IEEE 802.1X


IEEE 802.1X Port-based Network Access Control (PNAC) is a standard that encapsulates Extensible Authentication Protocol (EAP) messages over a LAN (EAPoL) or wireless LAN (EAPoW) so that a switch or access point can authenticate a host before opening its port to general traffic.

  • aka port-based NAC and enterprise authentication
  • allows a switch to require authentication when a host connects to one of its ports
  • uses AAA architecture
    • supplicant is the device requesting access
    • authenticator is the switching device (or network access appliance)
      • does not validate authentication requests directly
      • acts as conduit for authentication data
    • authentication server
      • server that holds or can contact a directory of network objects and that can:
        • validate authentication requests
        • issue authorizations
        • and perform accounting of security events
  • implemented by two protocols:
    • Extensible Authentication Protocol (EAP)
      • a framework that allows different authentication methods against the network directory
        • e.g., a client certificate (EAP-TLS), or a password carried inside a TLS tunnel (PEAP, EAP-TTLS), optionally combined with MFA
      • used when a device connects to an Ethernet switch port, wireless access point, or VPN gateway
    • a AAA protocol, such as Remote Authentication Dial-In User Service (RADIUS)
      • allows the authenticator and authentication server to communicate authentication and authorization decisions
      • authenticator is a RADIUS client
      • authentication server is a RADIUS server
  • on a wireless network, enabled by selecting WPA2-Enterprise or WPA3-Enterprise as the security method on the access point; on a wired switch, enabled per port, with the switch pointed at the RADIUS server

How it Works

How it Works - General Workflow

Enterprise authentication uses the following general workflow:

  1. When a wireless station (a supplicant) requests an association, the AP enables the channel for EAPoW traffic only.
  2. The AP passes the credentials submitted by the supplicant to an Authentication, Authorization, and Accounting (AAA) server on the wired network for validation.
     • The AAA server (not the access point) determines whether to accept the credential.
  3. When the EAP method completes successfully, the supplicant and the AAA server have each derived the same master key (MK) from the EAP exchange (e.g., from the TLS master secret in EAP-TLS); the key itself is never sent over the air.
     • The wireless station and authentication server then derive the same pairwise master key (PMK) from the MK.
  4. The AAA server transmits the PMK to the access point (over RADIUS, protected by the shared secret).
     • The wireless station and access point use the PMK to derive per-session keys with the 4-way handshake. This is the same in WPA2-Enterprise and WPA3-Enterprise; SAE replaces the pre-shared key only in WPA3-Personal.
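The last step of the workflow, worked through in code as an added example (this is not part of the original notes): both sides take the PMK (the first 256 bits of the EAP master session key), expand it with the IEEE 802.11 PRF into the pairwise transient key (KCK, KEK, TK), and the AP checks the MIC on handshake message 2 to confirm the station holds the same PMK. The MSK, MAC addresses, nonces and RSN element are constructed sample values.

```python
"""Added example (not part of the original notes): how the PMK that the AAA
server handed to the access point becomes per-session keys via the WPA2
4-way handshake (IEEE 802.11i, CCMP).  The MSK, MAC addresses, nonces and
RSN element below are constructed sample values."""
import hashlib
import hmac

# EAPOL hdr(4)+desc(1)+info(2)+len(2)+replay(8)+nonce(32)+IV(16)+RSC(8)+rsvd(8)
MIC_OFFSET = 81


def pmk_from_msk(msk: bytes) -> bytes:
    """With 802.1X the PMK is the first 256 bits of the EAP Master Session Key
    that the EAP method produced on both supplicant and authentication server."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 32 bytes")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP = KCK(16) || KEK(16) || TK(16).  min/max ordering of the
    addresses and nonces lets both sides compute the same value."""
    if len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("bad input length")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC, descriptor version 2 (HMAC-SHA1-128), over the frame with the
    16-byte MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes, key_data: bytes, replay: int = 1) -> bytes:
    """Handshake message 2 (supplicant -> AP): SNonce plus the supplicant's RSNE,
    authenticated with the KCK so the AP learns the station holds the same PMK."""
    body = (b"\x02"                                   # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")              # key info: version 2, pairwise, MIC bit
            + (16).to_bytes(2, "big")                  # key length (CCMP TK)
            + replay.to_bytes(8, "big")
            + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # EAPOL-Key IV, key RSC, reserved
            + b"\x00" * 16                             # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 = Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def run_example() -> dict:
    msk = hashlib.sha512(b"constructed MSK from EAP method").digest()  # 64 bytes, constructed
    pmk = pmk_from_msk(msk)
    aa = bytes.fromhex("001122334455")   # AP MAC (constructed)
    spa = bytes.fromhex("66778899aabb")  # station MAC (constructed)
    anonce = hashlib.sha256(b"anonce").digest()
    snonce = hashlib.sha256(b"snonce").digest()
    sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    ap = derive_ptk(pmk, spa, aa, snonce, anonce)   # argument order must not matter
    # Constructed RSNE: CCMP group and pairwise cipher, AKM 00-0F-AC:1 (802.1X)
    rsne = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
    msg2 = build_msg2(snonce, sta["kck"], rsne)
    got = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    mic_ok = hmac.compare_digest(eapol_key_mic(ap["kck"], msg2), got)
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 0x01])  # flip one bit of key data in flight
    tampered_ok = hmac.compare_digest(eapol_key_mic(ap["kck"], tampered),
                                      tampered[MIC_OFFSET:MIC_OFFSET + 16])
    wrong = derive_ptk(pmk_from_msk(hashlib.sha512(b"other MSK").digest()), aa, spa, anonce, snonce)
    wrong_pmk_ok = hmac.compare_digest(eapol_key_mic(wrong["kck"], msg2), got)
    return {"ptk_match": sta == ap, "mic_ok": mic_ok, "tampered_ok": tampered_ok,
            "wrong_pmk_ok": wrong_pmk_ok, "tk_len": len(sta["tk"])}


if __name__ == "__main__":
    print(run_example())
```

The point a practitioner should take from this: the PMK never crosses the air; only nonces and MICs do, and a station that did not finish EAP (wrong PMK) or a frame altered on the path fails the MIC check on the AP.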

Detailed

  • When a host connects to an 802.1X-enabled switch port
    • the switch opens the port for the EAP over LAN (EAPoL) protocol only
      • all other traffic is dropped until the host is authenticated
    • the switch receives EAPoL frames carrying the supplicant's EAP messages and credentials
      • the credentials are protected by the EAP method (e.g., inside a TLS tunnel in EAP-TLS, PEAP or EAP-TTLS), so the switch relays them without being able to read them
    • the switch wraps each EAP packet in a RADIUS Access-Request (EAP-Message attribute) and sends it to the authentication server; server replies (Access-Challenge) are unwrapped and passed back to the supplicant
    • the authentication server can access the directory of user accounts and validates the credential
    • if authentication is successful,
      • the server returns an Access-Accept, and the switch moves the port to the authorized state and grants full network access (the Accept can also carry a VLAN or ACL assignment for that port)

RADIUS

  • if the AAA protocol is RADIUS
    • the switch is configured as a RADIUS client by
      • specifying the IP address or host name of the RADIUS server
      • setting a shared secret (long, random, and ideally one per client; the same secret on every switch means one compromised switch exposes them all)
    • the RADIUS server
      • is positioned in a secure zone within the private network
      • stores or obtains account details
      • can validate authentication credentials
        • the switch does not have to store authentication credentials
        • the switch forwards authentication data between the server and the supplicant device
      • uses the shared secret to authenticate RADIUS messages exchanged with its clients (Message-Authenticator HMAC and Response Authenticator) and to obfuscate any User-Password attribute
        • RADIUS itself does not encrypt the rest of the packet; use RadSec (RADIUS over TLS) or IPsec where it crosses an untrusted network
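The switch-to-server leg from the Detailed section and the shared-secret check described just above, as an added example that is not part of the original notes: the authenticator wraps the supplicant's EAP Response/Identity in a RADIUS Access-Request bound to the secret with a Message-Authenticator (RFC 3579), the server verifies it and answers with an Access-Accept whose Response Authenticator (RFC 2865) and Message-Authenticator the switch checks before trusting the verdict. The shared secret, identity and packet identifiers are constructed sample values; the EAP method round trips (Access-Challenge) and the MS-MPPE key attributes that would carry the PMK are omitted.

```python
"""Added example (not part of the original notes): EAP relayed inside RADIUS,
with both directions authenticated by the shared secret.  Secret, identity
and identifiers are constructed; EAP method challenges and MS-MPPE keys omitted."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 79, 80


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP packet: code 2 (Response), identifier, length, type 1 (Identity)."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def encode_attrs(attrs) -> bytes:
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(body: bytes) -> list:
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(secret: bytes, packet: bytes, request_auth: bytes = None) -> bytes:
    """RFC 3579 3.2: HMAC-MD5 over the packet with the Message-Authenticator value
    zeroed; for a response the Request Authenticator sits in the authenticator field."""
    hdr, body, out, i = packet[:20], packet[20:], b"", 0
    while i < len(body):
        chunk = body[i:i + body[i + 1]]
        out += (chunk[:2] + b"\x00" * 16) if chunk[0] == ATTR_MSG_AUTH else chunk
        i += body[i + 1]
    if request_auth is not None:
        hdr = hdr[:4] + request_auth
    return hmac.new(secret, hdr + out, hashlib.md5).digest()


def client_access_request(secret: bytes, ident: int, eap_pkt: bytes, username: bytes):
    """Authenticator (RADIUS client) side: relay the EAP packet unchanged."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username), (ATTR_EAP_MESSAGE, eap_pkt), (ATTR_MSG_AUTH, b"\x00" * 16)]
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    attrs[-1] = (ATTR_MSG_AUTH, message_authenticator(secret, pkt))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_verify_request(secret: bytes, pkt: bytes) -> bool:
    """Authentication server side: drop a request whose MAC does not match the secret."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    mas = [v for t, v in decode_attrs(pkt[20:]) if t == ATTR_MSG_AUTH]
    return len(mas) == 1 and hmac.compare_digest(mas[0], message_authenticator(secret, pkt))


def server_access_accept(secret: bytes, request: bytes) -> bytes:
    """Verdict to the authenticator: EAP-Success + Message-Authenticator, then the
    Response Authenticator = MD5(header || RequestAuth || attributes || secret)."""
    ident, request_auth = request[1], request[4:20]
    eap_id = [v for t, v in decode_attrs(request[20:]) if t == ATTR_EAP_MESSAGE][0][1]
    attrs = [(ATTR_EAP_MESSAGE, struct.pack("!BBH", 3, eap_id, 4)), (ATTR_MSG_AUTH, b"\x00" * 16)]
    draft = build_packet(ACCESS_ACCEPT, ident, request_auth, attrs)
    attrs[-1] = (ATTR_MSG_AUTH, message_authenticator(secret, draft, request_auth))
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_auth + body + secret).digest() + body


def client_verify_response(secret: bytes, resp: bytes, request_auth: bytes) -> bool:
    """The switch must check both authenticators before opening the port; otherwise
    anyone on the path could inject an Access-Accept."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return False
    mas = [v for t, v in decode_attrs(resp[20:]) if t == ATTR_MSG_AUTH]
    return len(mas) == 1 and hmac.compare_digest(mas[0], message_authenticator(secret, resp, request_auth))


def run_example() -> dict:
    secret = b"constructed-shared-secret"
    eap = eap_response_identity(1, b"alice@example.com")   # from the supplicant (constructed)
    req, ra = client_access_request(secret, 7, eap, b"alice@example.com")
    relayed = [v for t, v in decode_attrs(req[20:]) if t == ATTR_EAP_MESSAGE][0]
    resp = server_access_accept(secret, req)
    forged = server_access_accept(b"wrong-secret", req)      # attacker without the secret
    return {"eap_relayed_unchanged": relayed == eap,
            "request_ok": server_verify_request(secret, req),
            "request_ok_wrong_secret": server_verify_request(b"wrong-secret", req),
            "response_ok": client_verify_response(secret, resp, ra),
            "forged_response_ok": client_verify_response(secret, forged, ra)}


if __name__ == "__main__":
    print(run_example())
```

Note that the EAP payload passes through the switch byte-for-byte; the secret only binds the RADIUS envelope, which is why a weak or widely shared secret, or RADIUS on an untrusted path, is the weak point rather than the EAP method itself.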