IEEE 802.1X is a standard for Port-Based Network Access Control (PNAC): it accepts or rejects devices that want access to your network. The 802.1X protocol works on both wired and wireless networks.

Think of it like this: you have a large money transfer to make, so you log in to your bank account. But, horrors, it is a third-party website that looks just like your bank’s official site and was designed solely to steal your account details.

Phishing scams are more common than you think.

As per IBM’s 2021 report:

“IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses. Phishing ranks as the second most expensive cause of data breaches—a breach caused by phishing costs businesses an average of $4.65 million, according to IBM.”

If you throw in the various other types of cyber scams taking place practically every second around the globe, you are looking at a trillion-dollar cost to the global economy.

It’s no wonder that, as we become more and more connected, cybersecurity and authentication protocols become more and more critical.

What Is 802.1X Authentication?

In most home networks, the WPA2 security protocol is used, where a user can access the network with just a username and password. But when dealing with a lot of sensitive information, WPA2 isn’t enough to ensure security.

IEEE 802.1x is a standard defined by the IEEE 802.1x working group for addressing port-based access control employing authentication for wired and wireless networks. 

The 802.1X protocol uses an authentication server called a RADIUS server.

When a device seeks access to a network, its credentials are sent via the authenticator to the server, which grants one of several types of access.

This ensures that only the right user accesses the network for the intended purpose. Before we dive into 802.1X EAP security, let’s see how 802.1X works.

How Does 802.1X Work? 

In 802.1X authentication, the user sends a digital certificate via the authenticator to the RADIUS server to confirm their identity and get access to the network. Based on the certificate, the RADIUS server grants or denies the user access to the desired network.

Though it sounds simple, the procedure has several different steps and components that work together. 

What Is 802.1X EAP-TLS Authentication?

EAP, or Extensible Authentication Protocol, is the standard authentication protocol for 802.1X.

It is also the most commonly used protocol. Several EAP methods exist, but EAP-TLS is the only certificate-based authentication method.

So it ensures the maximum safety of your network. EAP-TLS is also the fastest authentication method among all EAP methods.

For example, the EAP-TLS method is twice as fast as the EAP-TTLS method. Let’s take a closer look at the components of the EAP-TLS method.

Common EAP Based Authentication Methods

Some industry-standard EAP authentication methods that are commonly used are:

Lightweight EAP (LEAP) –

In this authentication process, the client simply provides the authentication server (AS) with its credentials, such as a username and password. All messages between the AS and the client are encrypted. This ensures that the client is authorized to access the network.

EAP Flexible Authentication by Secure Tunneling (EAP-FAST)

In this EAP method, access is granted only after three phases have been completed. For communication to be established between the AS and the supplicant, a Protected Access Credential (PAC) must be passed.

Protected EAP (PEAP) – 

It uses inner and outer authentication. In the outer authentication, the AS presents a digital certificate to authenticate itself to the supplicant.

EAP Transport Layer Security (EAP-TLS) – 

Certificates are exchanged between the AS and the supplicant, so that each side authenticates the other. To add a further layer of security, key data is funneled through an encrypted TLS tunnel. This is by far the most secure wireless authentication method; however, proper implementation and configuration can be a bit of a challenge.

Components of EAP-TLS Authentication

There are three major parts to the EAP-TLS authentication method. Here’s a quick breakdown of these parts.

Supplicant

A supplicant or client is the device that wants to connect to a network via a secure tunnel. For 802.1X authentication, the client device needs supplicant software installed to transmit the user’s certificate to the server via the authenticator.

Fortunately, most devices have supplicant software built in. But if a device doesn’t have a supplicant, you can install the software separately. The authenticator will always reject a device requesting access without a supplicant.

Authenticator

The authenticator is also known as the switch. You can call it the middleman between the client and the server that exchanges information between these two parties. Firstly, the switch starts EAPoL (Extensible Authentication Protocol over LAN) to the supplicant.

The client’s response is then forwarded to the RADIUS server. Once the server authenticates the client, the switch gives the client access to that network. Depending on the attributes of the connection sent by the server, the switch determines the access level of the client.

RADIUS Server

A RADIUS server is like the security personnel standing at the entrance of your offices who ask for an identity card when someone wants to enter the premises. Likewise, the RADIUS server demands a credential or certificate from the client when it wants to connect to a secure network.

Access is only granted when the client submits a valid certificate and the server confirms it. But unlike security personnel, the RADIUS server also sends its own server certificate to the client, so that the client knows it is connected to the right server.

As a result, a secure EAP tunnel is built between the client and the server, and data is transferred without any interception midway.

How Does 802.1X EAP-TLS Authentication Work?

The 802.1X EAP-TLS authentication method works in four steps.

Initialization 

This step starts automatically when the authenticator senses a device wanting to connect to the secure network. At this point, the authenticator port is in the unauthorized state.

Initiation 

After detecting the device, the authenticator (switch) starts sending EAP requests to the client device.

The device responds to this request and sends its information to the authenticator. 

The authenticator then forwards this information to the RADIUS server for authentication. 

Negotiation

After receiving the access request from the authenticator, the RADIUS server sends an access challenge packet to the client via the authenticator. It also sends its server certificate along with the packet so the client can validate the server.

Authentication

Once the client has sent its response to the access challenge back and it has been verified, the authenticator’s port state changes to authorized. The port is opened for the authenticated client to transfer data securely.
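As an added example (not code from the original article), here is a small Python model of the four steps above and of the authenticator behaviour described earlier: the port starts unauthorized and passes only EAPoL frames, the client’s identity is relayed to the RADIUS server, the server answers the access request with its certificate, the supplicant presents its own certificate only after checking the server’s, and the port opens (taking its VLAN from the RADIUS Tunnel-Private-Group-ID attribute) only on Access-Accept. The certificates, CA name, VLAN name and message dictionaries are constructed stand-ins, not real X.509 or RADIUS encoding.

```python
from dataclasses import dataclass

TRUSTED_CA = "ExampleCorp-Root-CA"  # constructed CA name for the stand-in certs

@dataclass
class Cert:  # stand-in for an X.509 certificate: just subject and issuer
    subject: str
    issuer: str

def trusted(cert, ca=TRUSTED_CA):
    return cert.issuer == ca  # toy chain check: was it issued by our CA?

@dataclass
class RadiusServer:
    cert: Cert
    vlan: str = "vlan-staff"  # access level handed to the switch on success
    def handle(self, msg):
        if msg["type"] == "Access-Request":  # step 3: Negotiation
            return {"type": "Access-Challenge", "server_cert": self.cert}
        if trusted(msg["cert"]):  # step 4: Authentication of the client cert
            return {"type": "Access-Accept", "Tunnel-Private-Group-ID": self.vlan}
        return {"type": "Access-Reject"}

@dataclass
class Supplicant:
    cert: Cert
    def answer(self, challenge):
        # Validate the server certificate before presenting our own, so the
        # client only ever hands its credential to the right RADIUS server.
        if not trusted(challenge["server_cert"]):
            return None
        return {"type": "Client-Cert", "cert": self.cert}

@dataclass
class AuthenticatorPort:
    radius: RadiusServer
    state: str = "unauthorized"  # step 1: Initialization
    vlan: str = ""
    def authenticate(self, sup):
        self.state, self.vlan = "unauthorized", ""
        req = {"type": "Access-Request", "identity": sup.cert.subject}  # step 2
        reply = sup.answer(self.radius.handle(req))  # relay challenge to client
        result = self.radius.handle(reply) if reply else {"type": "Access-Reject"}
        if result["type"] == "Access-Accept":
            self.state, self.vlan = "authorized", result["Tunnel-Private-Group-ID"]
        return self.state
    def forward(self, frame_type):
        # While unauthorized the port passes only EAPoL (802.1X) frames
        return self.state == "authorized" or frame_type == "EAPOL"
```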

802.1X Authentication In Wired Devices 

A client can establish a connection to the authenticator wirelessly. But if you want to authenticate a wired device, that’s also possible.

The connection process is very similar, except that your device is connected to the switch via Ethernet.

Everything else is the same as wireless 802.1X authentication. But remember, you need a switch that supports 802.1X authentication.

Is 802.1X Secure? 

802.1X can be the safest network authentication protocol if you know how to use it.

But there can also be vulnerabilities that depend on the user. Because manually configuring a device requires a lot of technical knowledge, an average user should let the configuration be done through onboarding software.

Otherwise, there is a risk of credential theft.

Another vulnerability arises when credential-based authentication is used.

Because the EAP-TLS method uses certificate-based authentication, it is the most secure network authentication method.

Identity-Based Networking Services (IBNS)

Though it has the same functionality as 802.1X, IBNS is different from 802.1X. It is essentially a systems security framework that enables network authentication methods, and only part of it uses IEEE 802.1X.

IEEE 802.1X is a working group that has defined IEEE 802.1X as a standard for addressing port-based access control using authentication. It defines a standard link-layer protocol used for transporting higher-level authentication protocols, and the actual enforcement is via MAC-based filtering and port state monitoring.

Wrapping up

Ensuring the security of sensitive data requires implementing 802.1X authentication. And a certificate-based authentication method like EAP-TLS can be your best friend when network security is your ultimate target. Users will have a faster and better authentication experience with the EAP-TLS method. Because this method uses public-private key cryptography for encryption, no one can intercept your information without authorized access.

Joesphror · August 3, 2022 at 8:39 pm

Great stuff!
