Wireless Hacks Free Open Book

Hack 10 802.1x: Port Security for Network Communications

Secure access to virtually any network port (wired or wireless) with 802.1x.

The 802.1x protocol is actually not a wireless protocol at all. It describes a method for port authentication that can be applied to nearly any network connection, whether wired or wireless.

Just when you thought you knew every IEEE spec relating to wireless, suddenly 802.1x appeared on the scene. The full title of 802.1x is "802.1x: Port Based Network Access Control." Interestingly enough, 802.1x wasn't originally designed for use in wireless networks; it is a generic solution to the problem of port security. Imagine a college campus with thousands of Ethernet jacks scattered throughout libraries, classrooms, and computer labs. At any time, someone could bring their laptop on campus, sit down at an unoccupied jack, plug in, and instantly gain unlimited access to the campus network. If network abuse by the general public were common, it might be desirable to enforce a policy of port access control that permitted only students and faculty to use the network.

This is where 802.1x fits in. Before any network access (to Layer 2 or above) is permitted, the client (the supplicant, in 802.1x parlance) must authenticate itself. When first connected, the supplicant can only exchange data with a component called the authenticator. The authenticator in turn checks the supplicant's credentials with a central data source (the Authentication Server), typically a RADIUS server or other existing user database. If all goes well, the authenticator notifies the supplicant that access is granted (along with some other optional data) and the client can go about its merry way. The standard does not define the particular encryption methods to be used, but it does provide an extensible framework for encryption—the Extensible Authentication Protocol, or EAP.
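The port gating described above, as an added example that is not code from the book: a small model of the authenticator's side of one port, which drops everything except EAPOL frames (EtherType 0x888E) until the authentication server returns EAP-Success. The class and helper names, the string verdicts, and the sample frames are assumptions made for illustration; the RADIUS leg between authenticator and server is not modeled.

```python
import struct

ETH_P_EAPOL = 0x888E                      # EtherType for EAP over LAN (EAPOL)
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_SUCCESS, EAP_FAILURE = 3, 4           # EAP codes sent by the auth server

def eth_frame(ethertype, payload):
    """Constructed Ethernet frame; both MAC addresses are made-up sample values."""
    macs = b"\x02\x00\x00\x00\x00\xaa" + b"\x02\x00\x00\x00\x00\x01"
    return macs + struct.pack("!H", ethertype) + payload

def eapol(ptype, body=b""):               # EAPOL header: version, type, body length
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def eap(code, ident, data=b""):           # EAP header: code, identifier, total length
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

class AuthenticatorPort:
    """Hypothetical model of one 802.1x-controlled port (names are illustrative)."""
    def __init__(self):
        self.authorized = False           # port starts closed to ordinary traffic

    def from_supplicant(self, frame):
        """Return the verdict for a frame arriving from the client side."""
        if len(frame) < 14:
            return "drop"                 # shorter than an Ethernet header
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETH_P_EAPOL:      # ordinary traffic: only after auth
            return "forward" if self.authorized else "drop"
        if len(frame) < 18:
            return "drop"                 # truncated EAPOL header
        _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
        if len(frame) - 18 < length:
            return "drop"                 # body shorter than the header claims
        if ptype == EAPOL_START:
            return "send-identity-request"
        if ptype == EAPOL_LOGOFF:
            self.authorized = False       # client ended the session: close port
            return "logoff"
        if ptype == EAPOL_EAP and length >= 4:
            return "relay-to-auth-server"
        return "drop"

    def from_auth_server(self, eap_packet):
        """Apply the server's decision, then wrap its EAP packet for the client."""
        code = eap_packet[0] if len(eap_packet) >= 4 else None
        if code in (EAP_SUCCESS, EAP_FAILURE):
            self.authorized = (code == EAP_SUCCESS)
        return eth_frame(ETH_P_EAPOL, eapol(EAPOL_EAP, eap_packet))
```

Note that the port state changes only on the server's EAP-Success or EAP-Failure, or on the client's EAPOL-Logoff; nothing the supplicant sends can open the port by itself.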

802.1x is widely regarded by the popular press as "the fix" for the problems of authentication in wireless networks. For example, the "other data" that is sent back to the supplicant could contain WEP keys that are dynamically assigned per session and are automatically renewed every so often, making most data collection attacks against WEP futile. Unfortunately, 802.1x has been found to be susceptible to certain session hijacking, denial of service, and man-in-the-middle attacks when used with wireless networks, making the use of 802.1x as the "ultimate" security tool a questionable proposition.

As of this writing, 802.1x drivers for Windows XP and 2000 are available, and many access points (notably Cisco and Proxim) support some flavor of 802.1x. There is also an open source 802.1x supplicant implementation project available at http://www.open1x.org/. It is possible to use the Host AP driver to provide authenticator services to a RADIUS server or other authentication server via the backend.

Unfortunately, the popular press tends to abbreviate 802.11a/b/g as 802.11x, which looks a lot like 802.1x—but don't be fooled. While it has an application in wireless networks, 802.1x actually has nothing to do with wireless networking. For a good discussion of 802.1x security methods and problems online, take a look at http://www.sans.org/rr/wireless/802.11.php.
