A thorough understanding of 802.1X and its role in our everyday network communications is a critical building block in your knowledge set for managing your network effectively. Let’s talk about some advantages and issues surrounding 802.1X, as well as a bit of history on how the protocol got to where it is today.
While the foundation of network engineering is connectivity and reliability, security of the network being built and managed cannot be excluded. That was the case years ago: as early networks were deployed, there was no good set of security protocols and rules to go along with new, reliable connections. The were several reasons for the oversight — dedicated private circuits provided a sense of security, and wireless LANs were still not a common technology. This changed quickly and as a result, different network security standards emerged from the multiple working groups.
What is the 802.1X authentication standard?
802.1X is one member of the larger 802.1 IEEE standard family of Ethernet standards that we’re familiar with today. 802.1X defines the workings of port-based Network Access Control (PNAC). It’s a standard for defining authentication for clients that need to attach to the network through a wired switch or a wireless access point.
The purpose of this standard is to identify a reliable and universal way for clients (end devices) to establish their identity and their right to be on a network. This is done through authentication to a network device using a central AAA (authentication, authorization and accounting) security server or RADIUS server to support the authentication.
Identifying the need for 802.1X authentication
Much like the history of internet protocols, the history of 802.1X is a rolling collection of trials and errors. Some things worked, and some things didn’t. Along the way, changes and improvements to the standard were made to accommodate key requirements:
Authentication. The primary purpose of 802.1X is to define a standard framework to connect securely to dedicated wired networks. Understanding and validating the identity of a client is an important part of securing that connection.
Authorization. Networks can be complicated, and not every authenticated client should have the same level of access. Authorization, or assigning the right level of access to the right client, is a critical component of network access.
Accounting. A key component in network security is accounting logging access: recording and understanding who has accessed a network, and what they accessed while inside.
Port level control. While authorization enables clients to have the right level of access, there is often a need to give different clients varying levels of access and restriction based on how or where they’re connecting.
Encryption. Support for encrypting network communications to ensure only the authenticated client and the intended recipient are able to access that data is security table stakes.
All of these requirements were defined over the years to give us a more robust and more complete implementation of 802.1X, which we see today.
Wired or wireless?
Today, 802.1X is mostly regarded as a wireless standard developed by the IEEE working group for providing security for wireless networks. But in reality, it was originally developed for wired networks and adapted to wireless networks. And this made a good fit.
When IEEE was developing 802.1X, the vast majority of network nodes were still hardwired to vast farms of multi protocol switches. Thousands of miles of wires were run to make sure every device had a dedicated Ethernet port. But as devices evolved to be more mobile, and networks started to move to public and semi-private environments, hardwired devices gave way to mobile devices in exponentially larger numbers.
Security for these devices also migrated to wireless: the need was much more urgent. As a result, 802.1X became much more robust and standardized to be used across wired and wireless networks.
Components of 802.1X authentication
There are three primary components of authentication:
- Supplicant. The supplicant is the endpoint or client device. This could be a desktop computer, a laptop, a smartphone, or even an IoT device or network printer. While the term supplicant can be referring to the client device, or the software running on that device (the term is used interchangeably), the supplicant always is the device that is requesting to be authenticated.
- Authenticator. The authenticator is a device that provides a gateway to the network for the supplicant. It initiates a connection to the supplicant when it recognizes it on its link (wired, or wireless). The authenticator establishes a data link, or Layer 2 connection in the OSI model, and then acts as a security guard – allowing or denying the device’s connectivity. In most cases, this is an Ethernet switch or a wireless access point.
- Authentication Server. The authentication server acts as the network’s centralized security management resource. It determines the security policies and methods of authentication and entry for the network. It instructs the authenticator, which allow it to decide who whether it will allow or disallow the supplicant. This is usually based on the network engineer’s specified security procedures, such as a certificate or username and password combination. Many times, the authentication server is a standalone device such as a RADIUS server. However, in smaller networks, the authentication server resides inside a networking device, like the switch or access point.
What’s a typical 802.1X authentication process look like?
Typically, authentication is going to occur anytime a specific device is trying to gain access to the network. This is going to happen as soon as a networking endpoint is turned on. At this point, the authentication process needs to be completed before doing anything, even acquiring an IP address. Here’s what those authentication steps look like:
- Initialization. The first step is initiated by the authenticator. When the authenticator sees an attempt by the supplicant to gain access to the switch or the Wi-Fi access point, it sends a request/identify message to the supplicant.
- Initiation. The supplicant receives the request/identity message, and responds with a message that identifies itself. At this point, the authenticator is going to forward this to the authentication or RADIUS server.
- Negotiation. When the authentication server receives this message, it will ask for the supplicant’s credentials, passing this challenge back through the authenticator. This can be user ID and password, multi factor combinations with tokens, biometric data, or/and certificates.
- Authentication. The supplicant responds to this challenge, and it’s forwarded back to the authentication server where it is verified by the RADIUS server’s database.
- Access. If everything is valid, the authentication server passes this back to the authenticator, which allows the supplicant access to the network. Access will be based on the supplicants’ credentials, as well as other criteria such as location, and even specific security events that are occurring at the time.
This process makes for a very effective, current, and proactive security regime to keep the network safe at all times.
The pros and cons of 802.1X authentication
Pros
- 802.1X is mature. One of the greatest benefits is its maturity and stability. It is tried, tested, and true, and running in production on networks globally.
- Vendor agnostic. 802.1X is an industry standard. This is very important as time moves forward with multiple vendors and products. You can always rely on 802.1X as a standardized system.
- It is strong. 802.1X has a strong security profile. It is relied on very heavily to protect thousands of networks and millions of users.
- It is reliable. 802.1X is still in use and updated today because of its strong reliability history. It is the type of protocol that can be implemented and will not cause problems down the road.
- It is scalable. 802.1X has excellent scalability and versatility characteristics. It can support multiple RADIUS servers, different types of security profiles, and endless combinations of authentication policies.
Cons
- 802.1X is secure, but not invulnerable. 802.1X ultimately relies on the security of the policies you create. If authentication simply requires a username and password, then that password can be cracked using dictionary attacks. There’s session hijacking and man-in-the-middle attacks that can also be effective. So, take care to ensure that your 802.1X network is sufficiently secure and monitored.
- Cost. If your network devices support 802.1X today, great! If not, replacing legacy network equipment with gear that can support 802.1X can present expense in getting set up.
- Usability. Your network may see a lot of device churn with new, unmanaged devices (such as a guest network). Managing the access of those devices can become cumbersome. Proper network design ensuring unmanaged devices don’t connect to your network can resolve this downside.
- Interoperability. Many wired LAN components may not fully support 802.1X and all of its features. Generally, this will be a problem in older pieces of equipment. It is also true in some newer IoT devices.
How do I know my network needs 802.1X authentication?
The simple answer to this is: Yes. But nothing in life is ever simple!
802.1X authentication can be the keystone to your network security program, protecting your network from unauthorized and unknown devices. There are other methods for authenticating users on to your network, but none are quite as robust, or as much of an industry standard.
So the real question should be, “Why have I not implemented 802.1X and all of its available features yet?”. If you don’t have a good answer to this question, then start looking at implementing it in your network. Follow-up that question with another: what other security technologies do you need to work with 802.1X to produce good strong security for your company?
802.1X has been around for a long time. It has gone through enormous change and innovation over the years, and is still the baseline authentication method on networks worldwide. While it is not the be all and end all of network access and security, it’s a very good start.
Your goal as a network manager should be to ensure that you have a good network management system in place along with a consistent 802.1X implementation. Then, once this is in place you should be moving towards building out greater security tools, such as more active RADIUS servers, multi-factor authentication, and NAC network access control systems.