802.1X Port Access Control for WLANs
September 05, 2003
The essential ingredient to keeping out the Wi-Fi riff-raff is denying them physical access (and permitting access to authorized users). That's where port access control comes in.
Securing any kind of network involves allowing authorized parties to access traffic and networked resources (e.g., servers, hosts) while blocking outsiders. One essential ingredient in this recipe: permitting or denying physical attachment to the underlying communications medium.
In Ethernet LANs, this has long been accomplished by disabling unused RJ-45 jacks and latching Media Access Control (MAC) addresses.
Fortunately, there is a better answer: the LAN Port Access Control framework defined by the IEEE in 802.1X.
Why LAN Port Access?
MAC forgery is possible on wired and wireless LANs (WLANs), but the risk is greater on wireless. In a wired Ethernet, intruders can't easily learn valid MAC addresses. An unsupervised visitor might look at a PC's cable tag, plug his own laptop into the jack used by that PC, and reconfigure his NIC to impersonate the PC and gain access. But to pull this off, the intruder needs physical access to the facility and communications medium.
In a WLAN, eavesdroppers within several hundred feet of an access point can use freeware sniffers to capture traffic. Even when data is encrypted for privacy, eavesdroppers can record MAC addresses from frame headers. A patient intruder can wait until later to reconfigure his NIC to impersonate a legitimate wireless station. An impatient intruder can reconfigure his NIC right away, send a disassociate request to kick the legitimate station off the air, then immediately reassociate with the access point. Such attacks don't require insider access to your facility -- intruders can be located in nearby parking lots, public hallways, stairways, bathrooms, or adjacent offices.
More robust access control can benefit both wired and WLANs. Many companies also control access at the enterprise firewall or VPN gateway -- for example, permitting packets from known source IPs or prompting user login before permitting sessions through the firewall/gateway. Higher-layer controls are indeed very useful, but insufficient when used alone. For example:
- If your DHCP server hands out IPs to any requesting station, a WLAN intruder doesn't need to do anything extra to pass through an IP-based firewall filter.
- If you assign static IPs, a WLAN intruder can sniff traffic to learn a valid IP -- or systematically guess addresses, starting with common private subnets like 192.168.0.0.
- If users are prompted for login/password without encryption, a WLAN intruder can sniff that exchange and use dictionary attack tools to obtain the user's password from a captured password hash.
- Intruders can do damage without penetrating the firewall/gateway by launching attacks on access points, switches, and peer stations, attempting to break into those systems to steal stored data, or simply flooding the LAN with bogus traffic.
Combining LAN access control with higher-layer controls can mitigate these kinds of threats. If an intruder can't send data through a LAN port, he can't request an IP address from DHCP or systematically guess IPs. If he can't receive data from an Ethernet port, he can't sniff peer traffic or hashed passwords. Unfortunately, one can't stop intruders from receiving or sending traffic over the air. However, port access control can stop intruders from sending traffic through the access point into adjacent networks.
How 802.1X Works
Think of 802.1X as an ON/OFF gate inside Ethernet switches and wireless access points. This gate starts in the OFF position, handling only 802.1X requests until a decision is made to grant the station access. At that point, the gate is thrown into the ON position so that all LAN traffic can be relayed between the station and the upstream network. Eventually, the station times out or disconnects, throwing the gate back into the OFF position.
802.1X defines a management protocol that stations use to request LAN port access. It uses the Extensible Authentication Protocol (EAP) originally defined for dial-up, but here sent over Ethernet LANs (EAPOL) or over wireless (EAPOW). The station must first physically connect to the communications medium -- an Ethernet NIC plugs into a jack; a wireless NIC associates with an access point. The station then sends an "EAP Start" message. This kicks off a flurry of management messages that ends with "EAP Success" or "EAP Failure" (see Figure 1).
So far, 802.1X sounds pretty simple, but here's where the real work happens. EAP is an envelope that can carry many different kinds of authentication -- challenge/response, one time passwords, SecurID tokens, digital certificates, etc. What happens between "EAP Start" and "EAP Success" depends upon the type of authentication being used.
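How the ON/OFF gate and the EAP exchange fit together is easier to see in code. The following Python model is an added example, not code from the article or from any real 802.1X implementation: an authenticator port that starts OFF, relays only EAPOL frames (Ethertype 0x888E) until the flurry of messages ends in EAP Success, and drops back to OFF on EAPOL-Logoff. The frame layouts and code values follow IEEE 802.1X and RFC 3748; the credential dictionary and the EAP-MD5 challenge/response method are assumptions standing in for whatever back-end and EAP type a real deployment uses.

```python
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E   # Ethertype carrying EAPOL frames
ETHERTYPE_IPV4 = 0x0800    # any ordinary data frame, used to probe the gate
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def build_eapol(ptype, body=b""):
    """EAPOL header: version(1) type(1) length(2), then the body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def build_eap(code, ident, etype=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) type-data]."""
    payload = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    return code, ident, (body[0] if body else None), body[1:]


def md5_response(ident, secret, challenge):
    """CHAP-style value MD5(id || secret || challenge), as EAP-MD5 uses."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class AuthenticatorPort:
    """The ON/OFF gate in a switch port or access point."""

    def __init__(self, credentials):
        self.credentials = credentials  # identity -> secret; constructed stand-in for a RADIUS lookup
        self.authorized = False         # gate starts OFF
        self.ident = 0                  # id of the outstanding EAP request
        self.pending = None             # (identity, challenge) awaiting an MD5 response
        self.forwarded = []             # data frames relayed upstream

    def receive(self, ethertype, payload):
        """Return an EAPOL reply (bytes), 'FORWARDED', 'DROPPED' or None."""
        if ethertype != ETHERTYPE_EAPOL:        # ordinary traffic: only the open gate relays it
            if self.authorized:
                self.forwarded.append(payload)
                return "FORWARDED"
            return "DROPPED"
        ptype, body = parse_eapol(payload)
        if ptype == EAPOL_START:                # station asks for access: begin with Request/Identity
            self.pending, self.ident = None, self.ident + 1
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY))
        if ptype == EAPOL_LOGOFF:               # station leaves: gate back to OFF
            self.authorized, self.pending = False, None
            return None
        if ptype != EAPOL_EAP_PACKET:
            return None
        code, ident, etype, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.ident:
            return None                         # stale or out-of-order reply is ignored
        if etype == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.pending = (data.decode("utf-8", "replace"), challenge)  # challenge every identity, known or not
            self.ident += 1
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, self.ident, EAP_TYPE_MD5,
                                                           bytes([len(challenge)]) + challenge))
        if etype == EAP_TYPE_MD5 and self.pending and data:
            identity, challenge = self.pending
            self.pending = None
            secret = self.credentials.get(identity)
            ok = secret is not None and hmac.compare_digest(
                data[1:1 + data[0]], md5_response(ident, secret, challenge))
            self.authorized = ok                # the decision that throws the gate ON or leaves it OFF
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))
        return None


class Supplicant:
    """The station's side of the exchange."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def start(self):
        return build_eapol(EAPOL_START)

    def respond(self, frame):
        """Answer an EAP request; None once Success or Failure arrives."""
        ptype, body = parse_eapol(frame)
        if ptype != EAPOL_EAP_PACKET:
            return None
        code, ident, etype, data = parse_eap(body)
        if code != EAP_REQUEST:
            return None
        if etype == EAP_TYPE_IDENTITY:
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY,
                                                           self.identity.encode()))
        if etype == EAP_TYPE_MD5:
            value = md5_response(ident, self.secret, data[1:1 + data[0]])
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, ident, EAP_TYPE_MD5,
                                                           bytes([len(value)]) + value))
        return None


def run_exchange(port, supplicant):
    """Drive EAPOL-Start through EAP-Success/Failure; return the final EAP code."""
    frame, last_code = port.receive(ETHERTYPE_EAPOL, supplicant.start()), None
    while isinstance(frame, bytes):
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_EAP_PACKET:
            last_code = parse_eap(body)[0]
        reply = supplicant.respond(frame)
        if reply is None:
            break
        frame = port.receive(ETHERTYPE_EAPOL, reply)
    return last_code
```

With a constructed credential such as `AuthenticatorPort({"alice": b"s3cret"})`, a DHCP frame sent before `run_exchange` comes back `DROPPED`, the same frame after EAP Success is `FORWARDED`, and an EAPOL-Logoff closes the gate again. EAP-MD5 appears here only because it is the simplest instance of the challenge/response methods the article mentions: it derives no session keys, and a sniffed challenge/response pair can be attacked offline with a dictionary, the same exposure described above for unencrypted logins, so it is not a method to deploy on a WLAN. Note also that the port challenges every identity, known or not, so a failed attempt reveals nothing about which usernames exist.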