802.1x is a standardized framework defined by the IEEE that is designed to
provide port-based network access control. 802.1x performs port-level
authentication of network clients by using information unique to the client and
credentials known only to the client. The 802.1x framework defines three roles
in the authentication process:
- Supplicant – The endpoint that is seeking network access is known as the
supplicant. The supplicant may be an end user device or a standalone device,
such as an IP phone.
- Authenticator – The device to which the supplicant directly connects and
through which the supplicant obtains network access permission is known as the
authenticator.
- Authentication server – The authenticator acts as a gateway to the
authentication server, which is responsible for actually authenticating the
supplicant.
The authentication process consists of exchanges of Extensible
Authentication Protocol (EAP) messages. This exchange occurs between the
supplicant and the authentication server. The authenticator acts as a
transparent relay for this exchange and as a point of enforcement for any
policy configuration instructions the authentication server may send back as a
result of the authentication process.
802.1x and EAP
An alternative wireless LAN (WLAN) security approach focuses on developing a
framework for providing centralized authentication and dynamic key
distribution. This approach is based on the IEEE 802.11 Task Group i end-to-end
framework using 802.1x and EAP to provide this enhanced functionality. Cisco
has incorporated 802.1x and EAP into its Cisco Wireless Security Suite. The
three main elements of an 802.1x and EAP approach follow:
- Mutual authentication between the client and the RADIUS authentication
server
- Encryption keys that are dynamically derived after authentication
- Centralized policy control, where session time-out triggers
re-authentication and new encryption key generation
When these features are implemented, a wireless client that associates
with an access point cannot gain access to the network until the user performs
a network logon. After association, the client and the network access point or
RADIUS server exchange EAP messages to perform mutual authentication, with the
client verifying the RADIUS server credentials, and vice versa. An EAP
supplicant is used on the client machine to obtain the user credentials. Upon
successful client and server mutual authentication, the RADIUS server and
client then derive a client-specific Wired Equivalent Privacy (WEP) key to be
used by the client for the current logon session. User passwords and session
keys are never transmitted in the clear over the wireless link.
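The following added example models the three-role exchange described in the first section (supplicant, authenticator relaying EAP messages untouched, authentication server deciding and returning policy) together with the mutual authentication, per-session key derivation and session time-out re-authentication described in this section. It is constructed illustration code, not Cisco's, the IEEE's or any EAP implementation: the challenge/response method is an HMAC-based stand-in for a real EAP method, the "policy" dictionary stands in for RADIUS attributes such as Session-Timeout, and the user name, shared secret and timeout value are made-up sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample credential known only to the supplicant and the
# authentication server; the authenticator never sees it.
USER_DB = {"alice": b"constructed-shared-secret"}
SESSION_TIMEOUT = 3600  # seconds; constructed policy value handed to the authenticator

@dataclass
class EAP:
    """Minimal EAP message: code is Request, Response, Success or Failure."""
    code: str
    ident: int
    payload: dict = field(default_factory=dict)

def _mac(secret, *parts):
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()

def derive_session_key(secret, s_nonce, c_nonce):
    # Computed independently at both ends; the key itself never crosses the link.
    return _mac(secret, b"session-key", s_nonce, c_nonce)

class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
        self.s_nonce = self.c_nonce = self.session_key = None
        self.server_verified = False

    def handle(self, msg):
        t = msg.payload.get("type")
        if t == "identity":
            return EAP("Response", msg.ident, {"type": "identity", "identity": self.identity})
        if t == "challenge":  # new session: forget any earlier server verification
            self.s_nonce, self.c_nonce, self.server_verified = msg.payload["s_nonce"], os.urandom(16), False
            proof = _mac(self.secret, b"client", self.s_nonce, self.c_nonce)
            return EAP("Response", msg.ident, {"type": "challenge", "c_nonce": self.c_nonce, "proof": proof})
        if t == "server_proof":  # the client verifies the server, not only the reverse
            expected = _mac(self.secret, b"server", self.s_nonce, self.c_nonce)
            self.server_verified = hmac.compare_digest(expected, msg.payload["proof"])
            return EAP("Response", msg.ident, {"type": "server_proof", "ok": self.server_verified})
        if msg.code == "Success" and self.server_verified:  # a Success from an unproven server yields no key
            self.session_key = derive_session_key(self.secret, self.s_nonce, self.c_nonce)
        return None

class AuthServer:
    def __init__(self, users):
        self.users = users
        self.secret = self.s_nonce = self.c_nonce = None

    def start(self):
        return EAP("Request", 1, {"type": "identity"}), None

    def handle(self, msg):
        """Return (next EAP message, policy for the authenticator or None)."""
        t, nxt = msg.payload.get("type"), msg.ident + 1
        if t == "identity":
            self.secret = self.users.get(msg.payload["identity"])
            if self.secret is None:
                return EAP("Failure", nxt), None
            self.s_nonce = os.urandom(16)
            return EAP("Request", nxt, {"type": "challenge", "s_nonce": self.s_nonce}), None
        if t == "challenge":
            self.c_nonce = msg.payload["c_nonce"]
            expected = _mac(self.secret, b"client", self.s_nonce, self.c_nonce)
            if not hmac.compare_digest(expected, msg.payload["proof"]):
                return EAP("Failure", nxt), None
            proof = _mac(self.secret, b"server", self.s_nonce, self.c_nonce)
            return EAP("Request", nxt, {"type": "server_proof", "proof": proof}), None
        if t == "server_proof" and msg.payload["ok"]:
            key = derive_session_key(self.secret, self.s_nonce, self.c_nonce)
            # Stand-in for the RADIUS attributes returned with Access-Accept.
            return EAP("Success", nxt), {"session_key": key, "session_timeout": SESSION_TIMEOUT}
        return EAP("Failure", nxt), None

class Authenticator:
    """Relays EAP frames without inspecting them and enforces the verdict at the port."""
    def __init__(self, server):
        self.server, self.port_open, self.policy = server, False, None

    def authenticate(self, supplicant):
        msg, policy = self.server.start()
        while msg.code == "Request":  # transparent relay: pass each frame through unchanged
            msg, policy = self.server.handle(supplicant.handle(msg))
        supplicant.handle(msg)  # deliver the final Success or Failure
        self.port_open = msg.code == "Success"
        self.policy = policy if self.port_open else None
        return self.port_open

    def session_timeout_expired(self, supplicant):
        """Centralized policy: the time-out forces a fresh exchange and a fresh key."""
        self.port_open, self.policy = False, None
        return self.authenticate(supplicant)

def run_login(identity, secret, users=USER_DB):
    """One full exchange; returns (port_open, supplicant, authenticator)."""
    switch = Authenticator(AuthServer(users))
    supp = Supplicant(identity, secret)
    return switch.authenticate(supp), supp, switch
```

Running `run_login("alice", USER_DB["alice"])` opens the port and leaves both ends holding the same session key although no key or password was ever placed in a message; calling `session_timeout_expired` on the authenticator repeats the exchange and produces a different key, and a supplicant presenting the wrong secret (or an unknown identity) receives an EAP Failure, leaves the port closed and derives no key at all.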