This document describes the software and procedures to set up and use 802.1X: Port-Based Network Access Control using Xsupplicant with PEAP (PEAP/MS-CHAPv2) as authentication method and FreeRADIUS as back-end authentication server.
If an authentication mechanism other than PEAP is preferred, e.g., EAP-TLS or EAP-TTLS, only a small number of configuration options needs to be changed. PEAP/MS-CHAPv2 is also supported by Windows XP SP1 and Windows 2000 SP3.
The 802.1X-2001 standard states:
"Port-based network access control makes use of the physical access characteristics of IEEE 802 LAN infrastructures in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases which the authentication and authorization fails. A port in this context is a single point of attachment to the LAN infrastructure." --- 802.1X-2001, page 1.
See figure 802.1X for explanation.
Why is it called "port"-based authentication? The Authenticator deals with a controlled and an uncontrolled port. Both are logical entities (virtual ports), but they use the same physical connection to the LAN (the same point of attachment).
Before authentication, only the uncontrolled port is "open". The only traffic allowed through it is EAPOL; see Authenticator System 1 in figure port. After the Supplicant has been authenticated, the controlled port is opened and access to other LAN resources is granted; see Authenticator System 2 in figure port.
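To make the controlled/uncontrolled port distinction concrete, here is an added Python model of an Authenticator's port logic (example code written for this page, not part of Xsupplicant, FreeRADIUS or the 802.1X standard text). It parses real EAPOL and EAP header layouts (EtherType 0x888E, EAPOL types 0-3, EAP codes 1-4) over constructed sample frames; the class and function names, the `backend_result()` hook standing in for the RADIUS Access-Accept/Reject, and the sample MAC addresses are assumptions made for the example.

```python
import struct

# Real protocol constants: IEEE 802.1X EtherType and EAPOL packet types, RFC 3748 EAP codes.
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PAE_GROUP_ADDRESS = b"\x01\x80\xc2\x00\x00\x03"  # 802.1X PAE group MAC


def parse_eapol(payload):
    """Parse an EAPOL header: version(1) type(1) body-length(2) followed by the body."""
    if len(payload) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body length mismatch")
    return version, ptype, body


def parse_eap(body):
    """Parse an EAP header (RFC 3748): code(1) identifier(1) length(2) [type(1) ...]."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length > len(body):
        raise ValueError("EAP length field exceeds packet")
    # Only Request/Response packets carry a Type byte (1 = Identity).
    eap_type = body[4] if code in (1, 2) and length >= 5 else None
    return EAP_CODE_NAMES.get(code, "Unknown"), ident, eap_type


class AuthenticatorPort:
    """One physical point of attachment with its two logical ports (hypothetical model)."""

    def __init__(self):
        self.authorized = False  # state of the controlled port

    def receive(self, frame):
        """Decide what happens to one Ethernet frame arriving from the Supplicant."""
        _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
        payload = frame[14:]
        if ethertype == ETHERTYPE_EAPOL:
            # Uncontrolled port: always open, but it only relays EAPOL to the PAE.
            _version, ptype, body = parse_eapol(payload)
            if ptype == EAPOL_START:
                return ("uncontrolled", "EAPOL-Start")
            if ptype == EAPOL_LOGOFF:
                self.authorized = False  # Supplicant leaves: close the controlled port again
                return ("uncontrolled", "EAPOL-Logoff")
            if ptype == EAPOL_EAP_PACKET:
                code, ident, eap_type = parse_eap(body)
                return ("uncontrolled", "EAP-%s id=%d type=%s" % (code, ident, eap_type))
            return ("uncontrolled", "EAPOL type %d" % ptype)
        # Controlled port: all non-EAPOL traffic, passed only while authorized.
        return ("controlled", "forwarded" if self.authorized else "dropped")

    def backend_result(self, success):
        """Hypothetical hook: the PAE calls this with the back-end (RADIUS) verdict."""
        self.authorized = bool(success)


def build_frame(ethertype, payload, src=b"\x00\x11\x22\x33\x44\x55", dst=PAE_GROUP_ADDRESS):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def build_eapol(ptype, body=b""):
    return struct.pack("!BBH", 1, ptype, len(body)) + body  # EAPOL version 1 (802.1X-2001)


# Constructed sample frames: a fake IPv4 frame and the EAPOL frames of a minimal exchange.
IP_FRAME = build_frame(0x0800, b"\x45" + b"\x00" * 19)
EAPOL_START_FRAME = build_frame(ETHERTYPE_EAPOL, build_eapol(EAPOL_START))
IDENTITY = b"alice"
EAP_IDENTITY_FRAME = build_frame(
    ETHERTYPE_EAPOL,
    build_eapol(EAPOL_EAP_PACKET, struct.pack("!BBH", 2, 1, 5 + len(IDENTITY)) + b"\x01" + IDENTITY),
)
EAPOL_LOGOFF_FRAME = build_frame(ETHERTYPE_EAPOL, build_eapol(EAPOL_LOGOFF))


def demo():
    """Walk one Supplicant through unauthenticated, authenticated and logged-off states."""
    port = AuthenticatorPort()
    events = [port.receive(IP_FRAME)]             # blocked: controlled port closed
    events.append(port.receive(EAPOL_START_FRAME))  # accepted on the uncontrolled port
    events.append(port.receive(EAP_IDENTITY_FRAME))
    port.backend_result(True)                     # back-end said Access-Accept
    events.append(port.receive(IP_FRAME))         # now forwarded
    events.append(port.receive(EAPOL_LOGOFF_FRAME))
    events.append(port.receive(IP_FRAME))         # blocked again
    return events


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

The model shows the security property that matters: nothing but EAPOL ever crosses the uncontrolled port, and an EAPOL-Logoff (or a back-end rejection) returns the controlled port to its closed state.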
802.1X plays a major role in the new IEEE wireless standard 802.11i.
Wired Equivalent Privacy (WEP), which is part of the original 802.11 standard, was meant to provide confidentiality. Unfortunately WEP is poorly designed and easily cracked. There is no authentication mechanism, only a weak form of access control (you must have the shared key to communicate).
In response to WEP's broken security, IEEE came up with a new wireless security standard named 802.11i. 802.1X plays a major role in this new standard.
The new security standard, 802.11i, which was ratified in June 2004, fixes all WEP weaknesses. It is divided into three main categories:
In addition, an optional encryption method called "Wireless Robust Authentication Protocol" (WRAP) may be used instead of CCMP. WRAP was the original AES-based proposal for 802.11i, but was replaced by CCMP after it became plagued by intellectual property encumbrances. Support for WRAP is optional, whereas CCMP support is mandatory in 802.11i.
802.11i also has an extended key derivation/management, described next.
To enforce a security policy using encryption and integrity algorithms, keys must be obtained. Fortunately, 802.11i implements a key derivation/management regime. See figure KM.
For small office / home office (SOHO), ad-hoc networks or home usage, a pre-shared key (PSK) may be used. When using PSK, the whole 802.1X authentication process is skipped. This has also been called "WPA Personal" (WPA-PSK), whereas WPA using EAP (and RADIUS) is "WPA Enterprise" or just "WPA".
The 256-bit PSK is generated from a given password using PBKDF2 from [RFC2898], and is used as the Master Key (MK) described in the key management regime above. It can be one single PSK for the whole network (insecure), or one PSK per Supplicant (more secure).
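The PSK derivation can be reproduced with nothing but the standard library. The following is an added example, not code from the page or from any of the projects it discusses: 802.11i specifies the PSK as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations and a 256-bit output, and the known test vector (passphrase "password", SSID "IEEE") confirms it. The per-Supplicant bookkeeping and the `shared_psks()` check are assumptions made to illustrate the one-PSK-for-all versus one-PSK-per-Supplicant choice from the text.

```python
import hashlib
from collections import defaultdict


def derive_psk(passphrase, ssid):
    """802.11i PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases must be 8 to 63 characters long")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("802.11i passphrases are limited to printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def psk_table(ssid, credentials):
    """Map each Supplicant name to its PSK (hex). `credentials` is name -> passphrase.
    This table is a hypothetical bookkeeping structure, not a standard artifact."""
    return {name: derive_psk(pw, ssid).hex() for name, pw in credentials.items()}


def shared_psks(table):
    """Return groups of Supplicants that share a PSK; a non-empty result means the
    network is in the 'one PSK for the whole network' configuration the text calls insecure."""
    by_key = defaultdict(list)
    for name, psk in table.items():
        by_key[psk].append(name)
    return [sorted(names) for names in by_key.values() if len(names) > 1]


if __name__ == "__main__":
    # Constructed sample credentials: two Supplicants share one passphrase, one has its own.
    table = psk_table("IEEE", {"alice": "password", "bob": "password", "carol": "ThisIsAPassword"})
    for name, psk in table.items():
        print(name, psk)
    print("shared PSK groups:", shared_psks(table))
```

Because the SSID is the salt, the same passphrase gives a different PSK on a different SSID, but within one network every Supplicant using the common passphrase ends up with the identical Master Key, which is exactly why a single shared PSK gives no per-device separation.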
The industry didn't have time to wait until the 802.11i standard was completed. They wanted the WEP issues fixed now! Wi-Fi Alliance felt the pressure, took a "snapshot" of the standard (based on draft 3), and called it Wi-Fi Protected Access (WPA). One requirement was that existing 802.11 equipment could be used with WPA, so WPA is basically TKIP + 802.1X.
WPA is not the long term solution. To get a Robust Secure Network (RSN), the hardware must support and use CCMP. RSN is basically CCMP + 802.1X.
An RSN that uses TKIP instead of CCMP is also called a Transition Security Network (TSN). RSN may also be called WPA2, so that the market doesn't get confused.
Extensible Authentication Protocol (EAP) [RFC 3748] is just the transport protocol optimized for authentication, not the authentication method itself:
" [EAP is] an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this." --- RFC 3748, page 3
Since 802.1X uses EAP, multiple different authentication schemes may be added, including smart cards, Kerberos, public key, one-time passwords, and others.
Some of the most-used EAP authentication mechanisms are listed below. A full list of registered EAP authentication types is available at IANA: http://www.iana.org/assignments/eap-numbers.
Remote Authentication Dial-In User Service (RADIUS) is defined in [RFC2865] (and its companion RFCs), and was primarily used by ISPs to authenticate a username and password before the user was authorized to use the ISP's network.
802.1X does not specify what kind of back-end authentication server must be present, but RADIUS is the "de facto" back-end authentication server used with 802.1X.
There are not many AAA protocols available, but both RADIUS and DIAMETER [RFC3588] (including their extensions) provide full AAA support. AAA stands for Authentication, Authorization, and Accounting (IETF's AAA Working Group).