802.1X Offers Authentication and Key Management

By Jim Geier

May 07, 2002

WEP doesn't cut it for serious security. To get true authentication and user control, turning to 80.2.1x is the answer. Here's a step-by-step look at how it works.

With 802.11's optional WEP (Wired Equivalent Privacy), all access points and client radio NICs on a particular wireless LAN must use the same encryption key. Each sending station encrypts the body of each frame with a WEP key before transmission, and the receiving station decrypts it using an identical key upon reception. This process reduces the risk of someone passively monitoring the transmission and gaining access to the information that the frames are carrying.

A major underlying problem with the existing 802.11 standard is that the keys are cumbersome to change. If you don't update the WEP keys often, an unauthorized person with a sniffing tool, such as AirSnort or WEPcrack, can monitor your network for less than a day and decode the encrypted messages. In order to use different keys, you must manually configure each access point and radio NIC with new common keys.

Products based on the 802.11 standard alone offer system administrators no effective method to update the keys. This might not be too much of concern with a few users, but the job of renewing keys on larger networks can be a monumental task. As a result, companies either don't use WEP at all or maintain the same keys for weeks, months, and even years. Both cases significantly heightens the wireless LAN's vulnerability to eavesdroppers.

802.1X in action

The use of IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284.

Initial 802.1X communications begins with an unauthenticated supplicant (i.e., client device) attempting to connect with an authenticator (i.e., 802.11 access point). The access point responds by enabling a port for passing only EAP packets from the client to an authentication server located on the wired side of the access point. The access point blocks all other traffic, such as HTTP, DHCP, and POP3 packets, until the access point can verify the client's identity using an authentication server (e.g., RADIUS). Once authenticated, the access point opens the client's port for other types of traffic.

To get a better idea of how 802.1X operates, the following are specific interactions that take place among the various 802.1X elements:

1.      The client sends an EAP-start message. This begins a series of message exchanges to authenticate the client; think of this as a group of visitors entering the front gate of a theme park and the group's leader (i.e., client) asking the gatekeeper (i.e., access point) whether they can enter.

2.      The access point replies with an EAP-request identity message. In the case of the theme park, the gatekeeper will ask the leader for their name and drivers license.

3.      The client sends an EAP-response packet containing the identity to the authentication server. The leader in our example will provide their name and drivers license, and the gatekeeper forwards this information to the group tour manager (i.e., authentication server) who determines whether the group has rights to enter the park.

4.      The authentication server uses a specific authentication algorithm to verify the client's identity. This could be through the use of digital certificates or other EAP authentication type. In the case of our example, this process simply involves verifying the validity of the leader's drivers' license and ensuring that the picture on the license matches the leader. In our example, we'll assume the leader is authorized.

5.      The authentication server will either send an accept or reject message to the access point. So the group tour manager at the theme park tells the gatekeeper to let the group enter.

6.      The access point sends an EAP-success packet (or reject packet) to the client. The gatekeeper informs the leader that the group can enter the park. Of course the gatekeeper would not let the group in if the group tour manager had rejected the group's admittance.

7.      If the authentication server accepts the client, then the access point will transition the client's port to an authorized state and forward additional traffic. This is similar to the gatekeeper automatically opening the gate to let in only people belonging to the group cleared for entry.

The basic 802.1X protocol provides effective authentication regardless of whether you implement 802.11 WEP keys or no encryption at all. Most of major wireless LAN vendors, however, are offering proprietary versions of dynamic key management using 802.1X as a delivery mechanism. If configured to implement dynamic key exchange, the 802.1X authentication server can return session keys to the access point along with the accept message. The access point uses the session keys to build, sign and encrypt an EAP key message that is sent to the client immediately after sending the success message. The client can then use contents of the key message to define applicable encryption keys. In typical 802.1X implementations, the client can automatically change encryption keys as often as necessary to minimize the possibility of eavesdroppers having enough time to crack the key in current use.

802.1X not the whole solution

It's important to note that 802.1X doesn't provide the actual authentication mechanisms. When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), which defines how the authentication takes place. There are many EAP types, so we'll leave details on EAP types to a future tutorial.

The important part to know at this point is that the software supporting the specific EAP type resides on the authentication server and within the operating system or application software on the client devices. The access point acts as a "pass through" for 802.1X messages, which means that you can specify any EAP type without needing to upgrade an 802.1X-compliant access point. As a result, you can update the EAP authentication type as newer types become available and your requirements for security change.

802.1X is the way to go

The use of 802.1X is well on its way to becoming an industry standard, and you would be wise to include it as the basis for your wireless LAN security solution. Windows XP implements 802.1X natively, and some vendors support 802.1X in their 802.11 access points. Wireless LAN implementations of 802.1X fall outside the scope of the 802.11 standard; however, the 802.11i committee is specifying the use of 802.1X to eventually become part of the 802.11 standard.

To download the 802.1X standard, go to http://www.ieee802.org/1/pages/802.1x.html.

Jim Geier provides independent consulting services to companies developing and deploying wireless network solutions. He is the author of the book, Wireless LANs (2nd Edition), and regularly instructs workshops on wireless LANs.

Originally published on .

Comment and Contribute
(Maximum characters: 1200). You have
characters left.