- 802.1X provides authentication of devices connected to a wireless access point or wired network switch port. It uses EAP (Extensible Authentication Protocol) for authentication.
- EAP sits inside PPP and provides a generalized framework for different authentication methods, allowing compatibility across methods. It transports authentication information between a supplicant and authentication server.
- 802.1X defines the encapsulation of EAP within EAPOL frames to allow communication between the supplicant and authenticator at layer 2. The authenticator passes EAP packets to a backend RADIUS server for authentication.
2. • 802.1x works at Layer 2 to authenticate and
authorize devices on wireless access points.
3. IEEE 802.1x
• It is used for certain closed wireless access
points.
4. 802.1x Authentication
• A wireless node must be authenticated before it can gain access to other LAN
resources
5. 802.1x Authentication
• It does assume a point-to-point model.
• PPP can therefore serve this point-to-point model.
6. What is PPP and what does it have to do with wireless
security?
• Most people are familiar with PPP, the point-to-point protocol.
It’s most commonly used for dial-up Internet access.
• PPP is also used by some ISPs for DSL and cable modem
authentication, in the form of PPPoE (PPP over Ethernet).
7. What is PPP and what does it have to do with wireless
security?
• By any measure, PPP is a very successful protocol.
• In practice, PPP has gone far beyond its original use as a dial-up
access method as it's now used all over the Internet.
8. What is PPP and what does it have to do with wireless
security?
• Although PPP has many parts that make it useful in different
networking environments, the part that we care about in this
demonstration is the authentication piece.
9. What is PPP and what does it have to do with wireless
security?
• Before anything at Layer 3 (like IP) is established, PPP goes
through an authentication phase at Layer 2.
• With dial-up Internet access, that’s the username and
password.
10. What is PPP and what does it have to do with wireless
security?
• PPP authentication is used to identify the user at the other
end of the PPP line before giving them access.
• By authenticating at layer 2, you are independent of the
upper-layer protocol (such as IP).
11. What is PPP and what does it have to do with wireless
security?
• And you can make decisions on how to handle layer 3
protocols, such as IP, based on the authentication
information.
• For example, depending on what authentication information
you provide, you might get a particular IP address.
13. 802.1x Terminology
• 802.1x does introduce some terminology that we need to get
used to.
• An authenticator authenticates whatever connects to it.
It does this via the authentication server.
• The supplicant is what is being authenticated. See the
following diagram if that's unclear.
15. 802.1x Terminology
• The Port Access Entity (PAE) is what executes the
algorithms and follows the protocol(s).
• Each of the three items above has a PAE, but the
PAE software does different things on each of
the three.
16. How did EAP get into the picture?
• As PPP use grew, people quickly found its limitations,
both in flexibility and in level of security, in the
authentication methods, such as PAP.
17. How did EAP get into the picture?
• Most corporate networks want to do more than simple
usernames and passwords for secure access.
• So a new authentication protocol, called the Extensible
Authentication Protocol (EAP) was designed.
19. EAP
• Extensible Authentication Protocol is a universal
authentication framework frequently used in
wireless networks and Point-to-Point connections.
• It is defined by RFC 3748.
20. EAP and WPA
• The WPA and WPA2 standards have officially adopted five
EAP types as their official authentication mechanisms.
21. EAP and WPA
• EAP is a way for a supplicant to authenticate,
usually against a back-end RADIUS server.
• EAP comes from the dial access world and PPP.
22. EAP and WPA
• There is an RFC for how RADIUS should support
EAP between authenticator and authentication
server, RFC 3579.
• EAP was first defined in the IETF RFC 2284.
23. EAP and WPA
• The EAP TLS variant is defined in RFC 2716.
• The following figure shows the EAP format.
• Note that when 802.1x is the transport, all this fits into the
802.1x payload field, with EAPOL packet type set to 0
(EAP packet).
29. EAP format
• The code field indicates the type of EAP packet as
follows:
(1) Request, (2) Response,
(3) Success, (4) Failure
30. EAP format
• The ID is one byte for matching requests and responses.
• Length is the byte count including the code, ID, length and
data fields.
• The data field format varies depending on the code field.
31. EAP format
• Codes 3 and 4, Success and Failure, are easy to
describe: they have no data field (0 bytes).
• Codes 1 and 2 share a format. It boils down to a type
code (one byte) then the data for that type.
32. EAP format
• Here's what that makes the EAP packet look like:
33. EAP format
• The original RFC defines several types of EAP
authentication. They are:
1 Identity
2 Notification
3 Nak (response only)
4 MD5-Challenge
5 One-Time Password (OTP) (RFC 1938)
6 Generic Token Card
13 TLS (RFC 2716 adds TLS)
34. EAP format
• The RFCs contain some great diagrams showing the
sequence of messages for the above EAP variants.
35. EAP format
• The IEEE 802.1x standard goes through all this for
EAP-OTP in a couple of different scenarios
(supplicant initiated exchange, authenticator initiated,
etc.).
36. How did EAP get into the picture?
• EAP sits inside PPP’s authentication protocol.
• It provides a generalized framework for all sorts of
authentication methods.
37. EAP Message
• Exactly one EAP packet is encapsulated in the
Information field of a PPP Data Link Layer frame,
forming a PPP EAP message.
• The PPP protocol field then indicates type hex C227 (PPP
EAP).
38. How did EAP get into the picture?
• By pulling EAP out into a separate protocol, it
then has the option of re-use in other environments - like
802.1X.
39. How did EAP get into the picture?
• EAP is supposed to head off proprietary
authentication systems and let everything from passwords to
challenge-response tokens and PKI certificates work
smoothly.
40. How did EAP get into the picture?
• With a standardized EAP, interoperability and compatibility
across authentication methods becomes simpler.
41. How did EAP get into the picture?
• Only the client and the authentication server have to be
coordinated.
• By supporting EAP authentication, a RAS server (in wireless
this is the AP) gets out of the business of actively participating in
the authentication dialog ...
42. How did EAP get into the picture?
• For example, when you dial a remote access server (RAS)
and use EAP as part of your PPP connection, the RAS
doesn’t need to know any of the details about your
authentication system.
43. How did EAP get into the picture?
• ... and just re-packages EAP packets to hand off to a
RADIUS server to make the actual authentication decision.
45. How 802.1x Works
• The 802.1x access control works on unaggregated
physical ports at OSI Layer 2. It allows or denies
access.
• The access control it exerts can govern bidirectional
or inbound traffic.
46. How 802.1x Works
• On LAN media, 802.1x needs some way to
communicate between the Supplicant and the
Authenticator. This happens directly at Layer 2.
• The protocol used is EAPOL, which stands for EAP
encapsulation over LANs.
47. How 802.1x Works
• EAP is a separate protocol (or family of protocols)
for authentication.
• Let's take a look at the EAPOL frame format. It is
shown in the following figure:
49. The EAPOL frame format
• The packet type is as follows:
0 EAP Packet
1 EAPOL Start
2 EAPOL Logoff
3 EAPOL Key
4 EAPOL Encapsulated Alert
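The following is an added example, not code from the deck, that ties together the three encapsulations described above: the EAP packet layout (slides 29-33: code, ID, length, then a type byte for Request/Response), the PPP transport with protocol field hex C227 (slide 37), and the EAPOL frame that carries the same EAP packet on a LAN with packet type 0 (slide 49). The sample EAP-Response/Identity for user "alice", the identifier 7 and the function names are all constructed for the example; the field layouts, code values and protocol numbers are the ones the slides and the RFCs state. The parsers reject length fields that disagree with the buffer, which is the check a monitoring tool wants before trusting anything inside the frame.

```python
import struct

# EAP codes (RFC 2284 / RFC 3748), one byte each
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP type codes from the original RFC, plus TLS (added by RFC 2716)
EAP_TYPE_NAMES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
                  5: "OTP", 6: "Generic Token Card", 13: "TLS"}

# EAPOL packet types (IEEE 802.1X) and the two transports' protocol numbers
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ALERT = 0, 1, 2, 3, 4
EAPOL_TYPE_NAMES = {0: "EAP Packet", 1: "EAPOL Start", 2: "EAPOL Logoff",
                    3: "EAPOL Key", 4: "EAPOL Encapsulated Alert"}
EAPOL_ETHERTYPE = 0x888E     # Ethernet type that carries EAPOL frames
PPP_EAP_PROTOCOL = 0xC227    # PPP Protocol field value for PPP EAP


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].

    Success and Failure carry no Data field; Request and Response start their
    Data field with a one-byte Type code followed by that type's data.
    """
    if code in (EAP_SUCCESS, EAP_FAILURE):
        data = b""
    elif code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_type is None:
            raise ValueError("Request/Response need an EAP type")
        data = struct.pack("!B", eap_type) + type_data
    else:
        raise ValueError("unknown EAP code %d" % code)
    # Length counts the Code, Identifier, Length and Data fields together
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap(buf):
    """Parse one EAP packet; reject a Length field that disagrees with the buffer."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length %d inconsistent with %d bytes" % (length, len(buf)))
    pkt = {"code": code, "code_name": EAP_CODE_NAMES.get(code, "unknown"),
           "id": identifier, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = buf[4]
        pkt["type_name"] = EAP_TYPE_NAMES.get(buf[4], "unknown")
        pkt["type_data"] = buf[5:length]
    return pkt


def is_valid_eap(buf):
    """Predicate form of parse_eap, convenient for filtering captured frames."""
    try:
        parse_eap(buf)
        return True
    except ValueError:
        return False


def build_eapol(packet_type, body=b"", version=1):
    """EAPOL frame: Protocol Version(1) Packet Type(1) Packet Body Length(2) Body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def parse_eapol(frame):
    """Parse an EAPOL frame; for packet type 0 also parse the EAP packet inside."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length %d exceeds frame" % body_len)
    result = {"version": version, "packet_type": packet_type,
              "type_name": EAPOL_TYPE_NAMES.get(packet_type, "unknown"), "body": body}
    if packet_type == EAPOL_EAP:
        result["eap"] = parse_eap(body)
    return result


def build_ppp_eap(eap_packet):
    """PPP transport: Protocol field 0xC227 followed by exactly one EAP packet."""
    return struct.pack("!H", PPP_EAP_PROTOCOL) + eap_packet


def parse_ppp_eap(info):
    """Inverse of build_ppp_eap: check the Protocol field, then parse the EAP packet."""
    (proto,) = struct.unpack("!H", info[:2])
    if proto != PPP_EAP_PROTOCOL:
        raise ValueError("PPP Protocol 0x%04X is not PPP EAP" % proto)
    return parse_eap(info[2:])


if __name__ == "__main__":
    # Constructed sample: an EAP-Response/Identity (id 7) for user "alice",
    # carried once over EAPOL (802.1X) and once over PPP.
    identity = build_eap(EAP_RESPONSE, 7, 1, b"alice")
    print(parse_eapol(build_eapol(EAPOL_EAP, identity)))
    print(parse_ppp_eap(build_ppp_eap(identity)))
    print(parse_eapol(build_eapol(EAPOL_START)))
```

The same ten EAP bytes come back unchanged from both transports, which is the whole point the deck makes about EAP being reusable outside PPP: only the outer header (PPP protocol field or EAPOL version/type/length) changes.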
50. The EAPOL frame format
• The key packet type is used for EAP variants that
allow an encryption key.
• The packet body is then a Key Descriptor, with
specified fields. We'll skip the details.
51. The EAPOL frame format
• The Alert EAP packet type allows for things (like
SNMP) to be sent through a port where the
authentication resulted in an unauthorized state.
52. The EAPOL frame format
• The standard notes that use in a shared environment
is highly insecure unless the supplicant to
authenticator traffic is a secure association, i.e.
encrypted.
53. The EAPOL frame format
• The authenticator then uses a standard protocol,
usually RADIUS, to relay information to and from
the authentication server.
54. The EAPOL frame format
• The following figure shows how the protocol works.
• It basically provides a L2 wrapper to transport EAP
information between supplicant and authenticator.
56. The EAPOL frame format
• Note that the EAPOL-Start message is only used
if the supplicant initiates the exchange.
• The authenticator can notice link status has changed,
and just jump right in with the EAP exchange.
57. The EAPOL frame format
• It may seem a little silly, having a big diagram with
only a couple of arrows in it. I hope that this
emphasizes the key point here.
58. The EAPOL frame format
• The double arrow goes further since we'll see that the
authenticator re-encapsulates the EAP information,
typically within RADIUS, and passes it through to
the authentication server.
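An added example, not from the deck, of the re-encapsulation step that slides 53 and 58 describe and that RFC 3579 (slide 22) specifies: the authenticator copies the EAP packet it received over EAPOL into EAP-Message attributes (type 79, split at 253 bytes and reassembled in order) of a RADIUS Access-Request and adds a Message-Authenticator attribute (type 80), an HMAC-MD5 keyed with the RADIUS shared secret over the whole packet with that attribute's value zeroed. The server side verifies the HMAC before trusting the EAP contents, which is what keeps a relayed EAP exchange from being altered between authenticator and authentication server. The EAP bytes (an EAP-Response/Identity for "alice"), the shared secret, the fixed Request Authenticator and the function names are constructed for this example; the attribute numbers and the HMAC rule are the ones RFC 3579 defines.

```python
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79            # carries EAP packet bytes (RFC 3579)
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the RADIUS packet (RFC 3579)
MAX_ATTR_VALUE = 253             # attribute Length is one byte and counts its 2-byte header
RADIUS_HEADER_LEN = 20           # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _attributes(packet):
    """Yield (type, value, value_offset) for every attribute after the header."""
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("attribute header truncated")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def wrap_eap_in_access_request(eap_packet, shared_secret, identifier,
                               user_name=None, request_authenticator=None):
    """Authenticator side: relay an EAP packet to the server in an Access-Request.

    The EAP bytes go into one or more EAP-Message attributes, in order, and
    Message-Authenticator is HMAC-MD5 over the packet computed with its own
    16-byte value zeroed, keyed with the RADIUS shared secret.
    """
    if request_authenticator is None:
        request_authenticator = os.urandom(16)   # fresh per request in real use
    attrs = b""
    if user_name is not None:
        attrs += _attr(ATTR_USER_NAME, user_name)
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier,
                         RADIUS_HEADER_LEN + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # the placeholder is the last 16 bytes


def verify_and_extract_eap(packet, shared_secret):
    """Server side: check Message-Authenticator, then reassemble the EAP packet.

    Returns (authentic, eap_bytes). Only Access-Request is handled: the HMAC is
    computed over the packet as received, Request Authenticator in place.
    """
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    eap_parts, mac_offset, received_mac = [], None, None
    for attr_type, value, offset in _attributes(packet):
        if attr_type == ATTR_EAP_MESSAGE:
            eap_parts.append(value)
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16 or mac_offset is not None:
                raise ValueError("malformed Message-Authenticator")
            mac_offset, received_mac = offset, value
    if mac_offset is None:
        # RFC 3579 requires Message-Authenticator whenever EAP-Message is present
        return False, b"".join(eap_parts)
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received_mac), b"".join(eap_parts)


if __name__ == "__main__":
    # Constructed sample: EAP-Response/Identity (id 7, "alice") as the EAPOL
    # payload, relayed with a constructed secret and a fixed Request Authenticator.
    EAP = b"\x02\x07\x00\x0a\x01alice"
    SECRET = b"testing123"
    req = wrap_eap_in_access_request(EAP, SECRET, 42, user_name=b"alice",
                                     request_authenticator=bytes(range(16)))
    print(req.hex())
    print(verify_and_extract_eap(req, SECRET))
    tampered = bytearray(req)
    tampered[30] ^= 1   # flip a bit inside the EAP-Message value
    print(verify_and_extract_eap(bytes(tampered), SECRET))
```

A server that receives EAP-Message without a Message-Authenticator, or with one that fails the check, should discard the request rather than feed the EAP bytes to its authentication method; the verify function returns False for both cases so the caller can do exactly that.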
59. IEEE 802.1
• IEEE 802.1 is a working group of the IEEE 802 project of
the IEEE. It is concerned with:
• 802 LAN/MAN architecture
• internetworking among 802 LANs, MANs and other wide area networks,
• 802 Link Security (This is not wireless),
• 802 overall network management, and
• protocol layers above the MAC & LLC layers.
60. What Is 802.1x?
• IEEE 802.1x is an IEEE standard for port-based Network Access
Control; it is part of the IEEE 802.1 group of protocols.
• It provides authentication to devices attached to a LAN port,
establishing a point-to-point connection or preventing access from
that port if authentication fails.
61. What Is 802.1x?
• The standard 802.1x is an IEEE standard for Port-
Based Network Access Control.
63. What Is 802.1x?
• From the introduction to the 802.1x standard
document, with some omissions:
64. What Is 802.1x?
• "Port-based network access control makes use of
the physical access characteristics of IEEE 802
LAN infrastructures in order to provide a means of
authenticating and authorizing devices attached to
a LAN port [...],
65. What Is 802.1x?
• and of preventing access to that port in cases in
which the authentication and authorization process
fails. [...]
66. What Is 802.1x?
• Examples of ports in which the use of
authentication can be desirable include
the Ports of MAC Bridges, [...] ,
• and associations between stations and access
points in IEEE 802.11 Wireless LANs."
67. What Is 802.1x?
• That is, 802.1x and EAPOL just exist as a way to
transport EAP information between Supplicant
and Authenticator.
71. How This All Works
• This fills in the big EAP arrow in the above diagram
to show the full sequence of messages.
• The following figure shows my version of the
sequence of messages for EAP-OTP (One Time
Password).
75. EAP
• Although the EAP protocol is not limited to wireless
LANs and can be used for wired LAN
authentication, it is most often used in wireless
LANs.
77. WPA
• EAP is an authentication framework, not a specific
authentication mechanism. It only defines message
formats.
78. WPA
• The EAP provides some common functions and a
negotiation of the desired authentication mechanism.
• Such mechanisms are called EAP authentication
methods.
79. WPA
• Each protocol that uses EAP defines a way to
encapsulate that protocol's messages within the EAP
messages.
• In the case of 802.1x, this encapsulation is called
EAPOL, "EAP over LANs".
80. Level 3: Medium to large Enterprise WLAN security
• EAP-TLS could be the recommended authentication
method for this security level.
• EAP-TLS has the same digital certificate requirements
on the server side and the client side.
81. Level 3: Medium to large Enterprise WLAN security
• To implement EAP-TLS, not only does the server
require a Digital Certificate but the users as well.
82. Level 3: Medium to large Enterprise WLAN security
• This means you will need a Certificate Authority to
issue a proper Server Digital Certificate on a pair
of dedicated RADIUS servers and not just a Self
Signed Certificate on a makeshift RADIUS Server.
83. Level 3: Medium to large Enterprise WLAN security
• For this security level, the proper PKI best practices
should be followed.
• There should be at least one dedicated PKI Root
Certificate Authority, but preferably a 2 or 3 tier
PKI design.
84. Level 3: Medium to large Enterprise WLAN security
• A two tier chain for a medium Enterprise
organization would have an offline Root Certificate
Authority and an online Issuing Certificate
Authority.
85. Level 3: Medium to large Enterprise WLAN security
• The reason for this is that if a Certificate Authority
is ever compromised, you can revoke it and create a
new one ...
• ... from the higher offline Certificate Authorities
without having to start your PKI deployment from
scratch.
86. Level 3: Medium to large Enterprise WLAN security
• Building a PKI from scratch because of a
compromised Certificate Authority would be
completely unacceptable in a large scale environment.
87. Level 3: Medium to large Enterprise WLAN security
• A large Enterprise should implement the three tier
design with offline Root Certificate Authority,
offline subordinate Certificate Authority, and online
Issuing Certificate Authority.
88. Level 3: Medium to large Enterprise WLAN security
• Methods defined in IETF RFCs include:
• EAP-MD5,
• EAP-OTP,
• EAP-GTC,
• EAP-TLS or EAP-TTLS,
• EAP-IKEv2,
• EAP-SIM,
• EAP-AKA
89. Level 3: Medium to large Enterprise WLAN security
• Some commonly used methods capable of operating
in wireless networks include:
• EAP-TLS,
• EAP-TTLS
• Requirements for EAP methods used in wireless
LAN authentication are described in RFC 4017.