802.1X network access control (NAC) has been around for more than a decade. It is a security control providing uniform access control across wired (LAN) and wireless (WLAN) networks and allows organisations to restrict access to resources on their network.
Pre- and post-admission endpoint security policy checks are amongst the policies in a network that NAC controls the access to. These controls go over where devices and users can go on a network and what they can do. In short, NAC controls access to enterprise resources using authorisation and policy enforcement.
IEEE 802.1X is an IEEE Standard for Port-Based Network Access Control (PNAC) and provides protected authentication for secure network access. The main intent of 802.1X is to define the authentication controls for any device or user wanting to access a LAN or WLAN.
The 802.1X authentication mechanism has three components: supplicant, authenticator, and authentication server called the RADIUS server.
The standard authentication protocol that is used on encrypted networks is called Extensible Authentication Protocol (EAP). It provides a safe method to send identifying information over the air for network authentication. 802.1X is the standard used for passing EAP over wired and wireless Local Area Networks (LAN). LAN provides an encrypted EAP tunnel that prevents outside users from accessing information.
The EAP protocol can be set up for credential and digital certificate (EAP-TLS) authentication. It is also a highly secure method that protects the authentication process.
EAP Message Format
The 802.1X standard defines the Extensible Authentication Protocol (EAP) as its encrypted message format for transmission between the supplicant and the authenticator.
IEEE 802.1X includes a standard called EAP encapsulation over LANs (EAPOL). It is a standard for passing EAP over a wireless or wired local area network (EAPoW). By using 802.1X, you package EAP messages in Ethernet frames. The format of EAPOL packets is defined in the 802.1x specification. EAPOL communication occurs between supplicant and authenticator. It's only authentication.
The authenticator or supplicant sends a session initiation request. A supplicant sends an EAP-response message to the authenticator, encapsulating the message and forwarding it to the authentication server.
Messages pass between the authentication server and the supplicant via the authenticator to validate several pieces of information.
If the credentials are valid, the authentication server notifies the authenticator to give the supplicant access to the port.
RADIUS accounting keeps session records, including user and device details, session types, and service details.
Sessions are terminated by disconnecting the endpoint device or by using management software.
IoT and BYOD have become key elements for increasing demand in NAC technology mainly because it is fundamental for CISOs tasked with providing secure network access with minimal disruption for end-users to handle mobile devices securely.
The increasing demand to use not just corporate-owned devices such as smartphones, tablets, and laptops, but also personal ones for business, highly complicates endpoint and network security. Organisations are looking to support employees connecting devices to the network and devices from third parties, e.g., visitors, partners, and contractors.
It prevents Over-the-Air Credential Theft attacks like Man-in-the-Middle attacks and Evil Twin proxies. In sum, it prevents eavesdropping on network communication.
IEEE802.1X enables the possibility to enforce policies to allow or deny the access of devices to the network. This can be based on various attributes; time, location, type of authentication, etc.
IEEE802.1X supports multiple authentication methods eliminating the need for passwords: token cards, Public Key Infrastructure (PKI) Certificates, Certificates from external Certificate Authority (CA')s, One Time Passwords (OTP) etc. It also allows room for the addition of newer authentication methods in the future.
IEEE802.1X offers network access based on identity. These Identities can be found in Active Directory, LDAP or even a Guest database. Centrally combining and using these identity stores overcomes scattered access methods, providing a unified starting point for secure network access based on identity.
IEEE802.1X offers the ability to deliver network access on a granular basis. This can be integrated with Active Directory controls to provide network access only to areas of the network that allow the particular owner of the device to perform their job role. Being able to manage this centrally through an NAC system allows greater control and flexibility for delivering access to shared folders.
IEEE802.1X allows for the management of users, devices, profiles, certificates, etc., from single management points and the solutions for profile management allow automated or simplified rollouts of the technology.