The Norwegian research network
IEEE 802.1X

IEEE 802.1X is a standard for port-based network access control. A typical area of use is in switches, where each individual physical port can be controlled so that a user must authenticate before the port is opened for traffic. Several solutions exist, some of which can also limit the number of hosts allowed on a single port in case the user connects a switch or hub of his own.

Extensible Authentication Protocol (EAP, RFC 2284) is an important component of 802.1X. EAP was developed as an improvement of the authentication method provided by the Point-to-Point Protocol (PPP, RFC 1661), giving PPP a generalized framework for different types of authentication. The 802.1X standard defines the encapsulation of EAP in Ethernet frames for use over a LAN. This is called EAP over LAN, or EAPOL.

This figure shows the different layers of 802.1X, where one can choose the type of authentication and the network type.

There are three different components of an 802.1X system: the Supplicant (the client that wants access to the network), the Authenticator (the switch or access point that controls the port) and the Authentication Server (which verifies the Supplicant's credentials).

Most of the intelligence lies in the Supplicant and the Authentication Server; the Authenticator does mostly forwarding. This makes the system well suited for wireless networks, as the access points fill the role of Authenticator and do not require much processing power.

This figure shows how the communication between the Supplicant, the Authenticator and the Authentication Server works. At first the Authenticator blocks all traffic except EAPOL. When the Authenticator sees that a new Supplicant is present (or the Supplicant says "hello"), it sends a request for identification. The Supplicant provides its identity, and the answer is forwarded to the Authentication Server. The server, in turn, answers with a challenge (depending on the chosen authentication method) that the Supplicant has to answer satisfactorily before the Authenticator opens the port for all traffic. For wireless networks it is also important that the Supplicant knows that the Authentication Server (and access point) is the real thing and not a bogus one set up to lure the user name and password out of the user. This scenario can be avoided by using mutual authentication, where the Authentication Server also has to give the correct information to the Supplicant. Examples of such mutual authentication methods are TLS, TTLS, PEAP and LEAP.
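The EAPOL encapsulation and the port-blocking behaviour described above, as an added example that is not part of the original article: a minimal EAPOL/EAP frame parser plus a model of the Authenticator's controlled port, which passes only EAPOL until the Authentication Server's EAP-Success has been relayed. The MAC addresses and the "alice" identity are constructed sample values; a real authenticator also tracks EAP identifiers, timeouts and logoff, which this model leaves out.

```python
import struct

ETHERTYPE_EAPOL = 0x888E          # EtherType of EAP over LAN (802.1X)
EAPOL_EAP_PACKET = 0              # EAPOL packet type that carries an EAP packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
PAE_GROUP_MAC = b"\x01\x80\xc2\x00\x00\x03"   # 802.1X PAE group address
SUPPLICANT_MAC = b"\x00\x11\x22\x33\x44\x55"  # constructed sample address

def parse_eapol(frame):
    """Return the EAP fields of an Ethernet frame carrying EAPOL, or None.
    Layout: 14-byte Ethernet header, 4-byte EAPOL header (version, type,
    body length), then the EAP packet: code, identifier, length, [type, data]."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_EAP_PACKET:
        return {"eapol_type": eapol_type}
    body = frame[18:18 + body_len]
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    # Only Request and Response packets carry a type octet and type data.
    eap_type = body[4] if code in (1, 2) and eap_len > 4 else None
    return {"code": EAP_CODES.get(code, code), "id": ident,
            "type": eap_type, "data": bytes(body[5:eap_len])}

def build_eapol(code, ident, eap_type=None, data=b""):
    """Construct a sample EAPOL frame for the walk-through (not captured traffic)."""
    eap = struct.pack("!BBH", code, ident, 4 + (1 + len(data) if eap_type is not None else 0))
    if eap_type is not None:
        eap += bytes([eap_type]) + data
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_MAC + SUPPLICANT_MAC + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

class AuthenticatorPort:
    """Controlled port of the Authenticator: passes only EAPOL until the
    Authentication Server's EAP-Success has been relayed to the Supplicant."""
    def __init__(self):
        self.authorized = False

    def forward(self, frame, from_server=False):
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL and not self.authorized:
            return "dropped"                      # all non-EAPOL traffic is blocked
        parsed = parse_eapol(frame)
        # Only the server's verdict opens the port; an EAP-Success arriving
        # from the Supplicant side is forwarded as EAPOL but changes nothing.
        if from_server and parsed and parsed.get("code") == "Success":
            self.authorized = True
        return "forwarded"
```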

802.1X gives us the tools to reduce or eliminate the danger of session hijacking and man-in-the-middle attacks, but it requires the right type of authentication, including mutual authentication. We are not quite secure yet, though. For this to be a good solution for wireless networks, one also needs good encryption of the network traffic so that no one can eavesdrop. EAP enables us to use different types of encryption with dynamic key distribution.

IEEE 802.11i is a wireless implementation of 802.1X. This standard is based on the use of 802.1X together with a stronger encryption method than WEP. In the first phase of the standard, the encryption was Temporal Key Integrity Protocol (TKIP) together with an improved Message Integrity Check (MIC) to stop data manipulation. Like WEP, TKIP uses the RC4 cipher. The advantage of TKIP is that it is software- and hardware-compatible with existing WEP equipment, so one can get hardware encryption without having to buy new equipment. TKIP gives us per-user, per-session, per-packet encryption, which eliminates the weaknesses of WEP. However, TKIP is not considered 100% secure, but so far no one has claimed to have broken it.

A "snapshot" of the work done by IEEE 802.11i was launched as a new wireless security standard by the Wi-Fi Alliance. This standard has been given the name Wi-Fi Protected Access (WPA). It uses TKIP encryption and a MIC called "Michael". Having the Wi-Fi Alliance promoting this means availability in an increasing number of Wi-Fi approved products on the market. WPA2 is a Wi-Fi approved implementation of the full IEEE 802.11i standard.

The second phase of IEEE 802.11i was to replace TKIP and MIC with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses the Advanced Encryption Standard (AES) cipher. AES is considered to provide very secure encryption, but the processing overhead requires new hardware to avoid a loss of performance. This applies mostly to access points, which have limited processing power; most PCs are powerful enough to handle it in software.

There are several products on the market that support 802.1X and/or WPA, and even AES encryption. Be sure to choose a product that offers mutual authentication and sufficient encryption. If one wants to stick to standards and be compatible with most users, one should look for products with WPA and/or IEEE 802.11i support. Windows XP now supports WPA, and there are several third-party products with clients for both Linux and PocketPC. If one chooses to live in a Cisco environment, their LEAP solution could also be an option.

For the user, connecting and authenticating is a relatively simple task. Configuration of the preferred wireless connection and the necessary security data is done through the same application and is not much more complicated than configuring WEP.


Jardar.Leira@uninett.no 2005-04-15