A wireless node must be authenticated before it can gain access to other LAN resources
IEEE 802.1X is an IEEE standard for port-based Network Access Control; it is part of the IEEE 802 (802.1) group of protocols. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for certain closed wireless access points, and is based on the EAP, Extensible Authentication Protocol (originally RFC 2284, now RFC 3748).
802.1X can be configured to authenticate hosts equipped with supplicant software, denying unauthorized access to the network at the data link layer.
Some vendors implement 802.1X for wireless access points to address the security vulnerabilities of WEP (see 802.11i) when an access point needs to be operated as a closed access point. Authentication is usually done by a third-party entity, such as a RADIUS server. This provides for client-only authentication or, more appropriately, strong mutual authentication using protocols such as EAP-TLS.
Upon detection of a new client (supplicant), the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as DHCP and HTTP, is blocked at the data link layer. The authenticator sends an EAP-Request/Identity to the supplicant; the supplicant replies with an EAP-Response packet, which the authenticator forwards to the authentication server. If the authentication server accepts the request, the authenticator sets the port to the "authorized" state and normal traffic is allowed. When the supplicant logs off, it sends an EAP-Logoff message to the authenticator, which then returns the port to the "unauthorized" state, once again blocking all non-EAP traffic.
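The port state machine described above, as an added Python model that is not part of the original article: EAPOL frames (EtherType 0x888E) are the only traffic an unauthorized port passes, an accepted EAP-Response moves the port to "authorized", and a logoff returns it to "unauthorized". The `server_accepts` callback, the `Frame` layout and the frame sequence are assumptions standing in for the RADIUS round trip and for real captured traffic.

```python
from dataclasses import dataclass
from typing import Callable, Optional
EAPOL_ETHERTYPE = 0x888E  # EAP over LAN; the only EtherType an unauthorized port passes
IPV4_ETHERTYPE = 0x0800   # DHCP, HTTP and other data traffic ride on this
# EAP codes (RFC 3748) and EAPOL packet types (IEEE 802.1X)
EAP_RESPONSE = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2

@dataclass
class Frame:
    ethertype: int
    eapol_type: Optional[int] = None  # set only for EAPOL frames
    eap_code: Optional[int] = None    # set only for EAPOL-EAP packets
    payload: bytes = b""

@dataclass
class AuthenticatorPort:
    # Assumed stand-in for the RADIUS round trip to the authentication server
    server_accepts: Callable[[bytes], bool]
    authorized: bool = False  # ports start in the "unauthorized" state

    def receive(self, frame: Frame) -> str:
        """Return the authenticator's decision for one frame from the supplicant side."""
        if frame.ethertype != EAPOL_ETHERTYPE:
            # Data-link layer filter: non-EAPOL traffic passes only once authorized
            return "forward" if self.authorized else "drop"
        if frame.eapol_type == EAPOL_LOGOFF:
            self.authorized = False  # back to blocking all non-EAP traffic
            return "unauthorized"
        if frame.eapol_type == EAPOL_START:
            return "request-identity"  # authenticator sends EAP-Request/Identity
        if frame.eapol_type == EAPOL_EAP_PACKET and frame.eap_code == EAP_RESPONSE:
            # Relay the EAP-Response to the server; its verdict sets the port state
            self.authorized = bool(self.server_accepts(frame.payload))
            return "authorized" if self.authorized else "failure"
        return "drop"  # unknown EAPOL type

def demo_session() -> list:
    """Constructed frame sequence: blocked, authenticate, allowed, log off, blocked."""
    port = AuthenticatorPort(server_accepts=lambda identity: identity == b"alice")
    frames = [
        Frame(IPV4_ETHERTYPE, payload=b"DHCP discover"),
        Frame(EAPOL_ETHERTYPE, eapol_type=EAPOL_START),
        Frame(EAPOL_ETHERTYPE, eapol_type=EAPOL_EAP_PACKET, eap_code=EAP_RESPONSE, payload=b"alice"),
        Frame(IPV4_ETHERTYPE, payload=b"HTTP GET /"),
        Frame(EAPOL_ETHERTYPE, eapol_type=EAPOL_LOGOFF),
        Frame(IPV4_ETHERTYPE, payload=b"HTTP GET /"),
    ]
    return [port.receive(f) for f in frames]
```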
Implementations
Windows XP and Windows Vista support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack. Windows Mobile 2003 and later operating systems also come with a native 802.1X client. Windows XP has major issues with an IP address change (Dynamic VLAN) as the result of a user 802.1X validation, and Microsoft will not backport the fix from Vista.
A project for Linux known as Open1X produces an open source client, Xsupplicant. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types[1].
Mac OS X has offered native support since 10.3. The iPhone and iPod Touch will support it with the release of iPhone OS 2.0, expected June 2008.[2]
Vulnerabilities
In the summer of 2005, Microsoft's Steve Riley posted an article detailing a serious vulnerability in the 802.1X protocol involving a man-in-the-middle attack. In summary, the flaw is that 802.1X authenticates only at the beginning of the connection; after authentication, an attacker who can physically insert himself (perhaps using a workgroup hub) between the authenticated computer and the port can use the authenticated port. Riley therefore suggests that for wired networks, IPSec, or a combination of IPSec and 802.1X, would be more secure.
See also
AEGIS (network)