsoft.com. 2009-04-23. http://support.microsoft.com/kb/969111. Retrieved 2010-03-23. 
  16. ^ "A computer that is connected to an IEEE 802.1X authenticated network through a VOIP phone does not connect to the correct network after you resume it from Hibernate mode or Sleep mode". Support.microsoft.com. 2010-02-08. http://support.microsoft.com/kb/976373. Retrieved 2010-03-23. 
  17. ^ "A computer that is connected to an IEEE 802.1X authenticated network through a VOIP phone does not connect to the correct network after you resume it from Hibernate mode or Sleep mode". Support.microsoft.com. 2010-02-08. http://support.microsoft.com/kb/976373. Retrieved 2010-03-23. 
  18. ^ "Windows 7 or Windows Server 2008 R2 does not respond to 802.1X authentication requests after the authentication fails". Support.microsoft.com. 2010-03-08. http://support.microsoft.com/kb/980295. Retrieved 2010-03-23. 
  19. ^ "Windows PE 2.1 does not support the IEEE 802.1X authentication protocol". Support.microsoft.com. 2009-12-08. http://support.microsoft.com/kb/975483. Retrieved 2010-02-10. 
  20. ^ "The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0". Support.microsoft.com. 2009-12-08. http://support.microsoft.com/kb/972831. Retrieved 2010-02-10. 
  21. ^ "Adding Support for 802.1X to WinPE". Blogs.technet.com. 2010-03-02. http://blogs.technet.com/deploymentguys/archive/2010/03/02/adding-support-for-802-1x-to-winpe.aspx. Retrieved 2010-03-03. 
  22. ^ "Eduroam — About". http://www.eduroam.org/index.php?p=about. Retrieved 2009-11-29. 
  23. ^ "BT Identity and Access Management". http://www.ca.com/files/SuccessStories/bt_ss_165270.pdf. Retrieved 2010-08-17. 
  24. ^ "Steve Riley's article on the 802.1X vulnerabilities". Microsoft.com. 2005-08-09. http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx. Retrieved 2010-02-10. 
  25. ^ IEEE 802.1X-2001, § 7.1
  26. ^ "2 February 2010 Early Consideration Approvals". Standards.ieee.org. http://standards.ieee.org/board/rev/110early.html. Retrieved 2010-02-10. 
  27. ^ "IEEE 802.1: 802.1X-2010 - Revision of 802.1X-2004". Ieee802.org. 2010-01-21. http://www.ieee802.org/1/pages/802.1x-2010.html. Retrieved 2010-02-10. 

External links