– Chapter 5 (B) – Using IEEE 802.1xIEEE 802.1x Standard802.1x Entities802.1x entitiesPort access entity (PAE)Controlled and uncontrolled accessSupplicant – Authenticator - Auth. Server802.1x communcationsEAPSlide 10Slide 11Using EAP in IEEE 802.1xMore EAP Scenarios in 802.1xSlide 14EAPOLEAPOL Packet type in IEEE 802.3EAPOL-Key frameOverall 802.1x ArchitectureSummaryNetwork Security 1– Chapter 5 (B) – Using IEEE 802.1x•Purpose: (a) port authentication(b) access control•An IEEE standard http://standards.ieee.org/getieee802/download/802.1X-2001.pdf•Used in both wired and wireless networks–Example: used in 802.11i as the new security mechanism of IEEE 802.11 (aka WLAN), replacing the originally proposed un-secure WEP•See http://sce.cl.uh.edu/yang/research/WLAN%20security.doc for further discussions.Network Security 2IEEE 802.1x Standard•Primary goal: to allow for controlled access to the LAN environment–Authentication of Layer 2 devices–Before a device is allowed to connect to the physical or logical port of a switch or a wireless access point, it first needs to be authenticated and authorized.•Example Uses: Ethernet, Token Ring, 802.11 WLAN•Additional resource: http://www.networkdictionary.com/protocols/8021x.phpNetwork Security 3802.1x Entities1. Supplicant: •requests to connect to a LAN2. Authenticator: •responsible for initiating the authentication process•Acting as a relay btwn the authentication server and the supplicant3. Authentication server: •responsible for doing the actual authentication & authorizationNetwork Security 4802.1x entitiesNetwork Security 5Port access entity (PAE)•From section 6.2 of the IEEE 802.1x standard (http://standards.ieee.org/getieee802/download/802.1X-2001.pdf) •The Port Access Entity (PAE) operates the algorithms and protocols associated with the authentication mechanisms for a given Port of the System.•In the Supplicant role, the PAE is responsible for responding to requests from an Authenticator for information that will establish its credentials. The PAE that performs the Supplicant role in an authentication exchange is known as the Supplicant PAE.•In the Authenticator role, the PAE is responsible for communication with the Supplicant, and for submitting the information received from the Supplicant to a suitable Authentication Server in order for the credentials to be checked and for the consequent authorization state to be determined. The PAE that performs the Authenticator role in an authentication exchange is known as the Authenticator PAE.–The Authenticator PAE controls the authorized/unauthorized state of its controlled Port (see 6.3) depending on the outcome of the authentication process.Network Security 6Controlled and uncontrolled access•The operation of Port-based access control has the effect of creating two distinct points of access to the Authenticator System’s point of attachment to the LAN.•The uncontrolled and controlled Ports are considered to be part of the same point of attachment to the LAN; any frame received on the physical Port is made available at both the controlled and uncontrolled Ports, subject to the authorization state associated with the controlled Port.Network Security 7Supplicant – Authenticator - Auth. ServerNetwork Security 8802.1x communcations•EAP–Originally developed for PPP–Allow two entities to exchange authentication data via various authentication mechanisms:One-time password, MD5 hashed username and password, etc.–RFC 2284 PPP Extensible Authentication Protocol (EAP) L. Blunk, J. Vollbrecht. March 1998 (obsoleted)–RFC3748 Extensible Authentication Protocol (EAP) B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz (Ed.) June 2004 (current edition)–RFC3579 RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP) B. Aboba, P. Calhoun. September 2003.Network Security 9EAP•Aboba, et al. Standards Track [Page 21] RFC 3748 EAP June 2004 (ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt)Network Security 10EAP•4 types of EAP packets1. Request2. Response3. Success4. Failure•Subtypes of request/response messages:–Identify: authenticator (“send your identity info”)  supplicant–Notification: authenticator (“notification/warning, etc.”)  supplicant–NAK: supplicant (“unacceptable! This is my desired authentication mechanism”)  authenticator–MD-5 challenge: authenticator (challenge)  supplicantsupplicant (response)  authenticatorNetwork Security 11EAP•Subtypes of request/response messages (cont.):–One-time passworda password with an expiration time that is about to expire, i.e., an OTP sequence integer which is nearing 0–EAP-TLS messageAllows a supplicant and an authentication server to use digital certificates to authenticate each otherRFC2716 PPP EAP TLS Authentication Protocol B. Aboba, D. Simon. October 1999.A mutual authentication methodNetwork Security 12Using EAP in IEEE 802.1xQuestion: Is this protocol secure?Is ‘replay attack’ possible?Network Security 13More EAP Scenarios in 802.1xNetwork Security 14More EAP Scenarios in 802.1xNetwork Security 15EAPOL•EAP over LANs–Allows EAP packets to be encapsulated in regular LAN frames (e.g., Ethernet, Token Ring)–Source: http://standards.ieee.org/getieee802/download/802.1X-2001.pdfNetwork Security 16EAPOL Packet type in IEEE 802.3a) EAP-Packet. A value of 0000 0000 indicates that the frame carries an EAP packet.b) EAPOL-Start. A value of 0000 0001 indicates that the frame is an EAPOL-Start frame.c) EAPOL-Logoff. A value of 0000 0010 indicates that the frame is an explicit EAPOL-Logoff request frame.d) EAPOL-Key. A value of 0000 0011 indicates that the frame is an EAPOL-Key frame.e) EAPOL-Encapsulated-ASF-Alert. A value of 0000 0100 indicates that the frame carries an EAPOL-Encapsulated-ASF-Alert.All other possible values of this field shall not be used, as they are reserved for use in potential future extensions to this protocol.Network Security 17EAPOL-Key frameNetwork Security 18Overall 802.1x ArchitectureNetwork Security 19Summary•Next: NAT and