802.1X Port Access Control for WLANs

Securing any kind of network involves allowing authorized parties to access
traffic and networked resources (e.g., servers, hosts) while blocking outsiders.
One essential ingredient in this recipe: permitting or denying physical attachment
to the underlying communications medium.

In Ethernet LANs, this has long been accomplished by disabling unused RJ-45
jacks and latching Media Access Control (MAC) addresses
to Ethernet switch ports. Early wireless LANs followed suit by using access
control lists (ACLs) to permit associations by known MAC addresses while rejecting
all others. MAC ACLs are quite easy to understand and configure. However, ACLs
become difficult to manage in large/dynamic networks and are easily circumvented
by network interface cards (NICs) with programmable addresses.

Fortunately, there is a better answer: the LAN Port Access Control framework
defined by the IEEE 802.1X standard. This article explains
the purpose of 802.1X and the role it can play in your network.

Why LAN Port Access?

MAC forgery is possible on wired and wireless LANs (WLANs), but the risk is
greater on wireless. In a wired Ethernet, intruders can’t easily learn valid
MAC addresses. An unsupervised visitor might look at a PC’s cable tag, plug
his own laptop into the jack used by that PC, and reconfigure his NIC to impersonate
the PC and gain access. But to pull this off, the intruder needs physical access
to the facility and communications medium.

In a WLAN, eavesdroppers within several hundred feet of an access point can
use freeware sniffers to capture traffic. Even when data is encrypted for privacy,
eavesdroppers can record MAC addresses from frame headers. A patient intruder
can wait until later to reconfigure his NIC to impersonate a legitimate wireless
station. An impatient intruder can reconfigure his NIC right away, send a disassociate
request to kick the legitimate station off the air, then immediately reassociate
with the access point. Such attacks don’t require insider access to your facility
— intruders can be located in nearby parking lots, public hallways, stairways,
bathrooms, or adjacent offices.

More robust access control can benefit both wired and WLANs. Many companies
also control access at the enterprise firewall or VPN gateway — for example,
permitting packets from known source IPs or prompting user login before permitting
sessions through the firewall/gateway. Higher-layer controls are indeed very
useful, but insufficient when used alone. For example:

  • If your DHCP server hands out IPs to any requesting station, a WLAN intruder
    doesn’t need to do anything extra to pass through an IP-based firewall filter.
  • If you assign static IPs, a WLAN intruder can sniff traffic to learn a valid
    IP — or systematically guess addresses, starting with common private subnets
    like 192.168.0.0.
  • If users are prompted for login/password without encryption, a WLAN intruder
    can sniff that exchange and use dictionary attack tools to obtain the user’s
    password from a captured password hash.
  • Intruders can do damage without penetrating the firewall/gateway by launching
    attacks on access points, switches, and peer stations, attempting to break
    into those systems to steal stored data, or simply flooding the LAN with bogus
    traffic.

Combining LAN access control with higher-layer controls can mitigate these
kinds of threats. If an intruder can’t send data through a LAN port, he can’t
request an IP address from DHCP or systematically guess IPs. If he can’t receive
data from an Ethernet port, he can’t sniff peer traffic or hashed passwords.
Unfortunately, one can’t stop intruders from receiving or sending traffic over
the air. However, port access control can
stop intruders from sending traffic through the access point into adjacent
networks
.

How 802.1X Works

Think of 802.1X as an ON/OFF gate inside Ethernet switches and wireless access
points. This gate starts in the OFF position, handling only 802.1X requests
until a decision is made to grant the station access. At that point, the gate
is thrown into the ON position so that all LAN traffic can be relayed between
the station and the upstream network. Eventually, the station times out or disconnects,
throwing the gate back into the OFF position.

802.1X defines a management protocol that stations use to request LAN port
access. It uses the Extensible Authentication Protocol (EAP) originally defined
for dial-up, but here sent over Ethernet LANs (EAPOL) or over wireless (EAPOW).
The station must first physically connect to the communications medium — an
Ethernet NIC plugs into a jack; a wireless NIC associates with an access point.
The station then sends an "EAP Start" message. This kicks off a flurry
of management messages that ends with "EAP Success" or "EAP Failure"
(see Figure 1).

So far, 802.1X sounds pretty simple, but here’s where the real work happens.
EAP is an envelope that can carry many different kinds of authentication —
challenge/response, one time passwords, SecurID tokens, digital certificates,
etc. What happens between "EAP Start" and "EAP Success"
depends upon the type of authentication being used.

Knock, Knock, Who’s There?

Throughout most of the 802.1X exchange, the switch or access point ("the
authenticator") is just a middle man, relaying EAP messages between the
station ("the supplicant") and a RADIUS server ("the authentication
server"). For example, the station is asked to supply its identity, which
the authenticator relays inside a RADIUS Access-Request. Based on the station’s
identity, the RADIUS server issues a RADIUS Access-Challenge, the content of
which the authenticator relays to the station. And so on, until the RADIUS server
makes a decision to accept or reject the access request.

This 802.1X framework consolidates decision-making at the RADIUS server, so
that ACLs no longer have to be individually configured into every switch or
access point. It also allows stations to identify themselves with credentials
other than MAC address. For example, the station’s identity can be a Windows
login, followed by a CHAP challenge/response to verify the station’s password.
Or the station’s identity can be an X.500 Distinguished Name, bound to a digital
certificate verified via public/private key cryptography. As we shall see, supporting
a wide variety of authentication schemes proves to be both an asset and challenge
for 802.1X deployment.

One More Thing: Here’s Your Key

In WLANs, an additional step follows EAP Success: an EAPOW Key exchange. This
provides the access point and station with secret session keys to be used by
Wired
Equivalent Privacy
(WEP) or Wi-Fi Protected Access
(WPA) to encrypt traffic sent over the WLAN.

The original 802.1X standard used a single EAPOW Key message for this purpose,
but the new improved 802.1X (called 802.1aa) uses a four-way handshake to prevent
man-in-the-middle attacks that might otherwise compromise these keys. After
both ends of the wireless association — the station and the access point —
have session keys, data sent over the air can be encrypted to prevent eavesdropping.

In fact, this relationship between 802.1X and data encryption turns out to
be just as important to WLAN security as controlling access and authenticating
stations. Exchanging session keys with 802.1X is much more resistant to WEP
key cracking than using static, manually-configured shared WEP keys. The desire
to use dynamic, automatically-generated per-session keys is a significant driver
promoting 802.1X deployment, particularly in larger WLANs where managing static
WEP keys is difficult anyway.

Drilling Down Into EAP

At this point, you should have a pretty good idea about where 802.1X fits into
your network and what happens when a station tries to access a LAN using 802.1X.
Deploying 802.1X port access control requires support on all three devices involved
in this exchange: supplicant software on stations, authenticator support in
access point firmware, and an 802.1X-compatible authentication server.

As you might guess, all three devices must support the same versions of 802.1X
and the same authentication methods, and that’s where 802.1X deployment gets
tricky. In particular, you’ll need to find products that support one or more
EAP types — the variations of EAP that support different kinds of authentication.

In part two of this primer, we’ll drill down into available EAP types and learn
how to choose compatible products to deploy 802.1X in your LAN.

News Around the Web