
802.1X Security | Part 1

As part of the global trend of increasing cloud data consumption, Gartner predicts that by 2023 80% of enterprises will also adopt two or more cloud-based security services. In this category, enterprises have shifted from using on-premises Active Directories to cloud-delivered Active Directories.

One of these cloud options is Azure Active Directory, Microsoft's AD management service. Since the IT architecture of most organizations is based on Microsoft operating systems, it makes sense that most of them will switch to Azure Active Directory when they move to a hybrid cloud solution (on-premises combined with cloud) or a complete cloud solution. To do this, adjustments need to be made. 

One of these adjustments pertains to 802.1X authentication by domain attributes. Administrators should start thinking about 802.1X and Azure AD together and how network access control solutions will be able to adapt from the former on-premises legacy security vision to pure cloud-to-cloud integrations. This significant change has added the need to consider certain adjustments to corporate information security. 

Converting access and authentication controls to suit Azure AD requires visibility into all devices before they connect to the network, no matter where they connect from: VPN, wired, wireless, or cloud. If security best practices are essential in your organization, this visibility should include checking each endpoint, profiling it in terms of its security posture, and giving it a score. Once your system has this information, it is possible to mitigate risks by applying controls that either prohibit suspicious endpoints from connecting to the enterprise network (or to its more sensitive sections) or force them to update their security before they can gain access. 

What is IEEE 802.1X and how does it work? 

If you want to connect to a Local Area Network (LAN) or a Wireless Local Area Network (WLAN), an authentication mechanism is required. IEEE 802.1X is an IEEE Standard for Port-Based Network Access Control (PNAC). If you don't know what IEEE means: it is short for Institute of Electrical and Electronics Engineers.  

PNAC provides protected authentication for secure access to networks. 802.1X is an authentication protocol to allow access to networks with the use of a RADIUS server. This server checks a user’s credentials to see if the user is an active member of an organization and, depending on the network policies installed, grants users a different level of access to the network. This allows a set of unique credentials or certificates that can be used for every individual user. This eliminates the dependence on a single network password that third parties can easily steal. 

Protected Authentication Process with RADIUS Server

802.1X and using a RADIUS server to allow access to networks is currently one of the best ways to secure today’s wireless and wired networks.  

As already indicated, 802.1X is a network authentication protocol. The protocol opens ports for network access when an organization authenticates the identity of a user and authorizes the user to access the network. The identity of the user is determined by their credentials or certificate. This is where the RADIUS server comes into play: it confirms these credentials or certificates. If they are not registered on the server, the user can't get access. The RADIUS server does this confirmation by communicating with the directory of the organization. This is mostly done over the LDAP or SAML protocol.  
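To make the exchange above concrete, here is an added example (not code from the original post) that models the switch-side view of 802.1X: the port starts "unauthorized", the switch forwards the user's identity and password to a RADIUS server in an Access-Request, and the port only becomes "authorized" on an Access-Accept whose Response Authenticator checks out. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the user directory, the shared secret and the credentials are constructed stand-ins (a real RADIUS server would look users up in LDAP, or use certificates, rather than a dictionary).

```python
"""Toy 802.1X/RADIUS (RFC 2865) port-access decision. Added example; all data constructed."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-in for the organization's directory (user -> password).
DIRECTORY = {b"alice": b"correct horse battery", b"bob": b"hunter2"}
# Constructed secret shared between the switch/AP (NAS) and the RADIUS server.
SHARED_SECRET = b"constructed-nas-secret"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server knows the same secret and authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Walk the attribute list; stop on a malformed (too short) length byte."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:
            break
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """What the switch sends to RADIUS after the supplicant answers EAP-Request/Identity."""
    attrs = attr(ATTR_USER_NAME, user) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def radius_server(request: bytes, secret: bytes) -> bytes:
    """Check the credentials against DIRECTORY and answer Access-Accept or Access-Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = (code == ACCESS_REQUEST and user in DIRECTORY
          and hmac.compare_digest(DIRECTORY[user], password))  # constant-time compare
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # no reply attributes


def authenticate_port(user: bytes, password: bytes) -> str:
    """Port state as the switch sees it: 'unauthorized' (only EAPOL passes) until
    RADIUS returns an Access-Accept that carries a valid Response Authenticator."""
    port_state = "unauthorized"
    ident, req_auth = 7, os.urandom(16)
    response = radius_server(build_access_request(ident, user, password, SHARED_SECRET, req_auth),
                             SHARED_SECRET)
    expected = hashlib.md5(response[:4] + req_auth + SHARED_SECRET).digest()
    if (response[1] == ident and hmac.compare_digest(response[4:20], expected)
            and response[0] == ACCESS_ACCEPT):
        port_state = "authorized"
    return port_state


if __name__ == "__main__":
    print("alice/correct:", authenticate_port(b"alice", b"correct horse battery"))
    print("alice/wrong:  ", authenticate_port(b"alice", b"wrong"))
    print("carol/unknown:", authenticate_port(b"carol", b"anything"))
```

The switch never sees the directory: it only learns Accept or Reject, and it checks the Response Authenticator so that a forged reply from something that does not know the shared secret cannot open the port. Note that the password hiding shown here protects the switch-to-RADIUS leg, which is exactly why the rest of the post recommends certificate-based EAP-TLS for the supplicant-to-switch leg, where nothing password-like should travel at all.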

The LDAP protocol 

LDAP stands for Lightweight Directory Access Protocol. LDAP is a cross-platform vendor-neutral software protocol that is used for directory service authentication. You can see an LDAP server as a very detailed virtual phone book. The phone book gives you access to an extensive directory of contact information for hundreds of people. Using LDAP makes it very easy for you to search through the phone book and find whatever information you require.  

LDAP maintains all directory information in an organized way and this way you can search easily.  

LDAP Protocol

The SAML protocol 

SAML stands for Security Assertion Markup Language and enables a user to access multiple web applications using a single set of login credentials. It passes authentication information in a specific format between two parties. Usually, this is an identity provider (IDP) and a web application: the service provider. You can compare it with boarding an aircraft. The airline needs to confirm you are who you say you are to ensure the security of all the other passengers on the aircraft. You verify your identity by showing your passport, and once the name on your passport matches the name on the airline ticket, you are allowed to board the aircraft. In this case, the government that provides your passport is the identity provider (IDP) and the airline is the service provider.  

SAML protocol
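The passport check in the analogy maps onto the Conditions a service provider must enforce on every assertion it receives from the identity provider: who issued it, for which service it was issued, and whether it is still valid. The added example below (not code from the original post) runs those checks on a constructed SAML 2.0 assertion; the issuer and audience URLs are made up, and the XML signature check that a real service provider performs first is out of scope here.

```python
"""Service-provider side checks on a SAML 2.0 assertion. Added example; the assertion is constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed assertion: the "passport" the IdP issues for one service provider (the Audience).
# It is unsigned here; in practice the signature over the assertion is verified before anything else.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC in xs:dateTime form with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                       now: datetime) -> tuple:
    """Return (NameID, "ok") if the assertion is acceptable for this service provider,
    else (None, reason). Order matters: reject on the cheapest failing check first."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return None, "not a SAML assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None, "unexpected issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return None, "missing validity window"
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML core 2.5.1.2).
    if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
        return None, "assertion not valid at this time"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None, "assertion issued for a different service provider"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return None, "no subject"
    return name_id, "ok"


if __name__ == "__main__":
    for when in ("2024-01-01T12:02:00Z", "2024-01-01T12:05:00Z"):
        print(when, validate_assertion(ASSERTION, "https://idp.example.test",
                                       "https://sp.example.test", parse_time(when)))
```

Each of the last three `return None, ...` branches corresponds to a real-world mistake: accepting assertions from the wrong IdP, replaying an expired one, or presenting an assertion that was issued for a different application to this one. All three are checks the service provider has to make itself; the identity provider cannot make them on its behalf.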

Why is 802.1X used? 

802.1X is used to secure network authentication. If an organization has valuable/sensitive information, it requires a secure method of transporting data without the risk of third parties that can intercept this data. With 802.1X, devices can communicate with access points in a secure manner. In the past, it was mainly used by very large organizations (enterprises, universities, and hospitals) but with the increase of cyber attacks on smaller businesses, it is rapidly becoming adopted on a large scale by small and medium businesses as well.  

802.1X is strong because it secures connections to wired and wireless networks with rotating key security. For this, WPA2-Enterprise security technology is used. WPA2 uses the Advanced Encryption Standard (AES), which is the first and only publicly accessible cipher that is approved by the US National Security Agency (NSA) for protecting top-secret information. AES was first called Rijndael after its two developers, the Belgian cryptographers Vincent Rijmen and Joan Daemen. WPA2 is also used in most WiFi routers.  

802.1X avoids open/unencrypted or static key (Pre-Shared Key: PSK) connections. This makes it very hard for third parties to succeed in obtaining classified data. 

Don't confuse WPA2-Enterprise security with WPA2 for WiFi. The WPA2 WiFi standard refers to the IEEE 802.11 standard and is only applicable to wireless networks, while IEEE 802.1X applies to both wired and wireless networks. More info about WPA and wireless network security can be found in this post.  

802.1X: wired and wireless use 

The process for authenticating 802.1X for a wired network is the same as the process for a wireless network. The wired network user has to connect to the secure network from his/her device. Then, valid credentials or a signed certificate need to be presented to authenticate the user’s identity. 

The main difference between connecting to a RADIUS server over wireless and over wired is that instead of establishing a secure connection with a wireless access point that uses WPA2, a wired device has to be connected to the Ethernet and has to authenticate to an 802.1X-capable switch. After that, the device and RADIUS server establish trust over the wired connection, and if the user is recognized by the RADIUS server, the user will be authorized for secure network use. 

How secure is 802.1X? 

If you use 802.1X security correctly, it's the top standard for network authentication security. 802.1X prevents over-the-air credential theft such as Man-in-the-Middle attacks and Evil Twin proxies. That said, the security of 802.1X varies depending on two key factors: 

  1. The configuration process needs to be done by a specialist. If one step of the process of setting up 802.1X is incorrect, you are vulnerable to credential theft. This means you should never allow a non-specialist to set up 802.1X manually on his or her device. The best option is to use dedicated 802.1X onboarding software, which removes the risk of human error from the equation. 
  2. The type of authentication an organization uses. An organization can use credential-based authentication or certificate-based authentication. Certificate-based EAP-TLS (Extensible Authentication Protocol/Transport Layer Security) significantly reduces an organization's risk of credential theft and is the most secure way to use 802.1X. Not only does it stop credentials from being sent over the air, where they can be easily stolen, but certificate-based EAP-TLS also forces users to go through a full enrollment/onboarding process that ensures their devices are configured correctly to conform to the 802.1X specifications. 

Final Thoughts

802.1X is easy to understand once you know the basics. When I ran into 802.1X for the first time myself, I had no idea what it was used for and what the benefits are of using this protocol.  

With all this said, this won’t be the final stop of our 802.1X journey. My next post will give more insight into the workings of the RADIUS Server and the working of 802.1X Authentication.  

Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to keep in the loop if I upload a new post, do not forget to subscribe to receive a notification by email. 

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.
