IEEE 802.1X

from Wikipedia, the free encyclopedia
A WLAN client (Wireless Node WN) must be authenticated before it can access other LAN resources. To do this, the access point (AP) asks the authentication server (AS).
Classification of the standard in the IEEE model

IEEE 802.1X is a standard for authentication in computer networks.

The IEEE 802.1X standard provides a general method for authentication and authorization in IEEE 802 networks. At the network access point, which may be a physical LAN port, a logical IEEE 802.1Q VLAN or a WLAN, a participant (the supplicant) is authenticated by the authenticator. The authenticator uses an authentication server (RADIUS server) to check the authentication information transmitted by the supplicant and then permits or denies access to the services it offers (LAN, VLAN or WLAN).

Because an authentication server can be used, participants who are not known locally can also be granted network access. For example, members of many universities can use eduroam at other universities without those universities having to set up open guest access or similar.

The standard recommends the Extensible Authentication Protocol (EAP) or the PPP-EAP-TLS Authentication Protocol for authentication, as it does not define any authentication protocols of its own.

According to the IEEE, a capital letter must be used for the notation, as IEEE 802.1X is a stand-alone standard and not a supplement to an existing standard.

Supplicant

Supplicants (literally "petitioners") are all IEEE 802.1X authentication-capable devices (see IEEE 802.1X, Section 5.1 "Requirements") that must be authenticated according to the network's rules before the network device is allowed to access the network's resources.

In practice, the supplicant is implemented in software. The free supplicant implementations from the Open1x or SecureW2 projects can also be used to set up an IEEE 802.1X infrastructure. However, not all network components (such as network printers) are able to authenticate themselves on the network via IEEE 802.1X. Old and even newer hardware often lacks an IEEE 802.1X supplicant implementation, and when IEEE 802.1X is introduced in production systems this is the greatest point of criticism of the standard. For this reason manufacturers offer, for example, a "MAC bypass" function, which makes it possible to authenticate a network device by its MAC address. This means that devices without an IEEE 802.1X supplicant implementation can also be admitted to the network.

Authenticator

The authenticator sits between the supplicant and the network to be protected. The role of the authenticator is to check the authenticity of the supplicant, similar to a doorman checking an ID. If the supplicant can successfully identify itself to the authenticator with valid credentials (proof of authorization), the authenticator grants the supplicant access to the network. If the authentication fails, access is denied. In practice, the authenticator can be an IEEE 802.1X-capable switch, router or IEEE 802.11 WLAN access point. The credentials are usually verified by the authenticator via an "Authentication Server" (AS). In the IEEE 802.1X model, the authentication server is located in a trusted network.

Port Access Entity: PAE

The PAE, which in practice corresponds to a port on the switch, implements a state machine in which the current authentication status between supplicant and authenticator is always reflected on the controlled port. IEEE 802.1X provides three possible access modes for supplicants as the access setting of the PAE:

  • ForceUnauthorized: The controlled port is in the "unauthorized" state. Any access by a supplicant is blocked. It does not matter whether the supplicant can successfully authenticate itself or not; access is always blocked.
  • ForceAuthorized: The opposite of ForceUnauthorized. The controlled port is in the "authorized" state and the supplicant is always granted access. It does not matter whether the supplicant can authenticate itself to the authenticator; access is always permitted. This mode is useful for the practical rollout of IEEE 802.1X on switches: activating IEEE 802.1X authentication together with the ForceAuthorized mode allows, for example, a gradual introduction of IEEE 802.1X. In ForceAuthorized mode, internal tests of the IEEE 802.1X functionality can be carried out on the switch before the productive "Auto" mode, which forces all supplicants to authenticate, is activated.
  • Auto: Requires successful authentication by the supplicant. If the supplicant has successfully authenticated itself, access is granted; otherwise it remains blocked.

The PAE can assume a supplicant or authenticator functionality.

Authentication Server (AS)

The AS provides the authenticator with an authentication service. The AS is usually installed in the protected network and does not itself need to be authenticated. In practice, the AS can be a RADIUS server such as the one the FreeRADIUS project provides free of charge. On Windows 2000 or Windows 2003, a RADIUS server can be operated with the "Internet Authentication Service" (IAS). Every major manufacturer of switches and routers also offers its own RADIUS implementation; refer to the respective manufacturer's product range.

The credentials to be checked can be stored directly on the AS in the form of a simple text file, but the AS can also access a database service through a database driver. In theory, the back-end options for an AS are unlimited. In practice, an LDAP connection is often preferred. The advantage is obvious: existing domain user IDs are already available in the Active Directory Service (ADS) of Microsoft operating systems. Among free LDAP implementations, the OpenLDAP service is also suitable for LDAP operation. The diverse back-end options of the RADIUS server are therefore also advantages for the use of IEEE 802.1X. This example clearly shows that the IEEE 802.1X standard builds on existing interfaces and thus aims to be practical.

In RADIUS terminology, the term Network Access Server (NAS) is used instead of "authenticator". Dial-in clients regard the NAS as a server; from the point of view of the RADIUS server, however, the NAS is a client.

The range of services and the user ID (assignment of the VLAN)

The RADIUS Access-Accept messages from the authentication server to the authenticator are a major advantage when using IEEE 802.1X. RFC 2869 "RADIUS Extensions" describes a large number of attributes that can be sent from the AS to the authenticator. Three interesting attributes are "Tunnel-Type", "Tunnel-Medium-Type" and "Tunnel-Private-Group-Id". At the end of the RADIUS authentication, the RADIUS server sends an Access-Accept message to the network access server. If these three attributes are appended to the Access-Accept message, the NAS is instructed to assign the supplicant to the corresponding VLAN. The VLAN ID is carried in the "Tunnel-Private-Group-Id" attribute of the response packet. The NAS then switches the port from the guest VLAN to the VLAN intended for the supplicant. In practice this means that, based on the user information the authenticator sends to the AS, a range of services tailored to the supplicant can be provided in return. On Linux, BSD or Windows servers it is now relatively easy to implement several VLANs and thus offer a selection of services per VLAN.
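As an added illustration (not code from the article or any product), the following Python sketch shows how a NAS could read the three tunnel attributes out of a RADIUS Access-Accept and decide which VLAN to place the port in. The attribute numbers and values are the standard RADIUS ones; GUEST_VLAN, the sample packet and its zeroed Response Authenticator are constructed for the example.

```python
# RADIUS constants from RFC 2865 / RFC 2868 (standard values, not constructed).
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value meaning "IEEE-802"
GUEST_VLAN = 999             # constructed: VLAN the port sits in until the AS assigns one

def parse_attributes(payload):
    """Split the attribute area into (type, value) pairs; the length octet includes the 2-byte header."""
    attrs, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def split_tag(value, integer):
    """Tunnel attributes may start with a Tag octet (0x01..0x1F) that groups related attributes."""
    tag, body = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
    return tag, (int.from_bytes(body, "big") if integer else body)

def vlan_from_access_accept(packet):
    """VLAN the NAS should assign; GUEST_VLAN if none was sent; None if not an Access-Accept."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or int.from_bytes(packet[2:4], "big") != len(packet):
        return None   # port stays unauthorized (a real NAS also verifies the Response Authenticator)
    groups = {}
    for atype, value in parse_attributes(packet[20:]):   # skip code, id, length, authenticator
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value, atype != TUNNEL_PRIVATE_GROUP_ID)
            groups.setdefault(tag, {})[atype] = body
    for attrs in groups.values():   # the three attributes must share one tag
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return GUEST_VLAN

def build_access_accept(vlan_id=None, tag=1, ident=7):
    """Construct a sample Access-Accept with a zeroed (unverified) Response Authenticator."""
    attrs = b""
    if vlan_id is not None:
        attrs += bytes([TUNNEL_TYPE, 6, tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
        attrs += bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
        group_id = bytes([tag]) + str(vlan_id).encode()
        attrs += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group_id)]) + group_id
    header = bytes([ACCESS_ACCEPT, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + bytes(16) + attrs
```

Calling `vlan_from_access_accept(build_access_accept(42))` yields 42, while an Access-Accept without the three attributes leaves the port in GUEST_VLAN.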

Operating systems with IEEE 802.1X support

On other operating systems, third-party software can be installed to add the function. The Open1X project aims to support many systems with its own 802.1X implementation. Alternatively, network components that allow web-based authentication can be used.

Vulnerabilities in 802.1X-2001 and 802.1X-2004

Several devices per connection

In the summer of 2005, Microsoft's Steve Riley published an article pointing out a serious vulnerability in the 802.1X protocol that is based on a man-in-the-middle attack. In short, the loophole is that only the beginning of the connection is secured with 802.1X; after authentication, a potential attacker can abuse the opened connection for their own purposes, provided the attacker manages to physically insert themselves into the connection. A workgroup hub with an authenticated computer, or a laptop connected between the authenticated computer and the secured port, can be used for this. Riley suggests using IPsec, or a combination of IPsec and 802.1X, for wired networks.

EAPOL logoff frames are transmitted by the 802.1X supplicant in plain text and contain no information known only to the sender. They can therefore easily be spoofed by a connected device to carry out a DoS attack; this also works over WLAN. In an EAPOL logoff attack, a malicious third party with access to the authenticator's medium repeatedly sends forged EAPOL logoff frames carrying the target's MAC address. Based on the MAC address, the authenticator assumes that the target device wants to end the connection, closes the target's authenticated session and thus blocks the target device's data stream. The target device is logically removed from the network.
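As an added, defender-side example that is not part of the article, the following Python code parses EAPOL frames from a constructed capture and flags a source MAC that sends repeated EAPOL-Logoff frames within a short window, which is the traffic pattern the paragraph describes. The EtherType, EAPOL header layout and PAE group address are the standard ones; the MAC addresses, timestamps and thresholds are constructed.

```python
from collections import deque

EAPOL_ETHERTYPE = 0x888E
EAPOL_LOGOFF = 2   # EAPOL packet types: 0 EAP-Packet, 1 EAPOL-Start, 2 EAPOL-Logoff, 3 EAPOL-Key

def parse_eapol(frame):
    """Return (src_mac, eapol_type) for an Ethernet frame carrying EAPOL, else None."""
    if len(frame) < 18 or int.from_bytes(frame[12:14], "big") != EAPOL_ETHERTYPE:
        return None
    version, ptype = frame[14], frame[15]
    body_len = int.from_bytes(frame[16:18], "big")
    if version not in (1, 2, 3) or len(frame) < 18 + body_len:  # trailing padding is fine
        return None
    return ":".join(f"{b:02x}" for b in frame[6:12]), ptype

class LogoffMonitor:
    """Alerts when one source MAC sends more than `limit` EAPOL-Logoff frames in `window` seconds."""
    def __init__(self, limit=3, window=10.0):
        self.limit, self.window = limit, window
        self.recent = {}   # src_mac -> deque of logoff timestamps still inside the window

    def observe(self, ts, frame):
        parsed = parse_eapol(frame)
        if parsed is None or parsed[1] != EAPOL_LOGOFF:
            return None        # only logoff frames matter for this heuristic
        src = parsed[0]
        q = self.recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            return f"possible EAPOL-Logoff DoS: {src} sent {len(q)} logoffs within {self.window:g}s"
        return None

def run_monitor(samples, limit=3, window=10.0):
    """Feed (timestamp, frame) pairs through a monitor and return the alerts raised."""
    mon = LogoffMonitor(limit, window)
    return [alert for ts, frame in samples if (alert := mon.observe(ts, frame))]

# Constructed capture: destination is the PAE group address 01:80:c2:00:00:03,
# EtherType 0x888e, EAPOL version 1, type 2 (Logoff), body length 0.
PAE_GROUP = "0180c2000003"
LOGOFF = "888e" + "01" + "02" + "0000"
SAMPLE = [(0.0, bytes.fromhex(PAE_GROUP + "0a1b2c3d4e5f" + LOGOFF))]   # one genuine logoff
SAMPLE += [(10.0 + i * 0.4, bytes.fromhex(PAE_GROUP + "aabbccddeeff" + LOGOFF)) for i in range(5)]

if __name__ == "__main__":
    for line in run_monitor(SAMPLE):
        print(line)
```

On the sample capture the single logoff from 0a:1b:2c:3d:4e:5f raises nothing, while the burst from aa:bb:cc:dd:ee:ff produces an alert on its fourth and fifth frame.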

The 802.1X-2010 specification, adopted in 2010, counters these vulnerabilities by encrypting the data between logical ports, which sit on top of the physical ports, with MACsec (IEEE 802.1AE), and by authenticating devices with IEEE 802.1AR (Secure Device Identity, DevID).

As a workaround until these enhancements become widespread, some manufacturers have extended the 802.1X-2001 and 802.1X-2004 protocols to allow multiple simultaneous authentication sessions on a single port. While this prevents unauthenticated MAC addresses from accidentally gaining entry on 802.1X-authenticated ports, it does not prevent a malicious device from stealing data, taking over the authenticated MAC address, or carrying out an EAPOL logoff attack.

References

  1. Definition from IEEE Standard 802.1X-2004, Chapter 8.2.2.2, Global variables, page 46, definition p) 1 to 3 (PDF, 1007 KB, English; file will be sent free of charge by email)
  2. KB 313664: Using 802.1x authentication on client computers that are running Windows 2000. Microsoft Knowledge Base
  3. There are problems getting the group policy objects, roaming profiles and logon scripts from a Windows 2003 domain controller. Support.microsoft.com. September 14, 2007. Retrieved August 4, 2011.
  4. Open1X homepage. Sourceforge
  5. Steve Riley's article on the 802.1X vulnerabilities. Microsoft.com. August 9, 2005. Retrieved February 10, 2010.
  6. IEEE 802.1X-2001, § 7.1.
  7. February 2, 2010 Early Consideration Approvals. Standards.ieee.org. Retrieved February 10, 2010.
  8. IEEE 802.1: 802.1X-2010 - Revision of 802.1X-2004. Ieee802.org. January 21, 2010. Retrieved February 10, 2010.