The Anatomy of 802.1X
1/29/2025, 4 min read
802.1X is a port-based network access control protocol designed to secure network access by ensuring that only authenticated clients are granted access. This is achieved through a client-server interaction between three key components: Supplicant (Client), Authenticator (Network Device), and Authentication Server (RADIUS Server). The workflow between these components follows a detailed sequence that we will explore below, using examples and packet captures from a client-server perspective.
Key Components (Client/Server Perspective):
Supplicant (Client): The client device (e.g., laptop, smartphone, or IP phone) requesting access to the network. The supplicant has a network adapter with 802.1X client support, which typically interacts with the Authenticator.
Authenticator (Server): A network device (such as a switch or wireless access point) that manages the authentication process between the Supplicant and the Authentication Server. It controls the port status, only allowing access to the network once authentication is successful.
Authentication Server (RADIUS Server): This is typically a RADIUS server (e.g., Cisco ISE, FreeRADIUS, or Microsoft NPS) that verifies the credentials of the Supplicant. It receives requests from the Authenticator, checks the credentials, and sends back an authentication decision.
Step-by-Step Client/Server Authentication Workflow:
Step 1: Client Requests Access
Action: The Supplicant (client) attempts to connect to the network (e.g., by plugging into a wired port or connecting via Wi-Fi).
Authenticator (network device) places the port in an unauthorized state, allowing only authentication traffic to flow.
Packet Capture Example (Supplicant sends EAPOL-Start to Authenticator):
Ethernet II, Src: 00:1a:2b:3c:4d:5e (Supplicant MAC), Dst: Broadcast (FF:FF:FF:FF:FF:FF)
802.1X Protocol: EAPOL (EAP over LAN)
  EAPOL-Start (0x01) - Client requests access to the network.
Step 2: Authenticator Requests Identity
Action: The Authenticator sends an EAP-Request/Identity message to the Supplicant, asking for the identity (e.g., username or device ID).
Packet Capture Example (Authenticator sends EAP-Request/Identity to Supplicant):
Ethernet II, Src: 00:1a:2b:3c:4d:5e (Authenticator MAC), Dst: Broadcast (FF:FF:FF:FF:FF:FF)
802.1X Protocol: EAPOL (EAP over LAN)
  EAP-Request/Identity (0x01) - Authenticator asks for the client's identity.
Step 3: Supplicant Responds with Identity
Action: The Supplicant responds with an EAP-Response/Identity message, which includes the identity (typically username or device identifier).
Packet Capture Example (Supplicant sends EAP-Response/Identity to Authenticator):
Ethernet II, Src: 00:5e:6f:7a:8b:9c (Supplicant MAC), Dst: Broadcast (FF:FF:FF:FF:FF:FF)
802.1X Protocol: EAPOL (EAP over LAN)
  EAP-Response/Identity (0x02)
  Identity: supplicant@domain.com - Client responds with identity.
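Decoding the three frames above programmatically makes the EAPOL and EAP headers concrete. The Python below is an added example, not code from this post or from InnoTech Consulting: it builds the Step 1-3 frames with the page's sample MACs and identity, addresses the EAPOL-Start to the 802.1X PAE group address 01:80:C2:00:00:03 as IEEE 802.1X specifies, and parses the frames back with length checks so that a truncated or inconsistent frame is rejected rather than silently decoded.

```python
import struct
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address used for EAPOL on a LAN
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}
SUPPLICANT = bytes.fromhex("005e6f7a8b9c")     # the page's Supplicant MAC (constructed sample)
AUTHENTICATOR = bytes.fromhex("001a2b3c4d5e")  # the page's Authenticator MAC (constructed sample)

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length, then Type + Type-Data (Success/Failure carry no Type)."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def build_eapol(src, dst, eapol_type, body=b""):
    """Ethernet frame carrying one EAPOL PDU: EtherType 0x888E, Version 2, Type, Length, Body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, eapol_type, len(body)) + body

def parse_eapol(frame):
    """Decode an EAPOL frame into a dict; raises ValueError for anything that is not well-formed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype, _version, etype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("EtherType is not EAPOL")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL Length claims more bytes than were captured")
    out = {"src": frame[6:12].hex(":"), "dst": frame[:6].hex(":"), "eapol_type": EAPOL_TYPES.get(etype, etype)}
    if etype == 0:  # EAP-Packet: the EAPOL body is an EAP packet
        if length < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP Length inconsistent with EAPOL Length")
        out.update(eap_code=EAP_CODES.get(code, code), eap_id=ident)
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type byte
            out["eap_type"] = EAP_TYPES.get(body[4], body[4])
            if body[4] == 1 and eap_len > 5:  # Identity Type-Data is the NAI/username
                out["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return out

def demo_steps_1_to_3():
    """Replay the page's Steps 1-3: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity."""
    frames = [
        build_eapol(SUPPLICANT, PAE_GROUP_ADDR, 1),                                                # Step 1
        build_eapol(AUTHENTICATOR, SUPPLICANT, 0, build_eap(1, 1, 1)),                             # Step 2
        build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(2, 1, 1, b"supplicant@domain.com")),   # Step 3
    ]
    return [parse_eapol(f) for f in frames]
```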
Step 4: Authenticator Forwards Identity to Authentication Server
Action: The Authenticator forwards the identity to the Authentication Server (RADIUS server) in an EAP-Request message. The Authentication Server will verify the credentials.
Packet Capture Example (Authenticator forwards EAP-Request to Authentication Server):
Ethernet II, Src: 00:1a:2b:3c:4d:5e (Authenticator MAC), Dst: 00:aa:bb:cc:dd:ee (Authentication Server MAC)
RADIUS Access-Request (Code 1)
  User-Name = "supplicant@domain.com"
  EAP-Type = EAP-TLS (for certificate-based authentication)
Step 5: Authentication Server Verifies Credentials
Action: The Authentication Server checks the provided credentials (e.g., password, certificate) against a database (such as LDAP or Active Directory). If the credentials are valid, the server sends an Access-Accept message back to the Authenticator.
Packet Capture Example (Authentication Server responds with Access-Accept):
Ethernet II, Src: 00:aa:bb:cc:dd:ee (Authentication Server MAC), Dst: 00:1a:2b:3c:4d:5e (Authenticator MAC)
RADIUS Access-Accept (Code 2)
  EAP-Type = EAP-TLS
  Success (Authentication successful)
Step 6: Dynamic VLAN Assignment (Optional)
Action: If configured, the Authentication Server assigns the Supplicant to a specific VLAN. This allows the network to segregate clients based on their authentication outcome.
Packet Capture Example (Authentication Server assigns VLAN):
Ethernet II, Src: 00:aa:bb:cc:dd:ee (Authentication Server MAC), Dst: 00:1a:2b:3c:4d:5e (Authenticator MAC)
RADIUS Access-Accept (Code 2)
  Tunnel-Private-Group-ID = 100 (Client assigned to VLAN 100)
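Steps 5 and 6 both turn on one RADIUS Access-Accept, so the added example below (not code from this post or from InnoTech Consulting) shows what the Authenticator must check before it acts on that packet: first the Response Authenticator, which RFC 2865 derives from the shared secret and the Request Authenticator, and only then the Tunnel-Private-Group-ID attribute that carries VLAN 100. The shared secret and Request Authenticator are constructed values, and the last part of the demo shows that an Access-Accept whose VLAN was altered in transit fails the check.

```python
import hashlib
import hmac
import struct
ACCESS_ACCEPT, TUNNEL_PRIVATE_GROUP_ID = 2, 81  # RFC 2865 code; RFC 2868 attribute carrying the VLAN

def attr(atype, value):
    """Encode one RADIUS attribute TLV; the length byte counts the type and length bytes too."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_response(code, ident, request_auth, attrs, secret):
    """RFC 2865 reply: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def parse_attrs(data):
    """Walk the attribute TLVs; a bad length raises so a truncated packet cannot pass silently."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def verify_and_get_vlan(packet, request_auth, secret):
    """Authenticator-side check: validate the Response Authenticator, then return the VLAN string (or None)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from a server holding the shared secret")
    if packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attrs(attrs):
        if atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte <= 0x1F is a tunnel tag, not part of the VLAN string
            return (value[1:] if value[0] <= 0x1F else value).decode("utf-8", "replace")
    return None

SECRET = b"constructed-shared-secret"  # constructed for this example, not a deployment value
REQUEST_AUTH = bytes(range(16))         # constructed stand-in for the Access-Request's authenticator

def demo_step6_vlan_assignment():
    """Rebuild the page's Step 6 reply (Access-Accept, Tunnel-Private-Group-ID = 100, tag 1), decode it, then show that the same reply with its last VLAN digit changed in transit is rejected."""
    pkt = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100"), SECRET)
    vlan = verify_and_get_vlan(pkt, REQUEST_AUTH, SECRET)
    try:
        verify_and_get_vlan(pkt[:-1] + b"2", REQUEST_AUTH, SECRET)  # "100" -> "102" with the MAC left stale
        return vlan, False
    except ValueError:
        return vlan, True
```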
Step 7: Authenticator Grants Access
Action: Upon receiving the Access-Accept message, the Authenticator opens the port, allowing the Supplicant to access the network, and sends an EAPOL-Logoff message to terminate the session setup.
Packet Capture Example (Authenticator grants network access):
Ethernet II, Src: 00:1a:2b:3c:4d:5e (Authenticator MAC), Dst: 00:5e:6f:7a:8b:9c (Supplicant MAC)
802.1X Protocol: EAPOL (EAP over LAN)
  EAPOL-Logoff (0x03) - Access granted to the Supplicant.
Step 8: Authorized Access to the Network
The Supplicant is now authorized to access the network, and data packets can flow normally.
Example Network Configuration for 802.1X (Client/Server Workflow):
Supplicant Configuration:
Install EAPOL-compatible software (e.g., Windows Network Policy Server, macOS, or Linux supplicant).
Enable 802.1X on the network adapter (via operating system network settings).
Authenticator Configuration:
Enable 802.1X on the switch or wireless access point.
Set port authorization to control the flow based on authentication results from the Authentication Server.
Authentication Server Configuration:
Set up RADIUS (e.g., Cisco ISE, FreeRADIUS, or Microsoft NPS).
Define EAP methods (e.g., EAP-TLS, EAP-PEAP).
Configure VLAN assignments and access control policies (e.g., who gets access to which network).
Summary of the 802.1X Client/Server Workflow:
Supplicant sends EAPOL-Start: Client requests network access.
Authenticator requests identity: The Authenticator asks the client for its identity.
Supplicant responds with EAP-Response/Identity: Client sends its identity back to the Authenticator.
Authenticator forwards identity to Authentication Server: Identity is sent to RADIUS server for credential validation.
Authentication Server responds with Access-Accept: Server verifies credentials and sends an Accept message.
Authenticator assigns VLAN (if configured): VLAN assignments based on server configuration.
Authenticator grants network access: Client is authorized to access the network.
Conclusion:
802.1X uses a client-server authentication process to secure network access, with the Supplicant initiating the process, the Authenticator controlling access, and the Authentication Server verifying credentials. Through this detailed workflow, including packet captures, you can see how each component plays its role in ensuring secure and managed access to the network.
Copyright © 2025 InnoTech Consulting - All Rights Reserved.
