802.1x
Chris Hessing Head of Networking University of Utah Marriott Library
[email protected]
What is 802.1x?
● IEEE 802.1x defines:
  – A way to authenticate a user or machine to the network.
  – How to carry an EAP conversation over a layer 2 network.
  – Extensions to provide keying information to wireless clients.
Where can 802.1x be used?
● 802.1x was designed to be used in any environment where the idea of a port can be abstracted.
[Diagram: a port shown in its Unauthenticated and Authenticated states, with the User attached.]
Terminology
● Authentication Server – The server that will verify the credentials a user provides to the network. This is usually a RADIUS server.
● Authenticator – A network device that will take information from the supplicant and translate it into the format needed by the authentication server.
● Supplicant – The client application that provides credential information to the authenticator.
EAP over LANs (EAPoL)
● Sometimes also called EAP over Wireless (EAPoW).
● EAPoL defines a set of packets that will carry pieces of the authentication:
  – EAP-Packet
  – EAPoL-Start
  – EAPoL-Logoff
  – EAPoL-Key
  – EAPoL-ASF-Alert
EAP over LANs (EAPoL)
● EAP-Packet
  – The most common packet in 802.1x.
  – Carries the entire EAP conversation.
● EAPoL-Start – Instructs the authenticator to begin an authentication.
● EAPoL-Logoff – Notifies the authenticator that the user is logging off.
● EAPoL-Key – Carries information to be used as a wireless encryption key.
EAPoL Conversation
EAP Types
● Not all EAP types provide keying material for encryption on wireless!
● Types such as TLS, TTLS, and PEAP do provide keying material.
● Types such as EAP-MD5, EAP-OTP, and EAP-GTC do NOT provide keying material.
● Select your EAP types carefully!
Common EAP Types
● There are four EAP types that are the most common:
  – EAP-MD5
  – EAP-TLS
  – EAP-TTLS
  – EAP-PEAP
● LEAP is another common type, but isn't compliant with the EAP standard!
EAP-MD5
● One of the simplest EAP types that can be used.
● Doesn't create keying material!
● Okay for wired LANs.
EAP-TLS
● Probably one of the most secure methods that can be used without a token.
● Makes use of both client and server certificates, which can make it difficult to manage.
● Generates keying material!
EAP-TTLS
● Most of the benefits of TLS, without the need for client certificates.
● Still requires certificates on the servers.
● Certificates on the server are used to establish the TLS tunnel.
● In the second phase, RADIUS AVPs are used to carry the username and password. (EAP types can also be used.)
● Keying material is generated!
EAP-PEAP
● Very similar to TTLS!
● A TLS tunnel is established, and another EAP session takes place inside.
● Also requires server certificates.
● Generates keying material!
EAP-SIM
● Currently not very well known.
● Makes use of the Subscriber Identity Modules used in GSM and GPRS cell phones.
● Strong authentication, since a token (the SIM) and a PIN are required to complete authentication!
● Generates keying material.
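The EAPoL packet types from the EAPoL slides and the keying-material distinction from the EAP Types slides, as an added example that is not part of the original deck and not Xsupplicant's code: a small Python decoder for the EAPoL and EAP headers that reports which EAPoL packet a frame carries, which EAP method is in play, and whether that method derives keying material. The packet-type and EAP-type numbers are those of IEEE 802.1X and the IANA EAP registry; the sample frames are constructed for this example, and the `classify`, `parse_eapol`, `parse_eap` helpers and their field names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAPoL packet types from the IEEE 802.1X header (Protocol Version, Packet Type, Length).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPoL-Start", 2: "EAPoL-Logoff",
               3: "EAPoL-Key", 4: "EAPoL-Encapsulated-ASF-Alert"}

# EAP codes (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method types (IANA EAP registry) -> (name, derives keying material?).
# None = the type settles nothing about keys (Identity is not an authentication method).
EAP_METHODS = {
    1: ("Identity", None),
    4: ("EAP-MD5", False),
    5: ("EAP-OTP", False),
    6: ("EAP-GTC", False),
    13: ("EAP-TLS", True),
    17: ("LEAP", True),      # derives keys, but is a proprietary, non-standard method
    18: ("EAP-SIM", True),
    21: ("EAP-TTLS", True),
    25: ("EAP-PEAP", True),
}


@dataclass
class EapolFrame:
    version: int
    packet_type: int
    body: bytes                  # exactly the bytes the Length field announces


@dataclass
class EapPacket:
    code: int
    identifier: int
    method_type: Optional[int]   # only present for Request / Response
    data: bytes                  # method-specific data after the Type byte


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse the 4-byte EAPoL header that follows EtherType 0x888E.
    The Length field is authoritative: trailing Ethernet padding is discarded, and a
    frame shorter than its declared length is rejected rather than guessed at."""
    if len(frame) < 4:
        raise ValueError("EAPoL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPoL packet type {ptype}")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPoL body shorter than declared length")
    return EapolFrame(version, ptype, body)


def parse_eap(body: bytes) -> EapPacket:
    """Parse an EAP packet: Code, Identifier, Length, then Type for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field inconsistent with body")
    if code in (1, 2):                      # Request / Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response missing Type")
        return EapPacket(code, ident, body[4], body[5:length])
    return EapPacket(code, ident, None, body[4:length])


def classify(frame: bytes) -> dict:
    """Summarise one EAPoL frame: the EAPoL packet type and, for an EAP Request or
    Response, the method in use and whether it derives keying material (True/False),
    or None when the frame settles nothing about keys."""
    eapol = parse_eapol(frame)
    result = {"eapol": EAPOL_TYPES[eapol.packet_type], "eap": None,
              "method": None, "keying": None}
    if eapol.packet_type != 0:
        return result
    eap = parse_eap(eapol.body)
    result["eap"] = EAP_CODES[eap.code]
    if eap.method_type is not None:
        name, keying = EAP_METHODS.get(eap.method_type,
                                       (f"EAP type {eap.method_type}", None))
        result["method"], result["keying"] = name, keying
    return result


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """Build an EAPoL frame (version 1) around a body; used only to construct samples."""
    return bytes([1, ptype]) + struct.pack("!H", len(body)) + body


def eap_request(ident: int, method_type: int, data: bytes) -> bytes:
    """Build an EAP-Request; used only to construct samples."""
    return bytes([1, ident]) + struct.pack("!H", 5 + len(data)) + bytes([method_type]) + data


# Constructed sample frames (EAPoL header onward; the Ethernet header is omitted).
SAMPLES = {
    "start":    eapol(1),                                                      # EAPoL-Start
    "identity": eapol(0, eap_request(1, 1, b"")),                              # EAP-Request/Identity
    "md5":      eapol(0, eap_request(2, 4, bytes([16]) + bytes(range(16)))),   # MD5-Challenge
    "tls":      eapol(0, eap_request(3, 13, bytes([0x20]))) + b"\x00" * 10,    # TLS start, padded
}


if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        info = classify(frame)
        verdict = "  <- no keying material: not suitable for wireless" if info["keying"] is False else ""
        print(f"{label:8} {info['eapol']:12} {info['eap'] or '':8} {info['method'] or ''}{verdict}")
```

Only the headers are decoded; the EAPoL-Key body and the method-specific data after the Type byte are passed through untouched. The Length checks matter in practice: 802.1X frames are often padded to the Ethernet minimum, and a decoder that trusts the frame length instead of the EAPoL Length field will misread the padding as part of the EAP conversation.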
Supplicants

Platform               Xsupplicant   Microsoft Native   Funk Odyssey   Meetinghouse   Apple Native
Linux                  Yes           No                 No             Yes            No
Windows XP             No            Yes                Yes            Yes            No
Windows 2k             No            Yes                Yes            Yes            No
Windows ME             No            No                 Yes            Yes            No
Windows 98             No            No                 Yes            Yes            No
Mac OS X (10.2/10.3)   No/No         No/No              No/No          Yes/No         No/Yes
EAP type    Xsupplicant   Microsoft Native   Funk Odyssey   Meetinghouse   Apple Native
EAP-MD5     Yes           Yes                Yes            Yes            Yes
EAP-TLS     Yes           Yes                Yes            Yes            Yes
EAP-TTLS    Yes           No***              Yes            Yes            Yes
EAP-PEAP    Yes*          Yes                Yes            Yes            Yes
LEAP        Yes**         No                 Yes            Yes            Yes
EAP-SIM     Yes           No                 No             No             No

* PEAP authentication doesn't work with Microsoft IAS.
** LEAP authentication works, but keying material isn't generated correctly.
*** EAP-TTLS support can be added using the Free Alfa+Ariss plug-in.
XSupplicant
● XSupplicant is the open source 802.1x client for Linux.
● It currently supports:
  – EAP-MD5
  – EAP-MS-CHAPv2
  – EAP-TLS
  – EAP-TTLS
  – EAP-PEAP
  – EAP-SIM
  – LEAP
  – EAP-GTC (in CVS)
  – EAP-OTP (in CVS)
Xsupplicant Pitfalls
● Not all wireless card drivers for Linux support the needed extensions for 802.1x.
● Drivers known to work:
  – MADwifi (CVS version after 1/13/04)
  – Atmel Sourceforge driver (with patch)
  – Orinoco_cs 0.13e driver (with patch)
  – Hostap 0.1.2 driver
wEAP Project
● Started this month with the intent of writing plug-ins for the native Microsoft client to support EAP types other than PEAP.
Windows Driver Problems
● Many current Windows XP drivers will work with the built-in 802.1x client.
● Drivers that are not compatible with Windows XP Zero Config will probably not work.
● Some drivers will work with one supplicant, but not others.
Additional Information
● [email protected] – Mailing list for discussion of 802.1x: hardware, software and deployment issues.
● http://www.open1x.org – Home page for Xsupplicant.
● http://weap.sf.net – Home page for wEAP.
● http://utahgeeks.sf.net – Site containing general information and links about 802.1x.
EAPoL Key Messages