802.1x
Chris Hessing
Head of Networking
University of Utah Marriott Library
[Link]@[Link]
What is 802.1x?
● IEEE 802.1x defines:
– A way to authenticate a user or machine to the network.
– How to carry an EAP conversation over a layer 2 network.
– Extensions to provide keying information to wireless clients.
Where can 802.1x be used?
● 802.1x was designed to be used in any environment where the idea of a port can be abstracted.
[Diagram: an authenticated user versus an unauthenticated user on a port]
Terminology
● Authentication Server
– The server that will verify the credentials a user provides to the network. This is usually a RADIUS server.
● Authenticator
– A network device that will take information from the supplicant, and translate it into the format needed by the authentication server.
● Supplicant
– The client application that provides credential information to the authenticator.
EAP over LANs (EAPoL)
● Sometimes also called EAP over Wireless (EAPoW)
● EAPoL defines a set of packets that will carry pieces of the authentication.
– EAP-Packet
– EAPoL-Start
– EAPoL-Logoff
– EAPoL-Key
– EAPoL-ASF-Alert
EAP over LANs (EAPoL)
● EAP-Packet
– The most common packet in 802.1x
– Carries the entire EAP conversation
● EAPoL-Start
– Instructs the authenticator to begin an authentication.
● EAPoL-Logoff
– Notifies the authenticator that the user is logging off.
● EAPoL-Key
– Carries information to be used as a wireless encryption key.
EAPoL Conversation
EAP Types
● Not all EAP types provide keying material for encryption on wireless!
● Types such as TLS, TTLS, and PEAP do provide keying material.
● Types such as EAP-MD5, EAP-OTP, and EAP-GTC do NOT provide keying material.
● Select your EAP types carefully!
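As an added example (not from the slides), here is a small Python decoder for the EAPoL header and the embedded EAP header described on the EAPoL slides; it also flags frames whose EAP type the deck lists as producing no keying material, which is the check you would want on a wireless segment. The EAP codes and method numbers come from RFC 3748 and the IANA EAP registry, and the sample frames are constructed.

```python
import struct

# EAPoL packet types from the EAPoL slides; EAP codes and method numbers per RFC 3748 / IANA
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPoL-Start", 2: "EAPoL-Logoff",
               3: "EAPoL-Key", 4: "EAPoL-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "EAP-MD5", 5: "EAP-OTP", 6: "EAP-GTC",
               13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
               25: "EAP-PEAP", 26: "EAP-MSCHAPv2"}
# Keying classification as the deck states it; methods it does not classify yield None
KEYING = {"EAP-TLS": True, "EAP-TTLS": True, "EAP-PEAP": True, "EAP-SIM": True,
          "EAP-MD5": False, "EAP-OTP": False, "EAP-GTC": False}

def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPoL header and, for an EAP-Packet, the embedded EAP header."""
    if len(frame) < 4:
        raise ValueError("EAPoL header truncated")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPoL body shorter than declared length")
    info = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:                         # Start/Logoff/Key/Alert carry no EAP header
        return info
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPoL body")
    info.update(code=EAP_CODES.get(code, f"unknown({code})"), id=ident)
    if code in (1, 2) and eap_len >= 5:    # only Request/Response carry a method type
        info["method"] = EAP_METHODS.get(body[4], f"unknown({body[4]})")
        info["keying"] = KEYING.get(info["method"])
    return info

def non_keying_methods(frames) -> list:
    """(EAP id, method) for Request/Response frames using a method the deck says yields no keys."""
    parsed = [parse_eapol(f) for f in frames]
    return [(p["id"], p["method"]) for p in parsed if p.get("keying") is False]

# Constructed sample frames: the bytes that follow the 0x888E EAPoL Ethertype
SAMPLE_FRAMES = [
    bytes.fromhex("01010000"),                         # EAPoL-Start, empty body
    bytes.fromhex("01000005" "0101000501"),            # EAP-Request id 1, Identity
    bytes.fromhex("0100000a" "0102000a0404aabbccdd"),  # EAP-Request id 2, MD5-Challenge
    bytes.fromhex("01000006" "010300061920"),          # EAP-Request id 3, PEAP start
    bytes.fromhex("01000004" "03030004"),              # EAP-Success id 3
]
```

Running `non_keying_methods(SAMPLE_FRAMES)` over these frames reports only the MD5-Challenge request, since Identity is unclassified and PEAP is a keying method.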
Common EAP Types
● There are four EAP types that are the most common.
– EAP-MD5
– EAP-TLS
– EAP-TTLS
– EAP-PEAP
● LEAP is another common type, but isn't compliant with the EAP standard!
EAP-MD5
● One of the simplest EAP types that can be used.
● Doesn't create keying material!
● Okay for wired LANs.
EAP-TLS
● Probably one of the most secure methods that can be used without a token.
● Makes use of both client and server certificates, which can make it difficult to manage.
● Generates keying material!
EAP-TTLS
● Most of the benefits of TLS, without the need for client certificates.
● Still requires certificates on the servers.
● Certificates on the server are used to generate the TLS tunnel.
● In the second phase, RADIUS AVPs are used to carry username and password. (EAP types can also be used.)
● Keying material is generated!
EAP-PEAP
● Very similar to TTLS!
● A TLS tunnel is established, and another EAP session takes place inside.
● Also requires server certificates.
● Generates keying material!
EAP-SIM
● Currently not very well known.
● Makes use of the Subscriber Identity Modules used in GSM and GPRS cell phones.
● Strong authentication, since a token (the SIM) and a PIN are required to complete authentication!
● Generates keying material.
Supplicants
Operating system support:

Supplicant        Linux  Windows XP  Windows 2k  Windows ME  Windows 98  Mac OS X (10.2/10.3)
Xsupplicant       Yes    No          No          No          No          No/No
Microsoft Native  No     Yes         Yes         No          No          No/No
Funk Odyssey      No     Yes         Yes         Yes         Yes         No/No
Meetinghouse      Yes    Yes         Yes         Yes         Yes         Yes/No
Apple Native      No     No          No          No          No          No/Yes

EAP type support:

Supplicant        EAP-MD5  EAP-TLS  EAP-TTLS  EAP-PEAP  LEAP   EAP-SIM
Xsupplicant       Yes      Yes      Yes       Yes*      Yes**  Yes
Microsoft Native  Yes      Yes      No***     Yes       No     No
Funk Odyssey      Yes      Yes      Yes       Yes       Yes    No
Meetinghouse      Yes      Yes      Yes       Yes       Yes    No
Apple Native      Yes      Yes      Yes       Yes       Yes    No
* PEAP authentication doesn't work with Microsoft IAS.
** LEAP authentication works, but keying material isn't generated correctly.
*** EAP-TTLS support can be added using the Free Alfa+Ariss plug-in.
XSupplicant
● XSupplicant is the open source 802.1x client for Linux.
● It currently supports:
– EAP-MD5
– EAP-MS-CHAPv2
– EAP-TLS
– EAP-TTLS
– EAP-PEAP
– EAP-SIM
– LEAP
– EAP-GTC (in CVS)
– EAP-OTP (in CVS)
Xsupplicant Pitfalls
● Not all wireless card drivers for Linux support the needed extensions for 802.1x.
● Drivers known to work:
– MADwifi (CVS version after 1/13/04)
– Atmel Sourceforge Driver (with patch)
– Orinoco_cs 0.13e driver (with patch)
– Hostap 0.1.2 driver
wEAP Project
● Started this month with the intent of writing plug-ins for the native Microsoft client to support EAP types other than PEAP.
Windows Driver Problems
● Many current Windows XP drivers will work with the built-in 802.1x client.
● Drivers that are not compatible with Windows XP Zero Config will probably not work.
● Some drivers will work with one supplicant, but not others.
Additional Information
● dot1x@[Link] - Mailing list for discussion of 802.1x: hardware, software and deployment issues.
● [Link] - Home page for Xsupplicant.
● [Link] - Home page for wEAP.
● [Link] - Site containing general information and links about 802.1x.
EAPoL Key Messages