FONTANNAUD Olivier, MARC Antoine, FI2A G2 P2, 27/03/08
English Project: 802.1X

Companies today have to protect their information. They need a well-secured network that prevents outsiders from stealing sensitive data. That is why the 802.1X protocol was created: it controls access to the network at the level of the physical port (a switch port or a wireless association), before any other traffic is allowed through.

I - Standard presentation

802.1X is a standard published by the IEEE (Institute of Electrical and Electronics Engineers) in June 2001. Its purpose is to identify a user (or a machine) who wants to access a network, with the help of an authentication server. It involves three entities:

1) The supplicant: the client asking for access to the network.
2) The authenticator: the network equipment (switch or access point) the client connects to. It relays the exchange and asks the server whether the client has the right to access the network or not.
3) The authentication server: the server that holds the list of users and decides whether the client is authorized to access the network or not.

The three steps of a connection using 802.1X

The supplicant connects to a port configured for 802.1X authentication. At this time the controlled port is in the unauthorized state: only EAPOL frames (the authentication traffic itself) are accepted, through what the standard calls the uncontrolled port, and all other traffic is dropped. The supplicant presents its credentials (a login and password, or a certificate), and the switch relays the EAP exchange to the authentication server (over RADIUS, see section II). If the authentication succeeds, the controlled port changes to the authorized state and the supplicant can reach the network resources.

II - Protocol presentation

1) EAP

Communication between the supplicant and the authenticator is carried by EAPOL (Extensible Authentication Protocol over LAN), which transports EAP frames directly over Ethernet. EAP itself is a framework that carries authentication data and supports several methods. Here are the main ones:

EAP-TLS (Transport Layer Security): this method is based on digital certificates. The server and the client authenticate each other, and a TLS tunnel protects the data exchanged during this phase.
The TLS handshake (each side's public/private key pair and certificate) creates a secure tunnel between the client and the server. With this method the client does not have to type a password: the certificate is enough for authentication.

EAP-MD5 Challenge: with this method the user is identified by a login and a password, but the password itself never crosses the network: a challenge/response is used. The server sends a random challenge to the client; the client answers with the MD5 hash of the challenge combined with its password. The server performs the same computation with the password stored in its database and compares the results. If they match, access is granted; otherwise it is refused. Note that EAP-MD5 authenticates only the client, not the server, derives no keying material (so it cannot protect a wireless link), and an attacker who captures the challenge and the response can test candidate passwords offline.

Protected EAP (PEAP): with PEAP only the authentication server has a digital certificate. It sends it to the client, which can thus authenticate the server. A secure TLS tunnel is then established between the client and the server. Inside the tunnel the client is authenticated with any EAP method (typically a login and password), and that inner exchange benefits from the protection of the TLS tunnel.

EAP-TTLS (Tunneled Transport Layer Security): this method combines the advantages of login/password authentication, encryption of the exchanged data by the tunnel, and server authentication with a certificate.

2) RADIUS

Communication between the authenticator (network equipment) and the authentication server is carried by EAP over RADIUS (Remote Authentication Dial-In User Service). The RADIUS protocol links the identification data to the user database by transporting authentication data in a standard format. The authentication operation is initiated by a RADIUS client (the network access server, or NAS), which can be a wireless access point, a firewall, a switch or another server. The server may use an external backend to process the request: an SQL database, an LDAP directory, or local user accounts.
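The EAP-MD5 challenge/response described in the EAP section above, and the weakness noted there, as an added example that is not part of the original report. It encodes the EAP-MD5-Challenge Request and Response packets as defined in RFC 3748 (Code, Identifier, Length, Type 4, Value-Size, Value, Name), computes the Response Value as MD5(Identifier || password || challenge), and shows three parties: the server issuing the challenge and verifying the answer, the supplicant answering without sending its password, and an eavesdropper who captured both frames on the LAN and recovers the password with a wordlist. The user database, the fixed challenge and the wordlist are constructed sample data; a real server draws the challenge at random.

```python
import hashlib
import hmac
import struct

# EAP codes and the MD5-Challenge method type (RFC 3748 section 5.4).
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# Constructed sample data (not from the report): the server's user database and a fixed
# 16-byte challenge so that the run is reproducible. A real server draws the challenge at random.
USER_DB = {b"mario": b"print-me-2008"}
CHALLENGE = bytes.fromhex("0123456789abcdeffedcba9876543210")


def eap_md5_packet(code, identifier, value, name=b""):
    """Encode an EAP-MD5-Challenge Request or Response.

    Layout: Code(1) Identifier(1) Length(2) Type(1)=4 Value-Size(1) Value Name.
    """
    body = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, len(value)) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Decode the packet above; reject inconsistent lengths before trusting any field."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 6:
        raise ValueError("EAP length field does not match the packet")
    eap_type, value_size = struct.unpack("!BB", packet[4:6])
    if eap_type != EAP_TYPE_MD5_CHALLENGE or 6 + value_size > length:
        raise ValueError("not a well-formed MD5-Challenge packet")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]


def md5_response_value(identifier, password, challenge):
    # Response Value = MD5(Identifier || password || challenge), the same formula as CHAP (RFC 1994).
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def supplicant_answer(request, username, password):
    """Supplicant side: answer the server's challenge without ever sending the password."""
    code, identifier, challenge, _server_name = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_response_value(identifier, password, challenge)
    return eap_md5_packet(EAP_RESPONSE, identifier, value, username)


def server_verify(request, response, user_db=USER_DB):
    """Server side: recompute the expected value from the stored password, compare in constant time."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    code, resp_id, value, name = parse_eap_md5(response)
    if code != EAP_RESPONSE or resp_id != req_id:  # the answer must match the outstanding request
        return False
    password = user_db.get(name)
    if password is None:
        return False
    return hmac.compare_digest(value, md5_response_value(req_id, password, challenge))


def offline_dictionary_attack(request, response, wordlist):
    """Eavesdropper side: both frames cross the LAN in clear, so every guess is checked offline."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    _, _, value, _ = parse_eap_md5(response)
    for guess in wordlist:
        if md5_response_value(req_id, guess, challenge) == value:
            return guess
    return None


def run_exchange(identifier=42):
    """Full exchange: server challenge, supplicant answer, server decision, then the eavesdropper."""
    request = eap_md5_packet(EAP_REQUEST, identifier, CHALLENGE, b"auth-server")
    response = supplicant_answer(request, b"mario", USER_DB[b"mario"])
    accepted = server_verify(request, response)
    # Constructed wordlist: the user's password is in it, as in any weak-password scenario.
    wordlist = [b"123456", b"password", b"print-me-2008"]
    recovered = offline_dictionary_attack(request, response, wordlist)
    return accepted, recovered


if __name__ == "__main__":
    ok, pwd = run_exchange()
    print("server accepted:", ok)
    print("eavesdropper recovered password:", pwd)
```

The same capture cannot be replayed against a later request, because the Identifier and the challenge change each time; what the capture does give away is an unlimited offline guessing budget, which is why tunneled methods (PEAP, EAP-TTLS) wrap this kind of exchange inside TLS.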
RADIUS servers follow the AAA model:

Authentication: the user or machine sends an access request to a Network Access Server (NAS); the NAS forwards it to the RADIUS server, which verifies the credentials, for example by running an EAP method.
Authorization: once the identity is verified, the RADIUS server decides what the user may do and returns that decision in the Access-Accept as attributes (for example the VLAN to assign or a session time limit).
Accounting: when network access is granted by the authenticator, it sends an Accounting Start request to the RADIUS server to signal the start of the user's session, and an Accounting Stop request when the session ends.

III - 802.1X implementation

Here you can see Martin, Mario and Marion trying to access the network. Thanks to 802.1X they will be able to access network resources such as the printer, the web server, etc. Martin is an administrator: he can access all the resources on the network. When the authentication server authenticates him (EAP mechanism), he is assigned to the "admin" virtual network. Marion and Mario are just employees and cannot access the entire network. For example Mario is a student, so he cannot use the printer, while Marion is a teacher and will be able to print documents.

802.1X allows:
- forcing all users to authenticate before a network port is opened;
- working with a wide variety of devices (PDA, laptop, etc.);
- configuring various authorizations (time of access to resources, limited access);
- dynamic virtual network (VLAN) assignment.

Limitations:
- authorization is limited to layer 2 (by VLAN);
- it cannot control the network traffic of users once they are authorized;
- it gives little information about the client connection: only when it starts, when it stops and how much traffic was used.

In conclusion, 802.1X will probably be used a lot in the future because it is very flexible. It will be very useful for the technological evolution centered on wireless, because a computer is no longer assigned to a VLAN by its physical port but by the authentication mechanism. But 802.1X has its limits; perhaps a more advanced standard with authorizations at layer 3 will be created someday?
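The dynamic VLAN assignment of section III and the authorization step of the AAA model, as an added example that is not part of the original report. The RADIUS server answers the switch's Access-Request with an Access-Accept carrying the three tunnel attributes RFC 3580 specifies for VLANs (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN name or number, each prefixed with the RFC 2868 tag byte), and the switch verifies the Response Authenticator of RFC 2865 with the shared secret before it trusts any attribute and moves the port into that VLAN. The shared secret, the Request Authenticator and the user-to-VLAN policy table are constructed assumptions; the user names are those of the report's scenario.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868) and the values RFC 3580 fixes for VLANs.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed assumptions (not from the report): the NAS/server shared secret, the 16-byte
# Request Authenticator the switch put in its Access-Request, and the authorization policy.
SHARED_SECRET = b"demo-radius-secret"
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")
VLAN_POLICY = {b"martin": b"admin", b"marion": b"teachers", b"mario": b"students"}


def attribute(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header bytes, so Value is at most 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged(value, tag=1):
    """RFC 2868 tunnel attributes start with a one-byte Tag that groups related attributes."""
    return bytes([tag]) + value


def build_server_response(identifier, request_authenticator, username, secret=SHARED_SECRET):
    """Server side: Access-Accept with VLAN attributes for known users, Access-Reject otherwise."""
    vlan = VLAN_POLICY.get(username)
    if vlan is None:
        code, attrs = ACCESS_REJECT, b""
    else:
        code = ACCESS_ACCEPT
        attrs = (attribute(ATTR_TUNNEL_TYPE, tagged(TUNNEL_TYPE_VLAN.to_bytes(3, "big")))
                 + attribute(ATTR_TUNNEL_MEDIUM_TYPE, tagged(TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")))
                 + attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged(vlan)))
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3).
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def parse_attributes(data):
    """Walk the Type/Length/Value list, refusing lengths that overrun the packet."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def nas_handle_response(packet, expected_id, request_authenticator, secret=SHARED_SECRET):
    """Authenticator (switch) side: return the VLAN to put the port in, or None to leave it unauthorized."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != expected_id:
        return None
    received, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(received, expected):
        return None  # not from our server, or tampered in transit: ignore it entirely
    if code != ACCESS_ACCEPT:
        return None
    fields = {}
    for attr_type, value in parse_attributes(attrs):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            fields[attr_type] = int.from_bytes(value[1:], "big")          # skip the Tag byte
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            fields[attr_type] = value[1:] if value[0] <= 0x1F else value  # Tag is present only if <= 0x1F
    if (fields.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or fields.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None  # policy chosen here: no usable VLAN attributes means no access (a real switch may use a default VLAN)
    return fields.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)


def assign_vlan(username, identifier=7):
    """Round trip for one user: server builds the reply, switch validates it and picks the VLAN."""
    packet = build_server_response(identifier, REQUEST_AUTHENTICATOR, username)
    return nas_handle_response(packet, identifier, REQUEST_AUTHENTICATOR)


if __name__ == "__main__":
    for user in (b"martin", b"marion", b"mario", b"stranger"):
        print(user.decode(), "->", assign_vlan(user))
```

The Response Authenticator is what stops a host on the path between switch and server from promoting itself to the "admin" VLAN by rewriting the Tunnel-Private-Group-ID: without the shared secret it cannot recompute the MD5 over the modified attributes, and the switch discards the reply. This is also why the shared secret must be long and unique per NAS, since a guessed secret lets an attacker forge any authorization.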