White Paper Excerpt

This is an excerpt from our upcoming white paper “Wi-Fi Offloading, How?”. This white paper is highly technical and is a continuation of the white paper “Wi-Fi Offloading, Why?” that was published in May 2024. Did you miss it? Access it here!


Wi-Fi Offloading, How? – Chapter 2.1

Secure Wi-Fi with 802.1x and WPA2/WPA3

IEEE 802.1x is a key standard in network security. It provides port-based Network Access Control (PNAC) that serves as the first line of defense against unauthorized access in both wired and wireless networks. By enforcing authentication at the network port level, 802.1x ensures that only authorized devices can access the network, thereby mitigating risks associated with rogue devices and unauthorized users.


The 802.1x Architecture

Secure Wi-Fi with 802.1x, EAP and WPA2/WPA3

At the heart of 802.1x is a triad of entities that work together to enforce access control:

  1. Supplicant: The device seeking to join the network (e.g., a laptop, smartphone, or IoT device). The supplicant initiates the authentication process by requesting access to the network.
  2. Authenticator: Typically, a Wi-Fi Access Point (AP) or Wi-Fi AP Controller, the authenticator acts as a gatekeeper. It controls the port to which the supplicant is connected and facilitates the communication between the supplicant and the authentication server.
  3. Authentication Server: The server, often a RADIUS AAA server, validates the supplicant’s credentials. It makes the final decision on whether the supplicant can access the network.

The communication among these entities follows a defined process that leverages the Extensible Authentication Protocol (EAP). The communication between the Supplicant and the Authentication Server is secured end-to-end: only EAP over LAN (EAPOL) is allowed between the Supplicant and the Authenticator, and only EAP encapsulated in RADIUS between the Authenticator and the Authentication Server, so the Authenticator relays the EAP conversation without interpreting it.

The 802.1x authentication process is orchestrated through a series of EAP messages. In the Seamless Access with SIM Authentication chapter, we will cover this in more depth in the context of Wi-Fi Offloading.

Depending on the EAP method used, a series of challenge-response exchanges occurs between the supplicant and the authentication server. These exchanges can involve using certificates, username/password combinations, or other authentication credentials.

If the authentication server validates the credentials successfully, it sends an EAP-Success message to the authenticator, which then authorizes the port, granting the supplicant full network access. If authentication fails, an EAP-Failure message is sent, and the port remains unauthorized.

Once authenticated, data transmitted over the network can be encrypted by the Authenticator with WPA2/WPA3 to ensure confidentiality and integrity. Many, including Enea, refer to 802.1x as secure and encrypted Wi-Fi. However, the 802.1x authentication scheme itself does not encrypt traffic; it only enables WPA2/WPA3 encryption by supplying the key material from which the Wi-Fi session keys are derived.


802.1x Security Considerations

802.1x significantly enhances network security, but it is not without vulnerabilities.

Some EAP methods, such as EAP-MD5, are considered weak because they do not support encryption or mutual authentication. Without mutual authentication between the Supplicant and Authentication Server, attackers can insert themselves between the supplicant and the authenticator, potentially intercepting or altering communication.

It’s crucial to use stronger methods like EAP-TLS, which offers certificate-based mutual authentication. The SIM-credential EAP methods used for Wi-Fi Offloading (EAP-AKA, EAP-AKA′ and 5G-AKA) are at the same security level as EAP-TLS. The legacy EAP-SIM protocol used for 2G/3G has weaker encryption than its successors. We recommend against using EAP-SIM.
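The EAP message flow described in the architecture section and the method policy recommended above, modelled together as an added example (not code from the white paper or from Enea): a pass-through Authenticator that only authorizes its port on EAP-Success, and an Authentication Server that rejects EAP-MD5 and EAP-SIM before any exchange starts. The credential store and the HMAC challenge are constructed stand-ins, not a real EAP method.

```python
# Added illustration (not from the white paper): the 802.1x triad in miniature.
# The Authenticator relays EAP (EAPOL <-> RADIUS) without reading the method and
# opens its port only on EAP-Success. Codes per RFC 3748; HMAC challenge is a stand-in.
import hashlib, hmac, os
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_MD5, EAP_TLS, EAP_SIM, EAP_AKA, EAP_AKA_PRIME = 4, 13, 18, 23, 50

@dataclass
class Eap:
    code: int
    type: int = 0
    data: bytes = b""

class AuthServer:                # RADIUS AAA: enforces the EAP-method policy
    ALLOWED = {EAP_TLS, EAP_AKA, EAP_AKA_PRIME}   # EAP-MD5 and EAP-SIM rejected
    def __init__(self, creds):                    # creds: constructed identity -> key
        self.creds, self.pending = creds, {}
    def handle(self, identity, msg):
        if msg.type not in self.ALLOWED or identity not in self.creds:
            return Eap(EAP_FAILURE)
        if not msg.data:                          # first round: issue a challenge
            nonce = os.urandom(16)
            self.pending[identity] = (msg.type, nonce)
            return Eap(EAP_REQUEST, msg.type, nonce)
        method, nonce = self.pending.pop(identity, (None, b""))
        expected = hmac.new(self.creds[identity], nonce, hashlib.sha256).digest()
        ok = method == msg.type and hmac.compare_digest(expected, msg.data)
        return Eap(EAP_SUCCESS if ok else EAP_FAILURE)

class Supplicant:
    def __init__(self, identity, key, method):
        self.identity, self.key, self.method = identity, key, method
    def respond(self, req):                       # answer the server's challenge
        proof = hmac.new(self.key, req.data, hashlib.sha256).digest()
        return Eap(EAP_RESPONSE, self.method, proof)

class Authenticator:             # pass-through: never inspects the EAP method
    def __init__(self, server):
        self.server, self.port = server, "unauthorized"
    def run(self, sup):
        msg = Eap(EAP_RESPONSE, sup.method)       # supplicant offers its method
        while True:
            reply = self.server.handle(sup.identity, msg)  # RADIUS Access-Request
            if reply.code in (EAP_SUCCESS, EAP_FAILURE):   # Access-Accept / Reject
                self.port = "authorized" if reply.code == EAP_SUCCESS else "unauthorized"
                return self.port
            msg = sup.respond(reply)                       # EAP-Request relayed via EAPOL
```

A wrong key, an unknown identity, or a disallowed method (EAP-MD5, EAP-SIM) all leave the port unauthorized; only a valid exchange over an allowed method opens it.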


802.1x Deployment and Configuration

Deploying 802.1x requires careful planning and configuration:

  • Infrastructure: Ensure that network devices, such as switches and access points, support IEEE 802.1x. Additionally, a robust RADIUS AAA server, such as Enea Aptilo SMP, is essential for handling authentication requests.
  • Configuration: Configure the authenticator devices to enable 802.1x on the relevant ports. Set up the RADIUS AAA server with the appropriate policies and credentials. Ensure that supplicants (client devices) are configured to support the required EAP method.
  • Testing: Before full deployment, conduct thorough testing to ensure that devices authenticate correctly and that the network behaves as expected under various scenarios.
  • Scalability: Consider the scalability of your IEEE 802.1x deployment. Load balancing across multiple RADIUS AAA nodes, including optional geographical redundancy and the use of high-availability configurations, will help ensure consistent performance.


The complete white paper “Wi-Fi Offloading, How?” will be published in late November 2024. Stay tuned!
