How 802.1x authentication works

Benefits of WLAN

Wireless LANs offer two things central to the adoption of communications technologies: reach and economy. Scalable end-user reach is gained without stringing wires, and the users themselves often feel empowered by their unfettered Internet access. In addition, IT managers find the technology a means to possibly stretch scarce budgets.

However, without stringent security to protect network assets, a WLAN implementation could offer a false economy. With Wired Equivalent Privacy (WEP), the old 802.1x WLAN security feature, networks could be easily compromised. This lack of security caused many to realize that WLANs could cause more problems than they were worth.

Overcoming the inadequacies of WEP

WEP, a data privacy encryption for WLANs defined in 802.11b, didn't live up to its name. Its use of rarely changed, static client keys for access control made WEP cryptographically weak. Cryptographic attacks allowed attackers to view all data passed to and from the access point.

WEP's weaknesses include the following:

  • Static keys that are rarely changed by users.
  • A weak implementation of the RC4 algorithm is used.
  • An Initial Vector sequence is too short and "wraps around" in a short time, resulting in repeated keys.

Solving the WEP problem

Today WLANs are maturing and producing security innovations and standards that will be used across all networking mediums for years to come. They have learned to harness flexibility, creating solutions that can be quickly modified if weaknesses are found. An example of this is the addition of 802.1x authentication to the WLAN security toolbox. It has provided a method to protect the network behind the access point from intruders as well as provide for dynamic keys and strengthen WLAN encryption.

802.1X is flexible because it's based on Extensible Authentication Protocol. EAP (IETF RFC 2284) is a highly pliable standard. 802.1x encompasses the range of EAP authentication methods, including MD5, TLS, TTLS, LEAP, PEAP, SecurID, SIM and AKA.

More advanced EAP types such as TLS, TTLS, LEAP and PEAP provide mutual authentication, which limits man-in-the-middle threats by authenticating the server to the client, in addition to just the client to the server. Furthermore, these EAP methods result in keying material, which can be used to generate dynamic WEP keys.

The tunneled methods of EAP-TTLS and EAP-PEAP actually provide mutual authentication to other methods that utilize the familiar user ID/password methods, i.e. EAP-MD5, EAP-MSCHAP V2, in order to authenticate the client to the server. This method of authentication occurs through a secure TLS encryption tunnel that borrows techniques from the time-tested secure Web connections (HTTPS) used in online credit card transactions. In the case of EAP-TTLS, legacy authentication methods can be employed through the tunnel, such as PAP, CHAP, MS CHAP and MS CHAP V2.

In October 2002, the Wi-Fi Alliance announced a new encryption solution that supersedes WEP called Wi-Fi Protected Access (WPA). This standard, formerly known as Safe Secure Network, is designed to work with existing 802.11 products and offers forward compatibility with 802.11i. All of the known shortcomings of WEP are addressed by WPA, which features packet-key mixing, a message integrity check, an extended initialization vector and a rekeying mechanism.

WPA, the new tunneled EAP methods and the natural maturing of 802.1x should result in more robust adoption of WLAN by the enterprise as security concerns are mitigated.

How 802.1x authentication works

A common network access, three-component architecture features a supplicant, access device (switch, access point) and authentication server (RADIUS). This architecture leverages the decentralized access devices to provide scalable, but computationally expensive, encryption to many supplicants while at the same time centralizing the control of access to a few authentication servers. This latter feature makes 802.1x authentication manageable in large installations.

When EAP is run over a LAN, EAP packets are encapsulated by EAP over LAN (EAPOL) messages. The format of EAPOL packets is defined in the 802.1x specification. EAPOL communication occurs between the end-user station (supplicant) and the wireless access point (authenticator). The RADIUS protocol is used for communication between the authenticator and the RADIUS server.

The authentication process begins when the end user attempts to connect to the WLAN. The authenticator receives the request and creates a virtual port with the supplicant. The authenticator acts as a proxy for the end user passing authentication information to and from the authentication server on its behalf. The authenticator limits traffic to authentication data to the server. A negotiation takes place, which includes:

  • The client may send an EAP-start message.
  • The access point sends an EAP-request identity message.
  • The client's EAP-response packet with the client's identity is "proxied" to the authentication server by the authenticator.
  • The authentication server challenges the client to prove themselves and may send its credentials to prove itself to the client (if using mutual authentication).
  • The client checks the server's credentials (if using mutual authentication) and then sends its credentials to the server to prove itself.
  • The authentication server accepts or rejects the client's request for connection.
  • If the end user was accepted, the authenticator changes the virtual port with the end user to an authorized state allowing full network access to that end user.
  • At log-off, the client virtual port is changed back to the unauthorized state.

Conclusion

WLANs, in combination with portable devices, have tantalized us with the concept of mobile computing. However, enterprises have been unwilling to provide employees mobility at the expense of network security. Wireless manufacturers expect the combination of strong flexible mutual authentication via 802.1x/EAP, along with the improved encryption technology of 802.11i and WPA, to allow mobile computing to achieve its full potential within security-conscious environments.

Jim Burns is a senior software engineer at Portsmouth, N.H.-based Meetinghouse Data Communications Inc.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.