802.1X Security | Part 2

Most companies do not have an extra security layer when a client computer connects to the wired network. When connecting to a network, the client computer receives an IP address from a DHCP (Dynamic Host Configuration Protocol: the “IP generator”) server. At this point, the client computer is neither identified nor authenticated on the wired network, and an attacker with knowledge of the network can launch attacks from it.

When wireless networks were introduced, IEEE 802.1X became popular in enterprise wireless networks. With the introduction of Wi-Fi 6 and the rise of flexible workplaces, wireless networks are starting to overtake wired networks, with the wired network serving as a fallback in case the wireless network fails.

The goal of IEEE 802.1X was to have every wireless client computer on the network authenticated and identified. With the growing popularity of the Zero-Trust security framework, organizations are also starting to implement IEEE 802.1X on wired networks, because current technology makes this possible.

In my previous post, I explained how 802.1X works in wired and wireless networks. In this post, I will explain how a RADIUS server works, why 802.1X needs a RADIUS server, and how the authentication process works.

RADIUS Server 

The RADIUS (Remote Authentication Dial-In User Service) server is the “security guard” of the network. When a user connects to the network, the RADIUS server authenticates their identity and also authorizes them for network use. After enrolling for a certificate from the PKI (Public Key Infrastructure) or after confirming credentials, the user is authorized for network access. Every time a user connects, the RADIUS server confirms that the user has the correct certificate or credentials. This keeps unapproved users off the network.

When a RADIUS server is used, it is vital to use server certificate validation. This is a critical security mechanism of RADIUS. Server certificate validation guarantees that a user only connects to the network they intend to, because their device is configured to confirm the identity of the RADIUS server by checking its server certificate. If the certificate does not match the server the device expects, the device will not send its certificate or credentials for authentication. This prevents the user from becoming the victim of an Evil Twin proxy attack.

Why do you need a RADIUS Server with 802.1X? 

802.1X needs to verify credentials, and this requires a dedicated server. A RADIUS server is a perfect fit for the job. The RADIUS server checks the directory of authorized users to confirm whether a client has permission to access the network. After verification, the result is passed back to the controller/access point. If you left the RADIUS server out of the equation, authentication would have to be done at the access point itself, which would require very powerful APs. Technology is advancing quickly, but as of yet such APs are not available; what is impossible now will likely be possible in the (near) future.

Setting up a WPA2-Enterprise network 

Don’t underestimate setting up a WPA2-Enterprise network. To build a robust WPA2-Enterprise network, you need to do additional tasks:

  • Setting up a PKI (Public Key Infrastructure) or CA (Certificate Authority) 
  • A seamless distribution system that distributes certificates to users. 

This might sound expensive but it isn’t. You don’t need to invest in new hardware to upgrade. You also don’t have to change any current infrastructure. For example, if you want to roll out guest access or if you want to change the authentication method, you don’t have to add infrastructure or hardware. 

Many organizations have switched EAP (Extensible Authentication Protocol) methods, from PEAP (Protected Extensible Authentication Protocol) to EAP-TLS, after noticing a big improvement in connection time and roaming ability. The functionality of wireless networks can be improved without changing a single piece of hardware.

802.1X Authentication in practice 

So how does this all work? The 802.1X authentication process can be split into four steps: 

Step 1 Initialization 

This step starts when the authenticator detects a new device. After detection, it attempts to establish a connection. The authenticator port is set to an “unauthorized” state. This means that only 802.1X traffic is accepted and every other connection will be dropped. 

Step 2 Initiation 

After initialization, the authenticator starts transmitting EAP-Requests to the new device, and the device sends EAP-Responses back to the authenticator. This response usually contains a way to identify the new device. The authenticator receives the EAP response and relays it to the authentication server in a RADIUS Access-Request packet.

Step 3 Negotiation 

After the authentication server has received the Access-Request packet, it responds with a RADIUS Access-Challenge packet that contains the approved EAP authentication method for the device. The authenticator then passes the challenge packet on to the device that needs to be authenticated.

Step 4 Authentication 

After the EAP method has been configured on the device, the authentication server starts sending the configuration profiles that authenticate the device. Once the process is complete, the port is set to “authorized” and the device has been successfully connected to the 802.1X network.
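To make Steps 2 and 3 concrete, here is an added Python example (not code from the original post) that frames the RADIUS Access-Request carrying the device's EAP-Response/Identity and the Access-Challenge that answers it with an EAP-TLS start, including the Message-Authenticator and Response Authenticator checks each side performs before trusting a packet. The shared secret, the identity and the State value are constructed placeholders.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579); EAP codes and types (RFC 3748, RFC 5216)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 24, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 2, 1, 13

def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: what the supplicant answers in Step 2."""
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(identity)) + bytes([EAP_TYPE_IDENTITY]) + identity
def eap_tls_start(eap_id):
    """EAP-Request/EAP-TLS with the S (start) flag: the method the server picks in Step 3."""
    return struct.pack("!BBH", EAP_REQUEST, eap_id, 6) + bytes([EAP_TYPE_TLS, 0x20])
def attr(t, value):
    return bytes([t, 2 + len(value)]) + value  # Type, Length (header included), Value
def find_attr(pkt, wanted):
    """Offset of the first attribute of type `wanted` after the 20-byte header, or None."""
    i = 20
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2:  # a length < 2 is malformed: stop
        if pkt[i] == wanted:
            return i
        i += pkt[i + 1]
    return None
def seal(code, ident, request_auth, attrs, secret):
    """Frame the packet; Message-Authenticator = HMAC-MD5(secret, packet with Request Authenticator in header, MA zeroed)."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
def access_request(ident, username, eap_payload, secret, request_auth=None):
    """Authenticator -> RADIUS server (Step 2); the Request Authenticator is 16 fresh random bytes."""
    attrs = [attr(USER_NAME, username), attr(EAP_MESSAGE, eap_payload)]
    return seal(ACCESS_REQUEST, ident, request_auth or os.urandom(16), attrs, secret)
def access_challenge(request_pkt, eap_payload, secret, state):
    """RADIUS server -> authenticator (Step 3); header = Response Authenticator = MD5(Code|ID|Len|ReqAuth|Attrs|secret)."""
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    pkt = seal(ACCESS_CHALLENGE, ident, request_auth, [attr(EAP_MESSAGE, eap_payload), attr(STATE, state)], secret)
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() + pkt[20:]
def message_authenticator_ok(pkt, secret, request_auth):
    """Recompute the HMAC with the Message-Authenticator zeroed; a packet without one is rejected."""
    i = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if i is None or pkt[i + 1] != 18:
        return False
    zeroed = pkt[:4] + request_auth + pkt[20:i + 2] + bytes(16) + pkt[i + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18])
def response_ok(pkt, secret, request_auth):
    """Authenticator-side check of a Challenge/Accept/Reject: both authenticators must verify."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20]) and message_authenticator_ok(pkt, secret, request_auth)
```

A packet whose Message-Authenticator is missing or does not verify is dropped before any EAP payload inside it is processed, which is the check that keeps a forged Access-Challenge from steering the device toward a weaker method.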

Is 802.1X the perfect defense? 

No security protocol is invulnerable and 802.1X is not an exception to this rule. Wireless 802.1X is most commonly configured as: 

  • WPA-PSK (pre-shared key/WPA-Personal) 
  • WPA  
  • WPA2 Enterprise 
  • WPA3 (but this is still pretty uncommon) 

From this list, PSK is the simplest and most vulnerable protocol. The WPA-PSK protocol configures a password on the access point and distributes it to the users of the network. It is easily cracked with a run-of-the-mill brute-force attack and is also susceptible to all other common attacks. WPA-PSK is obsolete nowadays, so if you have WPA-PSK running on any access point, replace it at once.

WPA is not much stronger than WPA-PSK, but enterprise-level wireless networks are typically not compromised by brute-force attacks because the network administrator will have mandated complex passwords and reset policies. Depending on the authentication standard the enterprise network uses, it still has vulnerabilities to other forms of attack. WPA is also outdated and should be replaced by at least WPA2.

PEAP MSCHAPv2 was the industry standard for WPA2-Enterprise networks, but it has been cracked. Still, many organizations use this standard even though it is vulnerable to over-the-air attacks. Because PEAP MSCHAPv2 uses symmetric cryptography, packets in the air can be intercepted by a hacker and decrypted.

EAP-TTLS/PAP is also a common standard that is vulnerable to over-the-air attacks. It is especially weak because credentials are sent in clear text, so stealing them is simply a matter of a hacker intercepting a packet in the air. Pay attention when looking for cloud RADIUS servers that use the EAP-TTLS/PAP protocol: many support EAP-TTLS/PAP, and you should not use RADIUS servers with this protocol.

The strongest WPA2-Enterprise standard is EAP-TLS (Extensible Authentication Protocol/Transport Layer Security). EAP-TLS relies on the asymmetric cryptography of digital certificates for authentication, which makes it immune to over-the-air attacks. Even if traffic is intercepted, the hacker only harvests one half of the public-private key pair, which is useless without the other half.

Although WPA2-Enterprise with EAP-TLS is still a secure method, WPA3-Enterprise should be considered if you need an upgrade anyway. WPA3 replaces PSK with Simultaneous Authentication of Equals (SAE). At its core, SAE requires user interaction every time credentials are entered. This small addition is a foolproof method for denying dictionary attacks. The largest improvement of WPA3 is the requirement of server certificate validation when a RADIUS server is in use. In the past, organizations might omit server certificate validation, or they lacked onboarding software and end users misconfigured it. WPA3-Enterprise avoids this potential issue, because without server certificate validation end users are at high risk of over-the-air credential theft.

Final Thoughts

Switching a wired network to IEEE 802.1X, and with it connecting the LAN Ethernet ports to a RADIUS server, is a must when setting up a Zero-Trust security framework: it is a critical part of that framework.

I guess it might be hard to convince experienced administrators that technological advances make switching to a RADIUS server possible. In the past, it wasn’t possible, but with the introduction of a Network Access Control (NAC) solution it is.

Still, you might hear remarks like: “Not possible to connect with RADIUS”. But it is possible, with some extra study/knowledge gathering on different platforms such as Public Key Infrastructure, RADIUS servers, and switch configuration, combined with training the support tech department in troubleshooting the process.

One thing is key to making the switch to a Zero-Trust Framework a success: your team needs to fully support the different approaches. Change is not easy for a lot of people, and it makes many people insecure. The role of a good manager is to show that this is possible and will save them a lot of headaches in the future. Involve them at the start of a Zero-Trust Framework project and listen to/process their input into the project.

I love Star Wars, and in Episode 5 Luke is trained by Yoda on Dagobah. Yoda asks Luke to lift his X-Wing from the swamp. The below dialogue follows:

Luke fails because he “tries”. After that, Yoda lifts the X-Wing from the swamp with the Force. Luke is totally surprised, and the next dialogue follows:

In other words: your team needs to believe that the Zero-Trust Framework is going to be a total success. Otherwise, it’s doomed to fail, like all projects that are not backed/believed in by team members.

Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to stay in the loop when I upload a new post, do not forget to subscribe to receive a notification by email.

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.