IEEE 802.1X enables authentication and key management for IEEE 802 networks.
It is based on the Extensible Authentication Protocol (EAP, RFC 2284), a PPP extension.
IEEE 802.1X can be used with any 802 LAN physical medium. It is not exclusively for wireless LANs.
EAP messages are encapsulated directly in 802.1X messages, with no additional overhead.
The acronyms EAPOL and EAPOW refer to EAP over LAN and EAP over Wireless, respectively.
IEEE 802.1X authentication for wireless LANs has three main components:
- Supplicant (e.g., client software);
- Authenticator (e.g., access point);
- Authentication server (e.g., a RADIUS/AAA server).
Figure 1 illustrates the components of 802.1X:
The Extensible Authentication Protocol (EAP) operates in this fashion:
- A client/supplicant tries to connect to an AP/authenticator using an 802.1X ASSOCIATE request.
- The AP/authenticator detects the client and enables the client's port, but sets the port state to UNAUTHORIZED. In this state, all client traffic except 802.1X messages is blocked.
- The AP/authenticator returns an 802.1X ASSOCIATE Response and waits.
- The client/supplicant transmits an EAP-START message.
- The AP/authenticator replies with an EAP-REQUEST IDENTITY message to obtain the client's identity.
- The client/supplicant provides its identity in an EAP-RESPONSE message.
- The AP/authenticator forwards the client's EAP-RESPONSE packet to the authentication server.
- The authentication server authenticates the client using the chosen authentication algorithm (OTP, EAP-TLS, LEAP, ...).
- If the authentication server verifies the supplicant's credentials, it returns an ACCEPT message to the AP/authenticator; otherwise the server returns a REJECT message.
- The AP/authenticator processes an ACCEPT response by issuing an EAP SUCCESS message to the client/supplicant and changing the client port to the AUTHORIZED state. The client may now use the wireless LAN. [Note that the AP can be configured/directed to filter messages on this port, e.g., to allow only specific (application) traffic.]
- The authenticator processes a REJECT message by issuing an EAP FAILURE response to the client, and the port remains in the UNAUTHORIZED (blocked) state.
- In the EAP SUCCESS case - and when encryption is used on an 802.11 association between a client and an AP - the authenticator may pass global key information to the supplicant. 802.1X only provides the ability to pass this information, but leaves the encoding and semantics to external standards.
- When the client terminates its session, it issues an EAP LOGOFF message. The AP sets the client port to UNAUTHORIZED (blocked).
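The exchange above, simulated end to end as an added example (this is illustrative code written for this page, not part of the original article or of any 802.1X implementation). It encodes and parses real EAPOL and EAP headers (EAPOL version/type/length, EAP code/identifier/length/type), drives an authenticator whose port starts UNAUTHORIZED and only passes non-EAPOL traffic once the server accepts, and handles EAPOL-Logoff. Two simplifications are assumed and marked as such in the comments: the RADIUS leg between authenticator and server is a direct method call, and the EAP method (OTP, EAP-TLS, ...) is collapsed into a constructed identity allow-list, so only the port-control state machine is exercised.

```python
"""Toy 802.1X port-access-control exchange: supplicant -> authenticator -> server.
Added example for illustration; assumptions are marked in comments."""
import struct

# EAPOL packet types (IEEE 802.1X header: version, type, body length)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes and the Identity type (RFC 2284 header: code, identifier, length[, type])
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol_frame(eapol_type, body=b""):
    """Build an EAPOL frame: 1-byte version (1), 1-byte type, 2-byte body length."""
    return struct.pack("!BBH", 1, eapol_type, len(body)) + body


def parse_eapol(frame):
    """Return (eapol_type, body) from a raw EAPOL frame."""
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    return eapol_type, frame[4:4 + length]


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Build an EAP packet; Success/Failure carry no type byte or data."""
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, body) where body is type byte + type data."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    return code, identifier, pkt[4:length]


class AuthenticationServer:
    """Stands in for the RADIUS/AAA server. ASSUMPTION: the EAP method is
    replaced by a constructed allow-list keyed on the supplied identity."""

    def __init__(self, allowed_identities):
        self.allowed = set(allowed_identities)

    def authenticate(self, identity):
        return "ACCEPT" if identity in self.allowed else "REJECT"


class Authenticator:
    """The AP: owns the controlled port and relays EAP to the server."""

    def __init__(self, server):
        self.server = server          # ASSUMPTION: direct call instead of RADIUS
        self.port_state = "UNAUTHORIZED"
        self._last_id = 0

    def _next_id(self):
        self._last_id = (self._last_id + 1) & 0xFF
        return self._last_id

    def receive_eapol(self, frame):
        """Handle one EAPOL frame from the supplicant; return the reply frame or None."""
        eapol_type, body = parse_eapol(frame)
        if eapol_type == EAPOL_START:
            # Ask the client for its identity.
            req = eap_packet(EAP_REQUEST, self._next_id(), EAP_TYPE_IDENTITY)
            return eapol_frame(EAPOL_EAP_PACKET, req)
        if eapol_type == EAPOL_LOGOFF:
            self.port_state = "UNAUTHORIZED"   # session over: block the port again
            return None
        if eapol_type == EAPOL_EAP_PACKET:
            code, identifier, eap_body = parse_eap(body)
            if code == EAP_RESPONSE and eap_body[:1] == bytes([EAP_TYPE_IDENTITY]):
                decision = self.server.authenticate(eap_body[1:])
                if decision == "ACCEPT":
                    self.port_state = "AUTHORIZED"
                    return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS, identifier))
                self.port_state = "UNAUTHORIZED"
                return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_FAILURE, identifier))
        return None

    def receive_data(self, payload):
        """Non-EAPOL client traffic is forwarded only while the port is AUTHORIZED."""
        return self.port_state == "AUTHORIZED"


def supplicant_session(authenticator, identity):
    """Run the supplicant side: Start -> Request/Identity -> Response/Identity -> result."""
    reply = authenticator.receive_eapol(eapol_frame(EAPOL_START))
    code, identifier, body = parse_eap(parse_eapol(reply)[1])
    if code != EAP_REQUEST or body[:1] != bytes([EAP_TYPE_IDENTITY]):
        raise ValueError("expected EAP-Request/Identity")
    response = eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity)
    reply = authenticator.receive_eapol(eapol_frame(EAPOL_EAP_PACKET, response))
    code, _, _ = parse_eap(parse_eapol(reply)[1])
    return "SUCCESS" if code == EAP_SUCCESS else "FAILURE"


def supplicant_logoff(authenticator):
    authenticator.receive_eapol(eapol_frame(EAPOL_LOGOFF))


if __name__ == "__main__":
    ap = Authenticator(AuthenticationServer([b"alice"]))   # constructed allow-list
    print("before auth, data passes:", ap.receive_data(b"payload"))
    print("alice:", supplicant_session(ap, b"alice"), ap.port_state)
    supplicant_logoff(ap)
    print("after logoff:", ap.port_state)
```

The point the simulation makes visible is the one the list above states in words: `receive_data` returns False for every frame that is not EAPOL until the server's ACCEPT flips the port, and EAPOL-Logoff flips it back. Only the identifier echoed from the Request is accepted in the Response, matching the EAP identifier rule.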
Figure 2 illustrates the 802.1x message exchange:
You can find more information about 802.1X, EAP, and wireless security at Lisa Phifer's WLAN Corner.
For more details, read 802.1X Port Access Control for WLANs, Parts One and Two (Wi-Fi Planet, September 5th and 10th, 2003).