With 802.11’s optional WEP (Wired Equivalent Privacy), all access points and
client radio NICs on a particular wireless LAN must use the same encryption
key. Each sending station encrypts the body of each frame with a WEP key before
transmission, and the receiving station decrypts it using an identical key upon
reception. This process reduces the risk of someone passively monitoring the
transmission and gaining access to the information that the frames are carrying.
A major underlying problem with the existing 802.11 standard is that the keys
are cumbersome to change. If you don’t update the WEP keys often, an unauthorized
person with a sniffing tool, such as AirSnort or WEPcrack, can monitor your
network for less than a day and decode the encrypted messages. In order to use
different keys, you must manually configure each access point and radio NIC
with new common keys.
Products based on the 802.11 standard alone offer system administrators no
effective method to update the keys. This might not be too much of a concern with
a few users, but the job of renewing keys on larger networks can be a monumental
task. As a result, companies either don’t use WEP at all or maintain the same
keys for weeks, months, and even years. Both cases significantly heighten the
wireless LAN’s vulnerability to eavesdroppers.
802.1X in action
The use of IEEE 802.1X offers an effective framework for authenticating and
controlling user traffic to a protected network, as well as dynamically varying
encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication
Protocol) to both the wired and wireless LAN media and supports multiple authentication
methods, such as token cards, Kerberos, one-time passwords, certificates, and
public key authentication. For details on EAP specifically, refer to IETF’s RFC 2284.
Initial 802.1X communication begins with an unauthenticated supplicant (i.e.,
client device) attempting to connect with an authenticator (i.e., 802.11 access
point). The access point responds by enabling a port for passing only EAP packets
from the client to an authentication server located on the wired side of the
access point. The access point blocks all other traffic, such as HTTP, DHCP,
and POP3 packets, until the access point can verify the client’s identity using
an authentication server (e.g., RADIUS). Once authenticated, the access point
opens the client’s port for other types of traffic.
To get a better idea of how 802.1X operates, the following are specific interactions
that take place among the various 802.1X elements:
1. The client sends an EAP-start message. This begins a series of message
exchanges to authenticate the client; think of this as a group of visitors
entering the front gate of a theme park and the group’s leader (i.e., client)
asking the gatekeeper (i.e., access point) whether they can enter.
2. The access point replies with an EAP-request identity message. In the case
of the theme park, the gatekeeper will ask the leader for their name and
driver’s license.
3. The client sends an EAP-response packet containing the identity to the
authentication server. The leader in our example will provide their name and
driver’s license, and the gatekeeper forwards this information to the group
tour manager (i.e., authentication server), who determines whether the group
has rights to enter the park.
4. The authentication server uses a specific authentication algorithm to
verify the client’s identity. This could be through the use of digital
certificates or another EAP authentication type. In the case of our example,
this process simply involves verifying the validity of the leader’s driver’s
license and ensuring that the picture on the license matches the leader. In
our example, we’ll assume the leader is authorized.
5. The authentication server will send either an accept or a reject message
to the access point. So the group tour manager at the theme park tells the
gatekeeper to let the group enter.
6. The access point sends an EAP-success packet (or reject packet) to the
client. The gatekeeper informs the leader that the group can enter the park.
Of course, the gatekeeper would not let the group in if the group tour manager
had rejected the group’s admittance.
7. If the authentication server accepts the client, then the access point will
transition the client’s port to an authorized state and forward additional
traffic. This is similar to the gatekeeper automatically opening the gate to
let in only people belonging to the group cleared for entry.
The basic 802.1X protocol provides effective authentication regardless of whether
you implement 802.11 WEP keys or no encryption at all. Most major wireless
LAN vendors, however, are offering proprietary versions of dynamic key management
using 802.1X as a delivery mechanism. If configured to implement dynamic key
exchange, the 802.1X authentication server can return session keys to the access
point along with the accept message. The access point uses the session keys
to build, sign and encrypt an EAP key message that is sent to the client immediately
after sending the success message. The client can then use the contents of the key
message to define applicable encryption keys. In typical 802.1X implementations,
the client can automatically change encryption keys as often as necessary to
minimize the possibility of eavesdroppers having enough time to crack the key
in current use.
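The following is an added example, not code from the original article: a toy simulation of the seven-step exchange above and of the dynamic key delivery just described. It models the three 802.1X elements (supplicant, authenticator, authentication server) and shows the access point blocking non-EAP traffic until the server accepts. The user table, credential strings and frame dictionaries are constructed for illustration and are not real EAP, EAPOL or RADIUS encodings.

```python
import secrets

# Constructed credential table standing in for the authentication server's
# user database (hypothetical values, not from the article).
CREDENTIALS = {"group-leader": "valid-license"}


class AuthServer:
    """Authentication server (e.g. RADIUS): steps 4 and 5 of the exchange."""

    def check(self, identity, credential):
        if CREDENTIALS.get(identity) == credential:
            # Dynamic keying: a fresh per-session key rides along with the accept.
            return "accept", secrets.token_bytes(16)
        return "reject", None


class AccessPoint:
    """Authenticator: only EAP crosses the port until the server accepts."""

    def __init__(self, server):
        self.server = server
        self.authorized = False  # controlled port state (step 7 flips it)

    def receive(self, frame):
        """Returns frames sent back to the client, or 'blocked'/'forwarded'."""
        if frame["proto"] != "EAP":
            # HTTP, DHCP, POP3 etc. are dropped while the port is unauthorized.
            return "forwarded" if self.authorized else "blocked"
        if frame["code"] == "start":                        # step 1 -> step 2
            return [{"proto": "EAP", "code": "request-identity"}]
        if frame["code"] == "response-identity":            # step 3
            verdict, key = self.server.check(frame["identity"], frame["credential"])
            if verdict == "accept":                         # steps 5, 6 and 7
                self.authorized = True
                # Success message followed immediately by the EAP key message.
                return [{"proto": "EAP", "code": "success"},
                        {"proto": "EAP", "code": "key", "session_key": key}]
            return [{"proto": "EAP", "code": "failure"}]
        return [{"proto": "EAP", "code": "failure"}]


def run_exchange(ap, identity, credential):
    """Drives a supplicant through the exchange; returns (authorized, key)."""
    ap.receive({"proto": "EAP", "code": "start"})
    replies = ap.receive({"proto": "EAP", "code": "response-identity",
                          "identity": identity, "credential": credential})
    key = next((r["session_key"] for r in replies if r["code"] == "key"), None)
    return ap.authorized, key
```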
802.1X not the whole solution
It’s important to note that 802.1X doesn’t provide the actual authentication
mechanisms. When utilizing 802.1X, you need to choose an EAP type, such as EAP
Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS),
which defines how the authentication takes place. There are many EAP types,
so we’ll leave details on EAP types to a future tutorial.
The important part to know at this point is that the software supporting the
specific EAP type resides on the authentication server and within the operating
system or application software on the client devices. The access point acts
as a "pass through" for 802.1X messages, which means that you can
specify any EAP type without needing to upgrade an 802.1X-compliant access point.
As a result, you can update the EAP authentication type as newer types become
available and your requirements for security change.
802.1X is the way to go
The use of 802.1X is well on its way to becoming an industry standard, and
you would be wise to include it as the basis for your wireless LAN security
solution. Windows XP implements 802.1X natively, and some vendors support 802.1X
in their 802.11 access points. Wireless LAN implementations of 802.1X fall outside
the scope of the 802.11 standard; however, the 802.11i committee is specifying
the use of 802.1X to eventually become part of the 802.11 standard.
To download the 802.1X standard, go to http://www.ieee802.org/1/pages/802.1x.html.
Jim Geier provides independent consulting services to companies developing and
deploying wireless network solutions. He is the author of the book Wireless LANs
(2nd Edition) and regularly instructs workshops on wireless LANs.