IEEE802.1X

The Gold Standard of Network Access Control

Network Access Control

802.1X network access control (NAC) has been around for more than a decade. It is a security control providing uniform access control across wired (LAN) and wireless (WLAN) networks and allows organisations to restrict access to resources on their network. 

Pre- and post-admission endpoint security policy checks are amongst the policies in a network that NAC controls the access to. These controls go over where devices and users can go on a network and what they can do. In short, NAC controls access to enterprise resources using authorisation and policy enforcement.

VMS-23

Explaining NAC

IEEE 802.1X is an IEEE Standard for Port-Based Network Access Control (PNAC) and provides protected authentication for secure network access. The main intent of 802.1X is to define the authentication controls for any device or user wanting to access a LAN or WLAN.

802.1X Components

The 802.1X authentication mechanism has three components: supplicant, authenticator, and authentication server called the RADIUS server.

  • The supplicant is the client device that tries to access the network, e.g. desktop or laptop computer, a tablet, a phone, an IoT device such as a printer.
  • The authenticator, typically a switch, is the initial gateway that intercepts the supplicant's access request. 
  • An authentication server (RADIUS server) compares the supplicant's ID (client) with credentials stored in a database. If credentials and supplicant ID match, the supplicant will get access to the network
Diagrams-16

Extensible Authentication Protocol (EAP)

The standard authentication protocol that is used on encrypted networks is called Extensible Authentication Protocol (EAP). It provides a safe method to send identifying information over the air for network authentication. 802.1X is the standard used for passing EAP over wired and wireless Local Area Networks (LAN). LAN provides an encrypted EAP tunnel that prevents outside users from accessing information.

The EAP protocol can be set up for credential and digital certificate (EAP-TLS) authentication. It is also a highly secure method that protects the authentication process.

EAP Message Format

The 802.1X standard defines the Extensible Authentication Protocol (EAP) as its encrypted message format for transmission between the supplicant and the authenticator.

Extensible Authentication Protocol over LAN (EAPOL)

IEEE 802.1X includes a standard called EAP encapsulation over LANs (EAPOL). It is a standard for passing EAP over a wireless or wired local area network (EAPoW). By using 802.1X, you package EAP messages in Ethernet frames. The format of EAPOL packets is defined in the 802.1x specification. EAPOL communication occurs between supplicant and authenticator. It's only authentication.

NAC in action:

1. Session Initiation

The authenticator or supplicant sends a session initiation request. A supplicant sends an EAP-response message to the authenticator, encapsulating the message and forwarding it to the authentication server.

Arrow-18-2

2. Session Authentication

Messages pass between the authentication server and the supplicant via the authenticator to validate several pieces of information.

Arrow-18-2

3. Session Authorisation

If the credentials are valid, the authentication server notifies the authenticator to give the supplicant access to the port.

Arrow-18-2

4. Session Accounting

RADIUS accounting keeps session records, including user and device details, session types, and service details.

Arrow-18-2

5. Termination

Sessions are terminated by disconnecting the endpoint device or by using management software.

pexels-pixabay-35550

NAC and the increase of demand

IoT and BYOD have become key elements for increasing demand in NAC technology mainly because it is fundamental for CISOs tasked with providing secure network access with minimal disruption for end-users to handle mobile devices securely.

The increasing demand to use not just corporate-owned devices such as smartphones, tablets, and laptops, but also personal ones for business, highly complicates endpoint and network security. Organisations are looking to support employees connecting devices to the network and devices from third parties, e.g., visitors, partners, and contractors.

Read the eBook

6 reasons for utilising IEEE802.1X in our NAC solution

 

Reason 1: Security

It prevents Over-the-Air Credential Theft attacks like Man-in-the-Middle attacks and Evil Twin proxies. In sum, it prevents eavesdropping on network communication.

Reason 2: Access Control

IEEE802.1X enables the possibility to enforce policies to allow or deny the access of devices to the network. This can be based on various attributes; time, location, type of authentication, etc.

Reason 3: Authentication

IEEE802.1X supports multiple authentication methods eliminating the need for passwords: token cards, Public Key Infrastructure (PKI) Certificates, Certificates from external Certificate Authority (CA')s, One Time Passwords (OTP) etc. It also allows room for the addition of newer authentication methods in the future.

Reason 4: Identity stores

IEEE802.1X offers network access based on identity. These Identities can be found in Active Directory, LDAP or even a Guest database. Centrally combining and using these identity stores overcomes scattered access methods, providing a unified starting point for secure network access based on identity.

Reason 5: Authorisation

IEEE802.1X offers the ability to deliver network access on a granular basis. This can be integrated with Active Directory controls to provide network access only to areas of the network that allow the particular owner of the device to perform their job role. Being able to manage this centrally through an NAC system allows greater control and flexibility for delivering access to shared folders.

Reason 6: Scalability

IEEE802.1X allows for the management of users, devices, profiles, certificates, etc., from single management points and the solutions for profile management allow automated or simplified rollouts of the technology.

When implemented correctly, IEEE802.1X is the gold standard of network authentication security.

NetAttest EPS:
The All-in-One NAC Solution

  • No vendor lock-in ​ 
  • Agentless approach
  • Eliminates the use of Pre-Shared Keys ​
  • Reduces risk for credential theft 
  • Prevents over-the-air credential theft and Man in the Middle attacks​
  • Forces users to go through an enrolment/onboarding process, ensuring their devices are configured correctly​
Discover More

Contact Us for More Information