Identity-Based Networking Services (IBNS)
IEEE 802.1x

802.1x is a standardized framework defined by the IEEE that is designed to provide port-based network access control. 802.1x performs port-level authentication of network clients using information unique to the client and credentials known only to that client. The 802.1x framework defines three roles in the authentication process:

  • Supplicant – The endpoint that is seeking network access is known as the supplicant. The supplicant may be an end user device or a standalone device, such as an IP phone.
  • Authenticator – The device to which the supplicant directly connects and through which the supplicant obtains network access permission is known as the authenticator.
  • Authentication server – The server that actually authenticates the supplicant is known as the authentication server. The authenticator acts as a gateway to it.

The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages. This exchange occurs between the supplicant and the authentication server. The authenticator acts as a transparent relay for this exchange and as a point of enforcement for any policy configuration instructions the authentication server may send back as a result of the authentication process.

802.1x and EAP
An alternative wireless LAN (WLAN) security approach focuses on developing a framework for providing centralized authentication and dynamic key distribution. This approach is based on the IEEE 802.11 Task Group i end-to-end framework using 802.1x and EAP to provide this enhanced functionality. Cisco has incorporated 802.1x and EAP into its Cisco Wireless Security Suite. The three main elements of an 802.1x and EAP approach follow:

  • Mutual authentication between the client and the RADIUS authentication server
  • Encryption keys that are dynamically derived after authentication
  • Centralized policy control, where session time-out triggers re-authentication and new encryption key generation

When these features are implemented, a wireless client that associates with an access point cannot gain access to the network until the user performs a network logon. After association, the client and the network access point or RADIUS server exchange EAP messages to perform mutual authentication, with the client verifying the RADIUS server credentials, and vice versa. An EAP supplicant is used on the client machine to obtain the user credentials. Upon successful client and server mutual authentication, the RADIUS server and client then derive a client-specific Wired Equivalent Privacy (WEP) key to be used by the client for the current logon session. User passwords and session keys are never transmitted in the clear over the wireless link.
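The following model, added here as an illustration and not part of the original course material or any Cisco product, walks through the three roles described above: the authenticator relays EAP unchanged between supplicant and authentication server, keeps its controlled port closed to everything but EAPOL until it receives a Success, and then applies the policy (here a VLAN) and the session key the server returns. The credential store, the message format and the HMAC challenge are constructed stand-ins; a real deployment uses RADIUS and an EAP method such as EAP-TLS or PEAP.

```python
import hmac, hashlib, secrets
# Constructed credential store (stands in for RADIUS); the toy HMAC challenge stands in for a real EAP method.
USER_DB = {"alice": b"constructed-shared-secret"}

def prf(secret, label, nonce):
    return hmac.new(secret, label + nonce, hashlib.sha256).digest()

class Supplicant:  # endpoint seeking access: proves it knows the secret, never sends it
    def __init__(self, identity, secret):
        self.identity, self.secret, self.session_key = identity, secret, None
    def respond(self, eap):
        if eap["type"] == "Request/Identity":
            return {"type": "Response/Identity", "identity": self.identity}
        self.session_key = prf(self.secret, b"key", eap["nonce"])  # derived locally
        return {"type": "Response/Challenge", "identity": self.identity,
                "proof": prf(self.secret, b"auth", eap["nonce"])}

class AuthServer:  # verifies the supplicant; returns verdict, policy and session key
    def __init__(self):
        self.nonces = {}
    def handle(self, eap):
        ident = eap["identity"]
        if eap["type"] == "Response/Identity":
            self.nonces[ident] = secrets.token_bytes(16)
            return {"type": "Request/Challenge", "nonce": self.nonces[ident]}
        nonce, secret = self.nonces.pop(ident, None), USER_DB.get(ident)
        if nonce is None or secret is None or not hmac.compare_digest(
                prf(secret, b"auth", nonce), eap["proof"]):
            return {"type": "Failure"}
        # Key and VLAN policy travel server -> authenticator, never over the access link
        return {"type": "Success", "vlan": 10, "key": prf(secret, b"key", nonce)}

class Authenticator:  # relays EAP unchanged, enforces the verdict on its controlled port
    def __init__(self, server):
        self.server, self.authorized, self.vlan, self.session_key = server, False, None, None
    def run_dot1x(self, supplicant):
        eap = {"type": "Request/Identity"}          # sent at link-up / EAPOL-Start
        while eap["type"] not in ("Success", "Failure"):
            eap = self.server.handle(supplicant.respond(eap))  # transparent relay
        self.authorized = eap["type"] == "Success"
        self.vlan, self.session_key = eap.get("vlan"), eap.get("key")
        return self.authorized
    def forward(self, frame):  # controlled port: until authorized only EAPOL passes
        return self.authorized or frame.get("eapol", False)

def demo(identity, secret):
    auth, sup = Authenticator(AuthServer()), Supplicant(identity, secret)
    blocked_before = not auth.forward({"eapol": False})  # data frame dropped pre-auth
    ok = auth.run_dot1x(sup)
    return ok, auth.vlan, blocked_before, ok and auth.session_key == sup.session_key
```

Note that the supplicant and server each derive the same session key from the shared secret and nonce; neither the password nor the key crosses the supplicant-to-authenticator link, which is the property the text describes for the wireless case.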
