Introduction to 802.1X
The 802.1x standard is a security solution ratified by the IEEE in June 2001 which can authenticate (identify) a user who wants to access a network (whether wired or wireless). This is done through the use of an authentication server.
802.1x is based on the EAP protocol (Extensible Authentication Protocol), as defined by the IETF. This protocol is used for transporting user identification information.
The EAP protocol is centred around an access controller called the authenticator, which either grants or denies a user access to the network. The user in this system is called the supplicant. The access controller is a basic firewall that acts as an intermediary between the user and an authentication server, and it requires very few resources to function. On a wireless network, the access point acts as the authenticator.
The authentication server (sometimes called the NAS, for Network Authentication Service or Network Access Service) can approve the user's identity as transmitted by the access controller, and then grant the user access according to his or her credentials. What's more, this type of server can store and keep track of information related to the users. In the case of a service provider, for example, these features allow the server to bill users based on how long they were connected or how much data they transferred.
The authentication server is most commonly a RADIUS server (Remote Authentication Dial-In User Service), a standard authentication server defined by RFCs 2865 and 2866, but any other authentication service may be used instead.
The following is a summary of how a secure network using the 802.1x standard works:
- The access controller, having previously received a connection request from the user, sends an identification request;
- The user sends a response to the access controller, which routes the response to the authentication server;
- The authentication server sends a "challenge" to the access controller, which transmits it to the user. The challenge is a method of establishing identification. If the client cannot evaluate the challenge, the server tries another one, and so on;
- The user responds to the challenge. If the user's identity is correct, the authentication server sends approval to the access controller, which allows the user onto the network or part of the network, depending on the rights granted. If the user's identity could not be verified, the authentication server sends a refusal message, and the access controller denies the user access to the network.
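The four steps above, as an added example that is not part of the original article: a Python simulation in which the authentication server first offers a made-up method (type 99), the supplicant answers that it cannot evaluate it (an EAP NAK), and the server falls back to EAP-MD5 (RFC 3748 type 4). The EAP packet layout and the type codes come from RFC 3748; the peers, the user/secret table and the authenticator relay loop are constructed assumptions.

```python
import hashlib, os, struct

# EAP codes/types from RFC 3748; type 99 is made up, and the peers below are a constructed simulation.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, MD5_CHALLENGE, UNSUPPORTED = 1, 3, 4, 99

def eap_pack(code, ident, typ=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data], network byte order."""
    body = b"" if typ is None else bytes([typ]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body
def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, (pkt[4] if len(pkt) > 4 else None), pkt[5:]
def md5_response(ident, secret, challenge):
    """EAP-MD5 value, CHAP style: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Supplicant:
    def __init__(self, identity, secret, methods):
        self.identity, self.secret, self.methods = identity, secret, methods
    def reply(self, pkt):
        _, ident, typ, data = eap_unpack(pkt)
        if typ == IDENTITY:
            return eap_pack(RESPONSE, ident, IDENTITY, self.identity.encode())
        if typ not in self.methods:  # cannot evaluate this challenge: send a NAK
            return eap_pack(RESPONSE, ident, NAK, bytes(self.methods))
        value = md5_response(ident, self.secret, data[1:1 + data[0]])  # Value-Size, Value
        return eap_pack(RESPONSE, ident, MD5_CHALLENGE, bytes([16]) + value)

class AuthServer:  # stands in for the RADIUS server; users maps identity -> shared secret
    def __init__(self, users, methods):
        self.users, self.methods = users, list(methods)
        self.identity, self.challenge = "", b""
    def handle(self, pkt):
        _, ident, typ, data = eap_unpack(pkt)
        if typ == IDENTITY:
            self.identity = data.decode()
        elif typ == MD5_CHALLENGE:
            expected = md5_response(ident, self.users.get(self.identity, b""), self.challenge)
            return eap_pack(SUCCESS if data[1:17] == expected else FAILURE, ident)
        if typ not in (IDENTITY, NAK) or not self.methods:  # nothing left to try
            return eap_pack(FAILURE, ident)
        self.challenge = os.urandom(16)
        return eap_pack(REQUEST, ident + 1, self.methods.pop(0), bytes([16]) + self.challenge)

def authenticate(supplicant, server):  # the authenticator: relays EAP, opens the port only on Success
    pkt = eap_pack(REQUEST, 0, IDENTITY)  # the authenticator's own identification request
    while eap_unpack(pkt)[0] == REQUEST:
        pkt = server.handle(supplicant.reply(pkt))
    return eap_unpack(pkt)[0] == SUCCESS
```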
Encryption key exchange
Besides authenticating users, the 802.1x standard provides users with a secure way to exchange encryption keys, in order to improve overall security.