IEEE 802.1x is a standard for port-based network access control.
It provides an authentication mechanism for local area networks and wireless area networks.
802.1x is made up of the following components:
Extensible Authentication Protocol
This message format and framework provides an encapsulated transport for authentication parameters
Different authentication methods can be used with EAP
EAP over LAN (EAPoL)
The Layer 2 encapsulation protocol defined by 802.1x for the transport of EAP messages over IEEE 802 wired and wireless networks
EAP uses RADIUS as the AAA protocol
802.1x devices have the following roles:
The supplicant is software on the endpoint that communicates and provides identity credentials through EAPoL with the authenticator.
Common 802.1x supplicants include Windows and macOS supplicants as well as Cisco AnyConnect.
These supplicants can carry out user or machine authentication
A network access device (NAD) such as as switch or wireless LAN controller controls access to the network based on the authentication status of the user or endpoint.
The authenticator acts the liaison, taking Layer 2 EAP-encapsulated packets from the supplicant and encapsulating them into RADIUS packets for delivery to the authentication server
The RADIUS server performs authentication of the client. The authentication server validates the identity of the endpoint and provides with authenticator with an authorisation result.
The EAP identity exchange and authentication occur between the supplicant and authentication server.
- The authenticator notices a port coming online. It will start the authentication process by sending periodic EAP-Request/Identify frames. The supplicant can also inititate the authentication process by sending an EAPoL/Start message to the authenticator
- The authenticator relays the EAP messages between the supplicant and the authenticator by copying the message from the EAPoL frame to an AV-pair inside a RADIUS packet and vice versa.
- Authentication takes place using a selected EAP method
- If the authentication is succesful, the authentication server will return a RADIUS access-accept message with an encapsulated EAP-success message as well as an authorisation option such as a downloadable ACL. When this is completed, the authenticator will grant access on the port
The authenticator has no idea what EAP type is in use but it takes the EAPoL encapsulated frame from the supplicant and encapsulates it within a RADIUS packet sent to the authentication server. The authentication server will direct the authenticator whether to open up the port or not. The EAP authentication itself is transparent to the authenticator; all it does is forward on a message.
There are many different EAP methods available. Most of them are based on Transport Layer Security.
The most commonly used EAP methods:
- EAP challenge-based authentication method
- Extensible Authentication Protocol – Message Digest 5 (EAP-MD5)
- EAP TLS authentication method
- Extensible Authentication Protocol – Transport Layer Security (EAP-TLS)
- EAP tunnelled TLS authentication methods
- Extensible Authentication Protocol Flexible Authentication via Secure Tunnelling (EAP-FAST)
- Extensible Authentication Protocol Tunnelled Transport Layer Security (EAP-TTLS)
- Protected Extensible Authentication Protocol (PEAP)
- EAP inner authentication methods
- EAP Generic Token Card (EAP-GTC)
- EAP Microsoft Challenge Handshake Authentication Protocol Version 2
- EAP TLS
EAP inner authentication methods are tunnelled within PEAP, EAP-FAST and EAP-TTLS.
PEAP, EAP-FAST, and EAP-TTLS are known as outer or tunnelled TLS authentication methods.
Tunnelled TLS authentication methods establish a TLS outer tunnel between the supplicant and the authentication server.
Once the encrypted tunnel is established, client authentication credentials are negotiated using one of the EAP inner methods.
This tunnelling method is similar to the way a HTTPS session is established between a web browser and a server.
EAP-MD5 uses the MD5 message-digest algorithm to hide credentials in a hash.
The hash is sent to an authentication server where it is compared to a local hash to validate the accuracy of the credentials.
EAP-MD5 does not have a mechanism for mutual authentication. The authentication server can only authenticate the supplicant, but the supplicant is unable to validate the authenticate the authentication server to see if it is trustworthy.
This lack of mutual authentication makes it a not recommended authentication method
EAP-TLS uses the TLS Public Key Infrastructure (PKI) certification authentication mechanism to provide mutual authentication of supplicant to authentication server and authentication server to supplicant.
Both the supplicant and the authentication server must be provided with a digital certificate signed by a certified authority that both devices trust.
This is the most secure authentication method, but requires the most administrative work as a certificate needs to be installed on both the client and the server
With PEAP only the authentication server requires a certificate which reduces the administrative workload.
PEAP forms an encrypted TLS tunnel between the supplicant and the authentication server.
After the tunnel has been established, PEAP uses one of the below EAP authentication inner methods to authentication the supplicant through the outer PEAP TLS tunnel
EAP-MSCHAPv2 / PEAPv0
The clients credentials are sent to the server encrypted inside of a MSCHAPv2 session.
This is the most common inner method and allows for simple transmission of the username and password, computer name or computer password to the RADIUS server.
The RADIUS server can authenticate these details against Active Directory
EAP-GTC / PEAPv1
Cisco created EAP-GTC as an alternative to EAP-MSCHAPv2 to allow generic authentications to any identity store, including OTP token servers, LDAP, NetIQ eDirectory and so on.
EAP-TLS / PEAPv1
The most secure EAP inner authentication as it is a TLS tunnel within another TLS tunnel. It requires certificate to be installed on the authentication server and the supplicant.
EAP-FAST is similar to PEAP. Developed by Cisco Systems as alternative to PEAP to allow faster reauthentication and support for faster wireless roaming.
Similar to PEA, EAP-FAST forms a TLS outer tunnel and then transmits the client authentication credentials within that outer tunnel.
FAST has an ability to reauthenticate faster by using protected access credentials (PAC).
A PAC is similar to a secure cookie, stored locally on the host as proof of a successful authentication.
EAP-Fast supports EAP-Chaining
EAP-TTTLS is similar to PEAP but is not as widely supported.
EAP-TTLS can support additional inner methods such as legacy Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
EAP-FAST includes the option of EAP Chaining. EAP chaining enables user and machine authentication to be combined into a single overall authentication result.
This allows for the assignment of greater privileges or posture assignments to users who connect to the network using a corporate managed device for example