Technology Update
802.1X provides user authentication
Most end users connect to enterprise networks via a Category 5 wire to an Ethernet switch, but access via 802.11 wireless access points seems poised for rapid growth.
In this era of ever-increasing mobility in wired and wireless scenarios, we can no longer always assume a user's access to a Layer 2 network will be via the same physical port of entry. This mobility has created a need to identify who is attempting to gain access to a given port. The 802.1X standard provides such a solution.
802.1X defines Extensible Authentication Protocol (EAP) over LANs (EAPOL). The standard encapsulates and leverages much of EAP, which was originally defined in RFC 2284 for dial-up authentication with the Point-to-Point Protocol.
Beyond encapsulating EAP packets, the 802.1X standard also defines EAPOL messages that convey the shared key information critical for wireless security.
For the purpose of describing 802.1X, we use the term network access server for the box that provides a user's port of entry to a LAN and thus carries the responsibility for authenticating a client.
A network access server is usually an Ethernet switch or a wireless access point. Upon detecting the presence of a client, a network access server sends an EAPOL-encapsulated EAP request-ID to the client.
The client responds with an EAPOL-encapsulated EAP response-ID message containing the user's identification.
The access server then re-encapsulates this same EAP response-ID message in a Remote Authentication Dial-In User Service (RADIUS) access request packet and forwards it to a RADIUS server.
The access server relays EAP messages between the client and the RADIUS server without interpreting them: on the client side they are encapsulated in EAPOL, and on the server side they ride inside a RADIUS packet.
In the final step, the RADIUS server responds with a RADIUS access accept (or deny) packet containing an encapsulated EAP success (or failure), which the network access server then forwards to the client.
In the case of success, the port is considered opened for data traffic and the user authenticated.
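The exchange above, as an added example that is not taken from the article: a Python model of how the authenticator carries the same EAP packet in two wrappers, EAPOL toward the client and RADIUS EAP-Message attributes (type 79) toward the server, and how the server's Success or Failure travels back the other way. The `allowed` set and its acceptance rule are constructed stand-ins for a real EAP method; the Identity response is an unauthenticated claim, and on its own it must never open the port.

```python
import struct
EAPOL_VERSION, EAPOL_EAP_PACKET = 1, 0            # EAPOL packet type 0 = EAP-Packet
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79                      # RADIUS attribute carrying EAP (RFC 3579)

def eap_packet(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: code, identifier, length, then optional type and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(eap):
    code, ident, length = struct.unpack("!BBH", eap[:4])
    return {"code": code, "id": ident, "data": eap[5:length],
            "type": eap[4] if length > 4 else None}  # Success/Failure carry no type byte

def eapol_wrap(eap):
    """Client side: EAP inside an EAPOL header (version, packet type, body length)."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap

def eapol_unwrap(frame):
    _, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    return frame[4:4 + length]

def radius_wrap(eap):
    """Server side: the same EAP bytes, split into EAP-Message attributes of <= 253 bytes."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    return b"".join(struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(c)) + c for c in chunks)

def radius_unwrap(attrs):
    """Reassemble one EAP packet from consecutive EAP-Message attributes."""
    eap, pos = b"", 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if atype == RADIUS_ATTR_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + alen]
        pos += alen
    return eap

def relay_identity_exchange(identity, allowed):
    """Relay the Identity exchange and the verdict -> (identity seen by RADIUS, final EAP code, port open)."""
    eapol_unwrap(eapol_wrap(eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))          # NAS -> client
    response = eapol_wrap(eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))  # client -> NAS
    seen = parse_eap(radius_unwrap(radius_wrap(eapol_unwrap(response))))["data"]     # NAS -> RADIUS
    verdict = EAP_SUCCESS if seen in allowed else EAP_FAILURE  # constructed stand-in for a real EAP method
    final = parse_eap(eapol_unwrap(eapol_wrap(radius_unwrap(radius_wrap(eap_packet(verdict, 2))))))
    return seen, final["code"], final["code"] == EAP_SUCCESS
```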
However, a twist in the 802.1X protocol exchange may occur in a wireless environment when encryption is being used. There is some confusion in the user community about the role 802.1X plays in Wired Equivalent Privacy (WEP) encryption, and this is a topic of hot debate.
The simple answer is that if static keys are used for WEP encryption, 802.1X plays no direct role; once the port is authenticated, subsequent packets between client and wireless access point are encrypted using those static keys.
Static-key WEP encryption is widely held to be far too easy to crack. 802.1X does play a direct role when dynamic session keys are used: in this case, the RADIUS access accept includes session keys, which the wireless access point uses to build, sign and encrypt an EAPOL key message.
This is sent to the client immediately following the EAP success message. With this information, both client and wireless access point can program their encryption keys dynamically, making the encryption more difficult to crack.
Future
There are a number of emerging applications for 802.1X. High-end LAN switches often provide advanced capabilities such as quality of service and virtual LANs that could be automatically configured for a port based on the authenticated user. Another application is public access to the Internet via wireless LANs. An ISP offering such a service must be able to authenticate and bill for that public access.
Because of the potential growth of this type of wireless LAN public access, it is no surprise that the IEEE committee focused on security issues in 802.11 wireless LANs (subgroup 802.11i) is discussing many improvements to 802.11 wireless access security. Since 802.1X remains at the core of these security mechanisms, we are likely to see additions and refinements in the use of 802.1X in wireless environments.
Related Links
Goransson is president of Meetinghouse Data Communications. He can be reached at www.paulg@mtghouse.com.
Authentication and Authorization: The Big Picture with IEEE 802.1X
Overview from SANS.
