The Stages of 802.1X Authentication
802.1X Authentication Protocol
The 802.1X authentication protocol is an advanced cryptographic network protocol used to protect wired and wireless networks. It ensures the security of data and the identification of any device or person attempting to enter the network.
IEEE 802.1X is a port-based Network Access Control (PNAC) standard meant to offer an authentication method for network devices connecting to a LAN or WAN. The Extensible Authentication Protocol (EAP) over LAN (also known as “EAPOL” or “EAP over LAN”) is encapsulated in the IEEE 802.1X protocol for message exchange throughout the authentication process.
As a company owner, it is essential to comprehend what this protocol comprises so you can make an educated judgment about its suitability for your network security requirements. Let’s examine what happens behind the scenes when 802.1X is activated on a network and evaluate the need for each step.
802.1X is implemented for the following reasons:
- Network access identifier and credential-based authentication
- Authentication, authorization, and accounting are centralized
- Security for the public network
- Distribution of keys for dynamic encryption
802.1X Authentication Components
The following are the components of the 802.1X network authentication:
- Extensible Authentication Protocol (EAP): This is an 802.1X transport technique used to authenticate supplicants (hosts/PCs) against a backend server (RADIUS) via an authenticator (Switch).
- EAP over LAN (EAPoL): This is used for authentication across a network and is part of the 802.1X standard (Port-Based Network Access Control) Supplicant and Authenticator’s encapsulation protocol.
- RADIUS Protocol: The AAA protocol that EAP uses.
802.1X Authentication Roles
802.1X network devices can employ the following roles:
- Supplicant: This is the application running on the endpoint or the client’s device. It exchanges messages with the authenticator over EAPoL and issues authentication tokens. Various clients such as Windows, macOS, and Cisco AnyConnect are all examples of supplicants. These supplicants are compatible with 802.1X, which allows for machine and user authentication.
- Authenticator: This is a network access device (NAD) such as a switch, wireless access point, or wireless LAN controller that serves as the authenticator (WLC). It limits network access depending on the authentication state of the user or endpoint. The authenticator also works as a liaison, transforming Layer 2 EAP-encapsulated packets from the supplicant into RADIUS packets for transmission to the authentication server.
- Authentication server: This is responsible for authenticating clients. Authentication servers check the legitimacy of the endpoint and report back to the authenticator with approval or denial.
802.1X Authentication Process
Let’s take a closer look at the 802.1X authentication process.
- For client authentication, the client/supplicant initiates an EAP session by sending an EAP-start message.
- The EAP-request identity message is sent from the access point.
- By responding with an EAP-response packet, the client divulges its identity to the authentication server.
- To ensure that the client is who they say they are, the server employs a particular authentication procedure.
- In response to the access point’s authentication request, the authentication server will either deliver an accept message or a refuse message.
- The AP will either deliver the client an EAP-success packet or a reject packet, depending on the outcome of the authentication process.
- With the client’s port now in an allowed state, the access point will continue to relay traffic once the authentication server has accepted the client.
802.1X Authentication Methods
IEEE 802.1X is a standard that establishes a method of wireless network authentication. During authentication, 802.1X makes use of the Extensible Authentication Protocol (EAP) to send messages between peers.
The 802.1X framework supports a number of authentication protocols, including EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS).
In addition to enabling the client to authenticate the network, these protocols also enable the network to verify the client’s identity. If you want to learn more, check out this comparison of enterprise authentication protocols using WPA2 and WPA.
Protected EAP (PEAP) and EAP-Tunneled TLS (EAP TTLS) are two examples of EAP protocols that are known to use a shared password for network authentication. An attacker may be able to guess the password by selecting it from a list of probable passwords, such as a dictionary.
On the other hand, EAP-ultimate TLS’s objective is to just offer better network security by means of digital authentication; i.e., certificates.
802.1X Authentication Flow
Now let’s look at the 802.1X authentication flow in more detail.
EAP-TLS Authentication
Today, the Extensible Authentication Protocol is one of the most used authentication mechanisms used to deliver client information over the air through 802.1X (EAP). In addition, EAP-TLS is the only EAP protocol that provides certificate-based authentication, which is regarded as the gold standard for authentication.
The procedures involved in the 802.1X EAP-TLS authentication flow and how they result in a secure network connection are described in the sections that follow.
Three parties are involved in EAP-TLS authentication: the supplicant (user’s device), the authenticator (switch or controller), and the authentication server (RADIUS server). Initialization, commencement, negotiation, and authentication are the four major categories that comprise the authentication procedure.
Let’s take a look at each of these categories:
- Initialization: The authenticator detects a supplicant attempting to access the secure network.
- Initiation: Essentially, this is a way for the supplicant, authenticator, and authentication server to say ‘hello’ to each other.
- Negotiation: When a user requests access to a network, the supplicant and the authentication server trade identifiers.
- Authentication: Now the verified user may join the 802.1X network and begin browsing in a secure mode.
EAP-TLS authentication is often quicker than authentication based on credentials because it happens automatically without user intervention. When the device is within range of the secure network, it will automatically establish and finish the connection.
Deep-Dive Into EAP-TLS Authentication Flow
This image illustrates a step-by-step breakdown of the 802.1X EAP-TLS authentication mechanism.
- Public key infrastructure (PKI) certificates are provided to supplicants on the client side and public key infrastructure certificates are supplied to supplicants off-band on the server side.
- As a first step in establishing a secure connection, both the supplicant and the authentication server exchange ‘Hello’ and then prepare their certificates for the authentication process.
- Establish 802.11 Data Link
- The supplicant establishes a connection to the authenticator. This will allow for a secure exchange of information between the two parties.
- EAPoL Start
- The acronym EAPoL (Extensible Authentication Protocol over LAN) denotes that data may be transmitted between all three parties through a secure LAN connection. This is also where the authentication technique — in this example, EAP-TLS — is decided.
- Identity Section
- 4a. Identity Request
- The supplicant requests the identity of the authenticator to ensure it is sending the client certificate to the correct place.
- 4b. Identity (anonymous) Response
- The authenticator requests that the supplicant identify itself.
- 4a. Identity Request
- RADIUS Access Request (anonymous)
- The information that identifies the supplicant and authenticator is sent to the RADIUS to confirm their identity and allow for authenticating information to be sent.
- 5a. Server Certificate
- The RADIUS sends its server certificate to confirm its identity through server certificate validation.
- 5b. Client Certificate
- The supplicant validates the identity of the authentication server certificate. After validation, the supplicant sends its client certificate.
- RADIUS Access (or Reject)
- The RADIUS authentication server accepts the client certificate and verifies the client’s identity as an authorized network user. RADIUS delivers an Access or Reject message to the authenticator based on the user’s certificate.
- EAP Success (or Failure)
- According to the RADIUS Access or Reject message, the authenticator either grants the supplicant access to the network or denies access. If the reply is “Success,” a port on the switch is opened so the supplicant may communicate directly with the authentication server.
- Message 1: EAPOL-Key
- Message 2: EAPOL-Key
- Message 3: EAPOL-Key
- Message 4: EAPOL-Key
- The next step is a series of messages known as the EAPOL-Key exchange. This is a 4-step handshake between the authenticator and supplicant that generates encryption keys. These keys are used to encrypt information that will be sent over the wireless connection and ensure that all ongoing network communications are encrypted and cannot be read by outside parties.
- Linked here is a detailed list of keys that are generated during this handshake.
- Encrypted Channel
- The end result of EAP-TLS authentication is an encrypted channel of communication. The user is ready to access the secure network and utilize all resources available to them.
Cloud-Based RADIUS Authentication
The proliferation of cloud computing and telecommuting has resulted in the transmission of sensitive passwords outside of corporate networks, where they are exposed to Over-the-Air attacks. This is why major companies like Microsoft and security organizations like CISA have advocated for a shift to certificate-based network authentication in place of passwords.
SecureW2’s Cloud RADIUS gives you the power to control network access based on a wide range of parameters, such as the kind of user, the time of day, and the device they’re using. Moreover, since our Cloud RADIUS is vendor-neutral, you can use it with any IDP you like. With real-time user lookups against Azure, Okta, and Google Workspace, Cloud RADIUS gives you the power to enforce rules in a way that no other solution can.
Through our various cutting-edge capabilities, such as Azure multi-factor authentication, Intune automatic revocation, Windows Hello for Business login, and many more, integrating with SecureW2 expands the range of customization possibilities available to you.
Click here to inquire about pricing.
