802.1X Network Access Control

802.1X, colloquially called Dot1x, is a working group within the IEEE 802 project for local area network (LAN) standards. The focus of this working group is port-based authentication and authorization in 802-based networks.


Where and for what can I use the 802.1X standard?

The 802.1X standard is used in both classic wired and wireless networks. Its aim is to keep unwanted users and devices out of the network, which makes Dot1x a useful complement to network separation (segmentation).

802.1X not only regulates where and when intended users may access your network, but also whether unintended devices get any form of access at all.

For example: no access to the internal network, but access to the Internet or to a network filled with honeypots.

Authentication, authentication and authorization

Authentication, in its first sense, is proving one's own identity to a third party.

Authentication, in its second sense, is the verification of that proof of identity.

Authorization is the granting of rights based on the authentication result.

The core components of 802.1X

Authentication via 802.1X basically consists of three components:

  • The supplicant: a user or device that wants to authenticate in order to gain access to the network.
  • The authenticator: often a switch or a WLAN access controller (access point), which demands authentication from the supplicant.
  • The authentication server: the AAA server (e.g. RADIUS) that processes the authentication and tells the authenticator which measures to apply to the supplicant (e.g. assigning access control lists (ACLs) and VLANs).

Unfortunately, not every device is Dot1x-capable. Network printers, for example, are often left out and cannot be retrofitted with 802.1X support by free software projects.

To work around this, some authenticators offer a "MAC bypass" option (MAC authentication bypass, MAB): the affected device is authenticated by its MAC address alone. It must be pointed out, however, that this risks opening a door for an attacker using MAC spoofing.

Communication path from the supplicant to the switch to the authentication server.

The EAP Framework

EAP (Extensible Authentication Protocol) sits directly on the data link layer (layer 2) of the OSI model. In 802 networks you will also frequently encounter the abbreviations EAPoL and EAPoW (EAP over LAN and EAP over WLAN).

As a framework, EAP offers many different authentication methods that can be used on their own or flexibly combined with an authentication server: from classic username/password authentication (MD5 challenge) through OTP (one-time password) challenges, TLS and GSM/UMTS SIM cards, to certificates and Kerberos tickets.
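The EAPoL framing and the EAP packets inside it are simple enough to decode by hand. The following Python parser is an added example, not code from the original article: it checks the 802.1X ethertype (0x888E), reads the EAPOL header (version, type, length) and, for EAP-Packet frames, the EAP header (code, identifier, length) plus the method type byte that only Request and Response packets carry. The sample frames (supplicant and authenticator MAC addresses, the identity "alice@example.com", the identifier values) are constructed for the example; the PAE group address 01-80-C2-00-00-03 and the code and type numbers are those of 802.1X and RFC 3748.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN, as carried in 802.3/802.11 frames

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
               6: "GTC", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    method: Optional[str]  # only Request/Response carry a method type
    type_data: bytes


@dataclass
class EapolFrame:
    version: int
    kind: str
    eap: Optional[EapPacket]  # present only for EAP-Packet frames


def is_eapol(frame: bytes) -> bool:
    """True if the Ethernet frame carries the 802.1X ethertype."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def parse_eap(body: bytes) -> EapPacket:
    """Decode one EAP packet: code, identifier, length, then method type and data."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError(f"EAP length {length} inconsistent with {len(body)} bytes")
    payload = body[4:length]
    if code in (1, 2):
        if not payload:
            raise ValueError("Request/Response without a type byte")
        method = EAP_METHODS.get(payload[0], f"unknown({payload[0]})")
        return EapPacket(EAP_CODES[code], ident, method, payload[1:])
    if code in (3, 4):
        return EapPacket(EAP_CODES[code], ident, None, payload)
    raise ValueError(f"unknown EAP code {code}")


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode an Ethernet frame carrying EAPOL; reject anything else."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet and EAPOL headers")
    if not is_eapol(frame):
        raise ValueError("not an EAPOL frame")
    version, kind, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    if kind not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {kind}")
    eap = parse_eap(body) if kind == 0 else None
    return EapolFrame(version, EAPOL_TYPES[kind], eap)


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Helper to construct sample frames (EAPOL version 2 header)."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, eapol_type, len(body)) + body


# Constructed sample addresses and frames (not captured traffic)
PAE_GROUP = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
SUPPLICANT = bytes.fromhex("001122aabbcc")     # constructed
AUTHENTICATOR = bytes.fromhex("00aabb000001")  # constructed

EAPOL_START = build_eapol(PAE_GROUP, SUPPLICANT, 1)
REQUEST_IDENTITY = build_eapol(SUPPLICANT, AUTHENTICATOR, 0,
                               struct.pack("!BBHB", 1, 1, 5, 1))
IDENTITY = b"alice@example.com"
RESPONSE_IDENTITY = build_eapol(PAE_GROUP, SUPPLICANT, 0,
                                struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY)
EAP_SUCCESS = build_eapol(SUPPLICANT, AUTHENTICATOR, 0, struct.pack("!BBH", 3, 7, 4))
NOT_EAPOL = SUPPLICANT + AUTHENTICATOR + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    for f in (EAPOL_START, REQUEST_IDENTITY, RESPONSE_IDENTITY, EAP_SUCCESS):
        print(parse_eapol(f))
```

Note that the Identity response travels in clear text; that is why tunnelled methods such as PEAP send an anonymous outer identity and the real credentials only inside the TLS tunnel.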


No response from the supplicant and the "Fail" action that is taken.

Process of an 802.1X authentication

An authenticator's port status determines whether a supplicant is allowed to access services on the LAN. The port starts in the unauthorized state, in which it blocks all incoming and outgoing traffic except 802.1X (EAPoL) packets.

Once the supplicant has been authenticated successfully, the port changes to the authorized state and normal traffic is permitted for the new network participant, subject to the rules and measures that apply to it (e.g. the assigned VLAN and ACLs).
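The port behaviour just described, together with the "Fail" action for a supplicant that never answers, can be modelled as a small state machine. The Python below is an added example, not the article's own code or a vendor implementation: it keeps a port in the unauthorized state (forwarding only EAPoL frames) until an EAP-Success arrives, moves it into a quiet "held" period after an EAP-Failure, and after a configurable number of unanswered requests applies a fail action. The `fail_vlan` parameter, the `max_requests` value and the VLAN numbers are constructed for the example; a fail VLAN of the kind the article mentions (Internet-only or honeypot network) is one possible fail action, leaving the port blocked is the other.

```python
from enum import Enum, auto
from typing import List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E


class PortState(Enum):
    UNAUTHORIZED = auto()    # initial state: only EAPOL passes
    AUTHENTICATING = auto()  # EAP exchange with the authentication server in progress
    AUTHORIZED = auto()      # normal traffic, subject to assigned VLAN/ACL
    HELD = auto()            # quiet period after an EAP-Failure


class Event(Enum):
    EAPOL_START = auto()
    EAP_SUCCESS = auto()
    EAP_FAILURE = auto()
    EAPOL_LOGOFF = auto()
    TIMEOUT = auto()           # no response from the supplicant to a request
    QUIET_PERIOD_OVER = auto()


class AuthenticatorPort:
    """Port access controller of an authenticator (e.g. one switch port)."""

    def __init__(self, max_requests: int = 2, fail_vlan: Optional[int] = None):
        self.state = PortState.UNAUTHORIZED
        self.vlan: Optional[int] = None
        self.retries = 0
        self.max_requests = max_requests  # constructed: requests before giving up on a silent supplicant
        self.fail_vlan = fail_vlan        # constructed "Fail" action: restricted VLAN, or None to stay blocked
        self.log: List[str] = []

    def allows(self, ethertype: int) -> bool:
        """Forwarding decision for one frame arriving on the port."""
        if self.state is PortState.AUTHORIZED:
            return True
        return ethertype == ETHERTYPE_EAPOL

    def handle(self, event: Event, server_vlan: Optional[int] = None) -> PortState:
        """Advance the port state; server_vlan is what the AAA server assigned on success."""
        if self.state is PortState.HELD:
            # During the quiet period every event except its expiry is ignored.
            if event is Event.QUIET_PERIOD_OVER:
                self.state = PortState.UNAUTHORIZED
        elif event is Event.EAPOL_START:
            self.state, self.vlan, self.retries = PortState.AUTHENTICATING, None, 0
        elif event is Event.EAPOL_LOGOFF:
            self.state, self.vlan = PortState.UNAUTHORIZED, None
        elif self.state is PortState.AUTHENTICATING:
            if event is Event.EAP_SUCCESS:
                self.state, self.vlan = PortState.AUTHORIZED, server_vlan
            elif event is Event.EAP_FAILURE:
                self.state, self.vlan = PortState.HELD, None
            elif event is Event.TIMEOUT:
                self.retries += 1
                if self.retries > self.max_requests:
                    self._apply_fail_action()
        self.log.append(f"{event.name} -> {self.state.name} vlan={self.vlan}")
        return self.state

    def _apply_fail_action(self) -> None:
        """Supplicant never answered: either keep the port closed or park it in the fail VLAN."""
        if self.fail_vlan is None:
            self.state, self.vlan = PortState.UNAUTHORIZED, None
        else:
            self.state, self.vlan = PortState.AUTHORIZED, self.fail_vlan


def run_scenario(events: List[Tuple[Event, Optional[int]]], **kwargs) -> AuthenticatorPort:
    """Feed a sequence of (event, server_vlan) pairs into a fresh port."""
    port = AuthenticatorPort(**kwargs)
    for event, vlan in events:
        port.handle(event, vlan)
    return port


if __name__ == "__main__":
    ok = run_scenario([(Event.EAPOL_START, None), (Event.EAP_SUCCESS, 20)])
    silent = run_scenario([(Event.EAPOL_START, None)] + [(Event.TIMEOUT, None)] * 3, fail_vlan=999)
    for p in (ok, silent):
        print("\n".join(p.log), "\n")
```

The `allows()` check is the security-relevant part: until the server has said Success, an IPv4 frame (ethertype 0x0800) is dropped while EAPoL is still forwarded, so a device cannot simply start talking on an unauthorized port.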

A successful login with EAP/PEAP and the authorization of the port.