802.1X Port-Based Network Access Control
IEEE 802.1X is a standard for port-based Network Access Control (NAC) that provides authentication and authorization mechanisms for controlling access to network resources. It operates at the link layer of the network protocol stack and is commonly used in Ethernet networks.
802.1X allows for secure and controlled access to a network by authenticating devices (such as computers or other network devices) before granting them access to the network. It prevents unauthorized devices from connecting to the network and helps ensure that only authenticated and authorized devices are allowed to communicate.
The 802.1X authentication process involves three entities:
1- The supplicant (the device seeking network access),
2- The authenticator (such as a switch or wireless access point), and
3- The authentication server (typically a Remote Authentication Dial-In User Service or RADIUS server).
When a device attempts to connect to the network, the authenticator asks the supplicant to provide credentials or another form of authentication, such as a digital certificate. The supplicant sends this information to the authentication server for verification. If the authentication succeeds, the authenticator grants access to the network; otherwise, access is denied.
The authentication server verifies the identity and credentials of the supplicant using a directory service (such as LDAP or SAML) and sends back a success or failure message to the authenticator.
802.1X can be used in conjunction with other security protocols, such as Extensible Authentication Protocol (EAP), to provide a robust and flexible network access control solution. It helps enhance network security by ensuring that only authorized devices and users can access the network and helps prevent unauthorized access and potential security breaches.
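As an added illustration of the three-party exchange described above (not code from the original article), the model below has a switch-style authenticator relay EAP between a supplicant and a RADIUS-style server and keep its controlled port closed until the server returns Access-Accept. The password store, user name and the use of EAP-MD5 as the inner method are constructed assumptions for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

USER_DB = {"alice": b"correct horse"}  # constructed store standing in for the directory

@dataclass
class Eap:
    code: str          # "Request", "Response", "Success" or "Failure"
    ident: int         # EAP Identifier: ties a Response to its Request
    etype: str = ""    # "Identity" or "MD5-Challenge"
    data: bytes = b""

def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # EAP-MD5 response value as defined in RFC 3748: MD5(Identifier || Password || Challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class AuthServer:
    """RADIUS-style server: the only party that ever sees the password database."""
    def __init__(self): self.sessions = {}
    def handle(self, eap: Eap):
        if eap.etype == "Identity":            # step 1: identity received, issue a challenge
            chal = os.urandom(16)
            self.sessions[eap.ident + 1] = (eap.data.decode(), chal)
            return "Access-Challenge", Eap("Request", eap.ident + 1, "MD5-Challenge", chal)
        user, chal = self.sessions.pop(eap.ident, ("", b""))   # step 2: verify the response
        expected = md5_response(eap.ident, USER_DB.get(user, b""), chal)
        if user in USER_DB and hmac.compare_digest(eap.data, expected):
            return "Access-Accept", Eap("Success", eap.ident)
        return "Access-Reject", Eap("Failure", eap.ident)

class Supplicant:
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password
    def respond(self, req: Eap) -> Eap:
        if req.etype == "Identity":
            return Eap("Response", req.ident, "Identity", self.identity.encode())
        # With EAP-MD5 the supplicant never verifies the server: no mutual authentication
        return Eap("Response", req.ident, "MD5-Challenge",
                   md5_response(req.ident, self.password, req.data))

class Authenticator:
    """Switch/AP port: relays EAP (EAPOL towards the supplicant, RADIUS towards the
    server) and opens the controlled port only on Access-Accept."""
    def __init__(self, server: AuthServer): self.server, self.port_authorized = server, False
    def authenticate(self, supplicant: Supplicant) -> bool:
        eap = Eap("Request", 1, "Identity")            # first frame after EAPOL-Start
        while eap.code == "Request":
            radius_code, eap = self.server.handle(supplicant.respond(eap))
        self.port_authorized = radius_code == "Access-Accept"
        return self.port_authorized
    def forward(self, frame: bytes) -> bool:
        return self.port_authorized                    # data frames dropped until authorized
```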
Extensible Authentication Protocol (EAP)
The Extensible Authentication Protocol (EAP) is a network authentication framework used in wireless and wired networks to provide secure and flexible authentication methods. It is defined by the Internet Engineering Task Force (IETF) and is widely implemented in various network protocols, including IEEE 802.1X, which is used for network access control.
EAP allows for the exchange of authentication messages between a client device (supplicant) and an authentication server. It supports multiple authentication methods, known as EAP methods, which can include passwords, digital certificates, token-based authentication, public key authentication, and more. The specific EAP method used depends on the network infrastructure and the authentication requirements.
The flexibility of EAP allows organizations to choose the most appropriate authentication method for their network environment. It enables strong authentication and helps prevent unauthorized access to the network. EAP is commonly used in wireless networks, such as Wi-Fi networks, to authenticate users and ensure secure communication between clients and access points.
One notable feature of EAP is its ability to support mutual authentication, where both the client and the server verify each other's identities. This ensures that both parties can trust each other before establishing a secure connection.
EAP is designed to be extensible, allowing for the development and integration of new authentication methods as security needs evolve. This flexibility makes EAP a widely adopted and standardized framework for network authentication in various environments, including enterprise networks, public hotspots, and telecommunications networks.
Some of the most common types of EAP are:
1- EAP-MD5: A simple and basic EAP method that uses a one-way hash function to verify a password. It does not provide mutual authentication, dynamic key generation, or encryption. It is not recommended for wireless networks due to its low security.
2- EAP-TLS: A certificate-based EAP method that provides mutual authentication, dynamic key generation, and encryption. It requires both the supplicant and the authentication server to have valid certificates. It is considered one of the most secure EAP methods.
3- EAP-PEAP: A tunneled EAP method that creates a secure channel between the supplicant and the authentication server using TLS. It then uses another EAP method (such as MSCHAPv2 or GTC) inside the tunnel to authenticate the supplicant. It only requires the authentication server to have a certificate, not the supplicant. It provides mutual authentication, dynamic key generation, and encryption.
4- EAP-TTLS: Another tunneled EAP method that creates a secure channel between the supplicant and the authentication server using TLS. It then uses another protocol (such as PAP, CHAP, or MSCHAP) inside the tunnel to authenticate the supplicant. It only requires the authentication server to have a certificate, not the supplicant. It provides mutual authentication, dynamic key generation, and encryption.
5- EAP-FAST: A tunneled EAP method that creates a secure channel between the supplicant and the authentication server using a pre-shared key (PSK) or a certificate. It then uses another EAP method (such as GTC or MSCHAPv2) inside the tunnel to authenticate the supplicant. It does not require certificates, but can use them optionally. It provides mutual authentication, dynamic key generation, and encryption.
6- Cisco LEAP: A proprietary EAP method developed by Cisco that uses MSCHAP to authenticate the supplicant. It does not provide mutual authentication, dynamic key generation, or encryption. It is vulnerable to dictionary attacks and is not recommended for wireless networks due to its low security.