802.1X Port Access Control for WLANs - Page 2
September 05, 2003
Knock, Knock, Who's There?
Throughout most of the 802.1X exchange, the switch or access point ("the authenticator") is just a middle man, relaying EAP messages between the station ("the supplicant") and a RADIUS server ("the authentication server"). For example, the station is asked to supply its identity, which the authenticator relays inside a RADIUS Access-Request. Based on the station's identity, the RADIUS server issues a RADIUS Access-Challenge, the content of which the authenticator relays to the station. And so on, until the RADIUS server makes a decision to accept or reject the access request.
This 802.1X framework consolidates decision-making at the RADIUS server, so that ACLs no longer have to be individually configured into every switch or access point. It also allows stations to identify themselves with credentials other than MAC address. For example, the station's identity can be a Windows login, followed by a CHAP challenge/response to verify the station's password. Or the station's identity can be an X.500 Distinguished Name, bound to a digital certificate verified via public/private key cryptography. As we shall see, supporting a wide variety of authentication schemes proves to be both an asset and a challenge for 802.1X deployment.
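As an added illustration of the relay described above (example code written for this page, not from the article or any vendor), here is a small Python model of the exchange: the authenticator only forwards EAP between the station and the RADIUS server and opens the port on EAP Success, while the server holds the credentials and makes the decision. EAP-MD5 (a CHAP-style challenge/response) stands in for the password method; the user database, names and dictionary message format are assumptions.

```python
import hashlib
import os
# Constructed credential store: held only by the RADIUS server, never by the AP.
USERS = {"alice": b"correct-horse"}

def eap_md5_digest(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 type 4) response value: MD5(Identifier | password | challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

class Supplicant:
    """Station: it only answers the EAP Requests the authenticator hands it."""
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def respond(self, req: dict) -> dict:
        if req["type"] == "Identity":
            return {"code": "Response", "id": req["id"], "type": "Identity", "data": self.identity}
        if req["type"] == "MD5-Challenge":
            return {"code": "Response", "id": req["id"], "type": "MD5-Challenge",
                    "data": eap_md5_digest(req["id"], self.password, req["data"])}
        raise ValueError("unsupported EAP type")

class AuthServer:
    """RADIUS server: holds credentials and makes the accept/reject decision."""
    def __init__(self, users: dict):
        self.users, self.sessions = users, {}

    def handle(self, port: str, resp: dict) -> dict:
        if resp["type"] == "Identity":
            # Note who claims to be on this port, then issue a CHAP-style challenge.
            chal = os.urandom(16)
            self.sessions[port] = (resp["data"], resp["id"] + 1, chal)
            return {"code": "Request", "id": resp["id"] + 1, "type": "MD5-Challenge", "data": chal}
        identity, eap_id, chal = self.sessions.pop(port)
        pw = self.users.get(identity)
        ok = pw is not None and resp["id"] == eap_id and resp["data"] == eap_md5_digest(eap_id, pw, chal)
        return {"code": "Success" if ok else "Failure", "id": eap_id}

class Authenticator:
    """Access point: relays EAP both ways and opens the port only on EAP Success."""
    def __init__(self, server: AuthServer):
        self.server, self.authorized = server, {}

    def run_8021x(self, port: str, sta: Supplicant) -> bool:
        msg = {"code": "Request", "id": 1, "type": "Identity"}  # EAP-Request/Identity
        while msg["code"] == "Request":
            resp = sta.respond(msg)               # EAPOL frame to the station
            msg = self.server.handle(port, resp)  # carried in a RADIUS Access-Request
        self.authorized[port] = msg["code"] == "Success"
        return self.authorized[port]
```

Note that the access point never sees the password: it learns only the final Success or Failure, which is exactly why the credential store can live on the RADIUS server alone.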
One More Thing: Here's Your Key
In WLANs, an additional step follows EAP Success: an EAPOW Key exchange. This provides the access point and station with secret session keys to be used by Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) to encrypt traffic sent over the WLAN.
The original 802.1X standard used a single EAPOW Key message for this purpose, but the new improved 802.1X (called 802.1aa) uses a four-way handshake to prevent man-in-the-middle attacks that might otherwise compromise these keys. After both ends of the wireless association -- the station and the access point -- have session keys, data sent over the air can be encrypted to prevent eavesdropping.
In fact, this relationship between 802.1X and data encryption turns out to be just as important to WLAN security as controlling access and authenticating stations. Exchanging session keys with 802.1X is much more resistant to WEP key cracking than using static, manually-configured shared WEP keys. The desire to use dynamic, automatically-generated per-session keys is a significant driver promoting 802.1X deployment, particularly in larger WLANs where managing static WEP keys is difficult anyway.
Drilling Down Into EAP
At this point, you should have a pretty good idea about where 802.1X fits into your network and what happens when a station tries to access a LAN using 802.1X. Deploying 802.1X port access control requires support on all three devices involved in this exchange: supplicant software on stations, authenticator support in access point firmware, and an 802.1X-compatible authentication server.
As you might guess, all three devices must support the same versions of 802.1X and the same authentication methods, and that's where 802.1X deployment gets tricky. In particular, you'll need to find products that support one or more EAP types -- the variations of EAP that support different kinds of authentication.
In part two of this primer, we'll drill down into available EAP types and learn how to choose compatible products to deploy 802.1X in your LAN.