Securing a Local Network Infrastructure Using IEEE 802.1x
The 802 LAN/MAN Standards Committee of the Institute of Electrical and Electronics Engineers (IEEE) develops standards for Local Area Networks (LAN) and Metropolitan Area Networks (MAN), collectively known as the IEEE 802 protocol suite. The most widely used standards are those of the Ethernet suite (IEEE 802.3), Token Ring (802.5) and the 802.11 series standards for wireless LANs (WLAN).
To secure access to such networks, a subgroup of the 802 committee is working on a standard labelled IEEE 802.1x [IEE01], which aims to restrict access to LAN services to those users or devices with proper authorization. The standard is designed to be usable with the various technologies of the 802 series.
The basic characteristic of the standard is port-based access control, which is used to perform authentication and authorisation of devices connected to LAN ports. A LAN port is a logical access point with point-to-point connection characteristics. It could be the access port of a Fast Ethernet switch or the logical access point of a WLAN base station. The IEEE 802.1x standard conceptually distinguishes between two logical ports (also see Figure 10.1): an uncontrolled port, which enables a device to prove its identity through an authentication exchange, and a controlled port, which allows successfully authenticated devices to access the general data transmission service of the local area network.
Three principal roles are distinguished in the authenticity verification of connected devices:
– A device that wants access to the data transmission service of the local area network finds itself in the role of supplicant when it is providing and proving its identity during the authentication exchange.
– The access point of the LAN infrastructure, such as an Ethernet switch, functions as an authenticator, demanding that a device provide and prove its identity.
– The authenticator does not itself verify the credentials provided by a supplicant during the authentication exchange. Instead, it forwards them to an authentication server, which then notifies it of the result of the authentication verification.
Until a device has successfully authenticated itself to the authenticator of a local area network, it only has access to the uncontrolled port. This port is uncontrolled in the sense that it can be accessed even before authentication has been successfully performed. However, it only allows the exchange of authentication messages and cannot be used for the transmission of arbitrary data units. An authentication exchange can be initiated by a supplicant as well as by an authenticator. The controlled port is opened as soon as the exchange has been successfully completed.
For the exchange of Extensible Authentication Protocol (EAP) protocol data units, IEEE 802.1x specifies the protocol EAP over LANs (EAPOL), which mainly defines techniques for encapsulating EAP PDUs in the payload of transmission frames of the 802 protocol suite. The encapsulated PDUs are then exchanged between the Port Access Entities (PAE) of the supplicant and the authenticator. Conventional RADIUS messages can be used between the authenticator and the authentication server. In summary, it should be noted that IEEE 802.1x primarily provides access control for the transmission services offered by local area networks. However, the standard does not define how to secure the actual data transmission against passive or active attacks, and additional security protocols are therefore required.
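As an added illustration of the EAPOL encapsulation described above (example code written for this text, not part of the standard or any vendor implementation), the following Python decodes an Ethernet frame carrying an EAPOL PDU and the EAP packet inside it, and builds the EAP-Response/Identity frame a supplicant would send over the uncontrolled port. The supplicant MAC address and the identity "alice" are constructed sample values; the EAPOL EtherType, the PAE group address and the header layouts follow IEEE 802.1x and RFC 3748.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                            # EtherType reserved for EAPOL
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # PAE group MAC address (not forwarded by bridges)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet header, EAPOL header and (for EAP-Packet) the embedded EAP PDU."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        # Anything that is not EAPOL must not pass the uncontrolled port.
        raise ValueError(f"not an EAPOL frame (EtherType 0x{ethertype:04x})")
    version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length exceeds frame")
    result = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
              "eapol_type": EAPOL_TYPES.get(pkt_type, f"unknown({pkt_type})")}
    if pkt_type == 0:                                # body is an EAP PDU: code, id, length, [type, data]
        if len(body) < 4:
            raise ValueError("EAP PDU too short")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("EAP length field inconsistent with EAPOL body")
        result.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident)
        if code in (1, 2) and eap_len >= 5:          # Request/Response carry a type byte
            result["eap_type"] = body[4]
            result["eap_data"] = body[5:eap_len]
    return result

def build_identity_response(ident: int, identity: bytes, src_mac: bytes) -> bytes:
    """Build the EAP-Response/Identity (EAP type 1) frame a supplicant sends to the authenticator."""
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity
    eapol = struct.pack("!BBH", 2, 0, len(eap))      # EAPOL version 2, type 0 = EAP-Packet
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol + eap

# Constructed sample: supplicant 00:11:22:33:44:55 answers Identity request id 7 as "alice".
SAMPLE_FRAME = build_identity_response(7, b"alice", bytes.fromhex("001122334455"))
```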