802.1X in action

The use of IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to
a protected network, as well as dynamically varying encryption keys. 802.1X ties a protocol called EAP
(Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple
authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public
key authentication.

Initial 802.1X communication begins with an unauthenticated supplicant (i.e., client device)
attempting to connect with an authenticator (i.e., 802.11 access point). The access point responds by
enabling a port for passing only EAP packets from the client to an authentication server located on the
wired side of the access point. The access point blocks all other traffic, such as HTTP, DHCP, and POP3
packets, until the access point can verify the client's identity using an authentication server (e.g.,
RADIUS). Once authenticated, the access point opens the client's port for other types of traffic.

To get a better idea of how 802.1X operates, the following are specific interactions that take place
among the various 802.1X elements:

1. The client sends an EAP-start message. This begins a series of message exchanges to
authenticate the client; think of this as a group of visitors entering the front gate of a theme park and
the group's leader (i.e., client) asking the gatekeeper (i.e., access point) whether they can enter.

2. The access point replies with an EAP-request identity message. In the case of the theme park,
the gatekeeper will ask the leader for their name and driver's license.

3. The client sends an EAP-response packet containing the identity to the authentication server.
The leader in our example will provide their name and driver's license, and the gatekeeper forwards
this information to the group tour manager (i.e., authentication server), who determines whether the
group has rights to enter the park.

4. The authentication server uses a specific authentication algorithm to verify the client's identity.
This could be through the use of digital certificates or another EAP authentication type. In the case of
our example, this process simply involves verifying the validity of the leader's driver's license and
ensuring that the picture on the license matches the leader. In our example, we'll assume the leader
is authorized.

5. The authentication server will either send an accept or reject message to the access point. So
the group tour manager at the theme park tells the gatekeeper to let the group enter.

6. The access point sends an EAP-success packet (or reject packet) to the client. The gatekeeper
informs the leader that the group can enter the park. Of course, the gatekeeper would not let the
group in if the group tour manager had rejected the group's admittance.

7. If the authentication server accepts the client, then the access point will transition the client's
port to an authorized state and forward additional traffic. This is similar to the gatekeeper
automatically opening the gate to let in only people belonging to the group cleared for entry.

The basic 802.1X protocol provides effective authentication regardless of whether you implement
802.11 WEP keys or no encryption at all. If configured to implement dynamic key exchange, the
802.1X authentication server can return session keys to the access point along with the accept
message. The access point uses the session keys to build, sign and encrypt an EAP key message that
is sent to the client immediately after sending the success message. The client can then use the
contents of the key message to define applicable encryption keys. In typical 802.1X implementations, the client
can automatically change encryption keys as often as necessary to minimize the possibility of
eavesdroppers having enough time to crack the key in current use.
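As an added illustration of the seven-step exchange above and the key message described in the previous paragraph, here is a small Python model of the three 802.1X roles (example code, not from the original article). The message names, the allowed-identity list and the session key are constructed for the example, and the key message is simplified to an HMAC over a fixed label rather than the real EAPOL-Key format.

```python
import hmac, hashlib, os

class AuthServer:
    """Stand-in for the RADIUS server: decides Accept/Reject and hands back a session key."""
    def __init__(self, allowed_identities):
        self.allowed = set(allowed_identities)

    def authenticate(self, identity):
        # Step 4. A real server runs an EAP method (e.g. EAP-TLS) here, not a set lookup.
        if identity in self.allowed:
            return {"result": "Accept", "session_key": os.urandom(16)}  # constructed key
        return {"result": "Reject"}

class Authenticator:
    """Access point: its controlled port starts unauthorized and passes only EAP upstream."""
    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.dropped = []          # non-EAP traffic blocked while the port is unauthorized

    def receive(self, kind, msg=None, identity=None):
        """Handle one frame from the supplicant; return the reply as (kind, payload) or None."""
        if kind != "EAPOL":
            if not self.port_authorized:
                self.dropped.append(kind)      # HTTP, DHCP, POP3, ... are blocked
                return None
            return (kind, {"forwarded": True})
        if msg == "EAP-Start":                 # step 1 -> step 2
            return ("EAPOL", {"msg": "EAP-Request/Identity"})
        if msg == "EAP-Response/Identity":     # step 3 -> steps 4-7
            verdict = self.server.authenticate(identity)
            if verdict["result"] != "Accept":
                return ("EAPOL", {"msg": "EAP-Failure"})
            self.port_authorized = True        # step 7: port moves to the authorized state
            key = verdict["session_key"]
            # Simplified EAP key message: the AP signs it with the session key the server returned
            mac = hmac.new(key, b"EAP-Key", hashlib.sha256).hexdigest()
            return ("EAPOL", {"msg": "EAP-Success", "key_message_mac": mac})
        return None

def run_exchange(identity, allowed=("alice",)):
    """Drive the seven steps for one supplicant; return (final EAP message, port state, frames dropped)."""
    ap = Authenticator(AuthServer(allowed))
    ap.receive("HTTP")                                        # blocked: port still unauthorized
    ap.receive("EAPOL", msg="EAP-Start")
    reply = ap.receive("EAPOL", msg="EAP-Response/Identity", identity=identity)
    ap.receive("HTTP")                                        # passes only after EAP-Success
    return reply[1]["msg"], ap.port_authorized, len(ap.dropped)
```

Running `run_exchange("alice")` shows the first HTTP frame dropped and the second forwarded once the port is authorized; an unknown identity gets EAP-Failure and both data frames are dropped.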

802.1X not the whole solution

It's important to note that 802.1X doesn't provide the actual authentication mechanisms. When
utilizing 802.1X, you need to choose an EAP type, such as EAP-Transport Layer Security (EAP-TLS) or
EAP-Tunneled Transport Layer Security (EAP-TTLS), which defines how the authentication takes place.
