
802.1X

Posted on Jul 1, 2024 by

What Is 802.1X?

802.1X is a port-based network access control protocol designed to enhance network security. It provides a framework for authenticating devices attempting to connect to a network, ensuring that only authorized users can access network resources.

Background of 802.1X

In early IEEE 802 LAN protocols, any user with access to a control device within the LAN could reach network resources, posing significant security risks. To address these issues, particularly in wireless LANs (WLANs), the IEEE 802 committee developed the 802.1X protocol to manage network access rights effectively. This protocol prevents unauthorized users from transmitting or receiving data, and due to its versatility, it has also been widely adopted in wired LANs.

Unlike other access control mechanisms, 802.1X enforces user-level access control by managing access ports. It defines two logical port entities for a physical access port: the controlled port and the uncontrolled port, which separate services from authentication. The uncontrolled port handles the transmission of Extensible Authentication Protocol over LAN (EAPoL) frames, ensuring that the client can always send and receive authentication packets. The controlled port transmits service packets when authorized but denies all packets from clients when unauthorized.

In essence, 802.1X authentication determines whether a user's access port can transmit services. Successful authentication authorizes the port, allowing all client packets to pass through. If authentication fails, the port remains unauthorized, permitting only EAPoL frames.
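The split between the two logical ports is easier to see in code. The following Python is an added example, not code from the article: it models one access port whose uncontrolled port always passes EAPoL frames (EtherType 0x888E) and whose controlled port passes service frames only while the port is authorized. Frame layout, the PAE group address and EAPoL-Logoff handling follow IEEE 802.1X; the sample frames are constructed.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                      # EtherType of EAPoL frames (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPoL-Start", 2: "EAPoL-Logoff", 3: "EAPoL-Key"}

class AccessPort:
    """One physical access port split into its two 802.1X logical ports."""

    def __init__(self):
        self.authorized = False               # state of the controlled port

    def handle_frame(self, frame):
        """Decide what the access device does with one inbound client frame."""
        if len(frame) < 14:
            return "drop: runt frame"
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: authentication traffic is accepted in any state
            return "uncontrolled: " + self._eapol(frame[14:])
        if self.authorized:
            return "controlled: forward service frame"
        return "controlled: drop, port unauthorized"

    def _eapol(self, body):
        """Parse the EAPoL header: Version(1) Type(1) Body-Length(2)."""
        if len(body) < 4:
            return "drop malformed EAPoL"
        _version, ptype, _length = struct.unpack("!BBH", body[:4])
        if ptype == 2:                        # EAPoL-Logoff returns the port to unauthorized
            self.authorized = False
        return "forward " + EAPOL_TYPES.get(ptype, "unknown EAPoL type %d" % ptype)

    def authentication_result(self, success):
        """Called when the authentication server's accept/reject decision arrives."""
        self.authorized = success

def frame(ethertype, payload, dst=bytes.fromhex("0180c2000003"), src=bytes(6)):
    """Constructed Ethernet frame; the default dst is the 802.1X PAE group address."""
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed sample frames: an EAPoL-Start, an EAPoL-Logoff and an IPv4 service frame.
EAPOL_START = frame(EAPOL_ETHERTYPE, struct.pack("!BBH", 2, 1, 0))
EAPOL_LOGOFF = frame(EAPOL_ETHERTYPE, struct.pack("!BBH", 2, 2, 0))
IPV4_FRAME = frame(0x0800, bytes(40))
```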

When Is 802.1X Used?

802.1X authentication is typically employed in newly established networks, networks with a large user base, or those with stringent security requirements. The advantages of 802.1X include:

  • Layer 2 Protocol: As a Layer 2 protocol, 802.1X does not require Layer 3 processing, which means it does not impose high performance demands on access devices, thereby reducing network construction costs.

  • Service Security: Ports in an unauthorized state do not exchange service packets with clients, ensuring that services remain secure.

For instance, in an enterprise network, where employees' terminals need secure access to the office network, 802.1X authentication is highly recommended.

However, 802.1X requires client software to be installed on terminals, making it unsuitable for public places like airports and business centers, where user mobility is high, terminal types are varied, and security requirements are relatively low. In such scenarios, Portal authentication is preferred. Additionally, for devices like printers and fax machines that do not support 802.1X client software or username and password input, MAC address authentication is used instead.

How Does 802.1X Work?

802.1X authentication operates using a standard client/server architecture with three main components: the client, access device, and authentication server.

  1. Client: Typically a user terminal that must support the Extensible Authentication Protocol over LAN (EAPoL) and have 802.1X client software installed. The user initiates 802.1X authentication via this software.

  2. Access Device: Usually a network device such as a switch that supports the 802.1X protocol. It provides either a physical or logical port for the client to access the LAN.

  3. Authentication Server: Responsible for authentication, authorization, and accounting (AAA) of users. A Remote Authentication Dial-In User Service (RADIUS) server is commonly used for this purpose.

802.1X Authentication Process

The process involves several steps, detailed as follows:

  1. Authentication Request Initiation: The client initiates an authentication request to the connected access device.

  2. Information Exchange: The access device exchanges information with the client and sends the user's credentials to the authentication server.

  3. Authentication Decision: The authentication server validates the credentials. If successful, the access device authorizes the interface, allowing the user to access the network. If unsuccessful, the access request is denied.

EAP Packet Exchange

The 802.1X system relies on EAP for exchanging authentication information, which can run over various lower layers, including the data link layer and upper-layer protocols such as UDP and TCP. This flexibility is a significant advantage of 802.1X authentication.

  1. Client and Access Device: Exchange EAP packets encapsulated in EAPoL format.

  2. Access Device and Authentication Server: Exchange information either in EAP termination mode or EAP relay mode.

EAP Termination vs. EAP Relay Mode

EAP Termination Mode:

  • The access device parses the EAP packet to extract user authentication information and then encapsulates it into a RADIUS packet for the RADIUS server.

  • Suitable for servers supporting PAP and CHAP authentication.

  • Supports no EAP authentication method other than MD5-Challenge.

  • Requires high processing capability on the access device.

EAP Relay Mode (EAPoR):

  • The access device directly encapsulates the received EAP packet into a RADIUS packet and sends it to the RADIUS server.

  • Simplifies access device processing.

  • Supports various EAP authentication methods.

  • Requires the authentication server to support EAP and have high processing capability.
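The difference between the two modes shows in the bytes the access device sends to the RADIUS server. This Python is an added example, not code from the article: it builds a client's EAP-Response/Identity and EAP-Response/MD5-Challenge, then packages them verbatim into EAP-Message attributes (relay mode, the "Forwarding to Server" step of the process in the next section) or, after parsing them, as User-Name, CHAP-Password and CHAP-Challenge attributes (termination mode). Type codes are from RFC 2865, RFC 3579 and RFC 3748; the user name, password and challenge are constructed, and the Message-Authenticator attribute that must accompany EAP-Message is omitted.

```python
import hashlib
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 2, 1, 4
# RADIUS attribute types (RFC 2865/3579): User-Name, CHAP-Password, CHAP-Challenge, EAP-Message
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE, ATTR_EAP_MESSAGE = 1, 3, 60, 79

def eap_packet(code, ident, eap_type, data):
    """EAP header: Code(1) Identifier(1) Length(2) Type(1), then Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def radius_attr(attr_type, value):
    """RADIUS attribute TLV: Type(1) Length(1) Value; Length counts the header."""
    assert len(value) <= 253, "a RADIUS attribute value is at most 253 bytes"
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def client_md5_response(ident, password, challenge, name):
    """Constructed client side: EAP-Response/MD5-Challenge (RFC 3748 section 5.4)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest + name)

def relay_mode(eap):
    """EAP relay (EAPoR): the access device copies the EAP packet verbatim into
    EAP-Message attributes, splitting at 253 bytes; the RADIUS server parses EAP."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    return [radius_attr(ATTR_EAP_MESSAGE, c) for c in chunks]

def termination_mode(eap_identity, eap_md5, challenge):
    """EAP termination: the access device parses the EAP packets itself and
    re-expresses them as CHAP. EAP-MD5 hashes id||password||challenge exactly as
    CHAP does, which is why termination mode works only for MD5-Challenge."""
    code, ident, _length, etype = struct.unpack("!BBHB", eap_md5[:5])
    assert code == EAP_RESPONSE and etype == EAP_TYPE_MD5
    digest = eap_md5[6:6 + eap_md5[5]]            # Value-Size(1) then Value
    user_name = eap_identity[5:]                   # Type-Data of Response/Identity
    return [radius_attr(ATTR_USER_NAME, user_name),
            radius_attr(ATTR_CHAP_PASSWORD, bytes([ident]) + digest),
            radius_attr(ATTR_CHAP_CHALLENGE, challenge)]

def server_chap_check(attrs, password):
    """RADIUS server side for termination mode: plain CHAP verification (RFC 2865 5.3)."""
    fields = {a[0]: a[2:] for a in attrs}
    ident, digest = fields[ATTR_CHAP_PASSWORD][0], fields[ATTR_CHAP_PASSWORD][1:]
    expected = hashlib.md5(bytes([ident]) + password + fields[ATTR_CHAP_CHALLENGE]).digest()
    return digest == expected

# Constructed sample exchange: Response/Identity, then Response/MD5-Challenge.
CHALLENGE = bytes(range(16))
IDENTITY = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")
MD5_RESP = client_md5_response(2, b"s3cret", CHALLENGE, b"alice")
```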

Authentication Process in EAP Relay Mode

The process involves the following steps:

  1. Triggering Authentication: The client sends an EAPoL-Start packet to initiate 802.1X authentication.

  2. Identity Request: The access device requests the client's identity information through an EAP request packet.

  3. Identity Response: The client responds with an EAP packet carrying the user identity information.

  4. Forwarding to Server: The access device encapsulates the EAP packet into a RADIUS packet and forwards it to the authentication server.

  5. EAP Method Negotiation: The RADIUS server negotiates the EAP authentication method with the client.

  6. EAP Information Exchange: The client and server exchange EAP packets to complete negotiation of the authentication method.

Authentication and Authorization:

  • Upon successful EAP method negotiation, the client and server establish a TLS tunnel using EAP-PEAP.

  • The client is authenticated through the tunnel, and the RADIUS server informs the access device of the successful authentication.

  • Port Authorization: The access device authorizes the port and notifies the client of the successful authentication, allowing network access.
