IEEE

802.1x

Secure Wi-Fi with 802.1x and WPA2/WPA3

IEEE 802.1x is a key standard in network security. It provides port-based Network Access Control (PNAC) that serves as the first line of defense against unauthorized access in both wired and wireless networks. By enforcing authentication at the network port level, 802.1x ensures that only authorized devices can access the network, thereby mitigating risks associated with rogue devices and unauthorized users.

The 802.1x protocol is used for secure Wi-Fi and enables Wi-Fi encryption (WPA2/WPA3) for trusted non-3GPP Access and is paramount for Wi-Fi offloading with its SIM authentication.

The 802.1x Architecture

Secure Wi-Fi with 802.1x, EAP and WPA2/WPA3

At the heart of 802.1x is a triad of entities that work together to enforce access control:

  1. Supplicant: The device seeking to join the network (e.g., a laptop, smartphone, or IoT device). The supplicant initiates the authentication process by requesting access to the network.
  2. Authenticator: Typically, a Wi-Fi Access Point (AP) or Wi-Fi AP Controller, the authenticator acts as a gatekeeper. It controls the port to which the supplicant is connected and facilitates the communication between the supplicant and the authentication server.
  3. Authentication Server: The server, often a RADIUS AAA server, validates the supplicant’s credentials. It makes the final decision on whether the supplicant can access the network.

The communication among these entities follows a defined process that leverages the Extensible Authentication Protocol (EAP). The communication between the Supplicant and the Authentication Server is secured end-to-end by only allowing EAP over LAN (EAPOL) between the Supplicant and the Authenticator, and EAP encapsulated in RADIUS between the Authenticator and Authentication Server.

The 802.1x authentication process is orchestrated through a series of EAP messages. Explore more about these details on our SIM authentication page in the context of Wi-Fi offloading.

Depending on the EAP method used, a series of challenge-response exchanges occurs between the supplicant and the authentication server. These exchanges can involve using certificates, username/password combinations, or other authentication credentials.

If the authentication server validates the credentials successfully, it sends an EAP-Success message to the authenticator, which then authorizes the port, granting the supplicant full network access. If authentication fails, an EAP-Failure message is sent, and the port remains unauthorized.

Once authenticated, data transmitted over the network can be encrypted by the Authenticator with WPA2/WPA3 to ensure confidentiality and integrity. Many, including Enea, refer to 802.1x as secure and encrypted Wi-Fi. However, the 802.1x authentication scheme only enables the WPA2/WPA3 encryption.

 

Security Considerations

802.1x significantly enhances network security, but it is not without vulnerabilities.

Some EAP methods, such as EAP-MD5, are considered weak because they do not support encryption or mutual authentication. Without mutual authentication between the Supplicant and Authentication Server, attackers can insert themselves between the supplicant and the authenticator, potentially intercepting or altering communication.

It’s crucial to use stronger methods like EAP-TLS, which offers certificate-based mutual authentication. The EAP methods (EAP-AKA/AKA′/5G-AKA) for Wi-Fi Offloading using the device’s SIM credentials are also at the same security level as EAP-TLS. The legacy EAP-SIM protocol used for 2G/3G has weaker encryption than its successors. We recommend that EAP-SIM is not used.

 

Deployment and Configuration

Deploying 802.1x requires careful planning and configuration:

  • Infrastructure: Ensure that network devices, such as switches and access points, support IEEE 802.1x. Additionally, a robust RADIUS AAA server, such as Enea Aptilo SMP, is essential for handling authentication requests.
  • Configuration: Configure the authenticator devices to enable 802.1x on the relevant ports. Set up the RADIUS AAA server with the appropriate policies and credentials. Ensure that supplicants (client devices) are configured to support the required EAP method.
  • Testing: Before full deployment, conduct thorough testing to ensure that devices authenticate correctly and that the network behaves as expected under various scenarios.
  • Scalability: Consider the scalability of your IEEE 802.1x deployment. Load balancing across multiple RADIUS AAA nodes, including optional geographical redundancy and the use of high-availability configurations, will help ensure consistent performance.

MORE DETAILS IN OUR

IEEE 802.1x FAQ

Learn more details in our 802.1x frequently asked questions (FAQ) section below.

What is 802.1x?

802.1x is a network authentication protocol that provides port-based access control for wired and wireless networks. It ensures that only authorized devices can connect to a network by requiring authentication before granting network access.

What are the benefits of using 802.1x?

– Enhanced security by preventing unauthorized access to the network.
– Centralized user authentication and management.
– Support for various authentication methods (e.g., username/password, certificates, SIM).
– Ability to apply different network policies based on user identity.
– Improved network visibility and control.

How does 802.1x improve network security?

802.1x enhances network security by:
– Preventing unauthorized devices from accessing the network.
– Allowing for granular access control based on user identity and device type.
– Enabling centralized management of network access policies.
– Providing detailed logs of network access attempts for auditing purposes.

How is 802.1x involved in Wi-Fi traffic encryption (WPA2/WPA3)?

802.1x plays a crucial role in facilitating the encryption of Wi-Fi traffic through WPA2/WPA3, although it does not directly perform the encryption itself. Here’s how 802.1x is involved in the encryption process:

Authentication and Key Management
802.1x provides the authentication framework that enables secure key exchange for WPA2/WPA3 encryption:
– Authentication Process: 802.1x authenticates devices before granting network access, ensuring only authorized clients can connect.
– Key Distribution: Upon successful authentication, the 802.1x authentication server (typically a RADIUS server) returns a Master Session Key (MSK) to the access point.
– Dynamic Key Exchange: The access point uses the MSK to derive keys for the WPA2/WPA3 Enterprise encryption of the Wi-Fi network which is unique for each session.

Enabling Encryption
Once 802.1x authentication is complete, it sets the stage for WPA2/WPA3 encryption:
– Encryption Activation: After successful 802.1x authentication, the authenticator (access point) enables unique WPA2/WPA3 Enterprise encryption for the authenticated client.
– Key Derivation: The encryption keys for WPA2/WPA3 Enterprise are derived from the Master Session Key (MSK) received from the authentication server during the EAP authentication process.
– Continuous Key Rotation: In typical WPA2/WPA3 Enterprise implementations, clients can automatically change encryption keys as often as necessary, enhancing security.

WPA2/WPA3 Encryption
While 802.1X handles authentication and key management, WPA2/WPA3 performs the actual encryption:
– WPA2 Encryption: Uses the Advanced Encryption Standard (AES) with a 128-bit key and the Counter-Mode/CBC-Mac Protocol (CCMP) for robust encryption and data integrity.
– WPA3 Encryption: Builds upon WPA2 with stronger encryption and improved key management protocols.

It’s important to note the distinction between enterprise and personal modes:
– WPA2/WPA3-Enterprise: Utilizes 802.1x for authentication, providing unique credentials for each device and offering higher security control.
– WPA2/WPA3-Personal: Uses a pre-shared key (PSK) and does not involve 802.1x authentication.

In summary, 802.1x is not directly responsible for encrypting Wi-Fi traffic, but it provides the secure authentication and key management framework that enables WPA2/WPA3 to establish encrypted connections. This combination of 802.1x authentication and WPA2/WPA3 encryption creates a robust security solution for Wi-Fi networks.

What authentication methods does 802.1x support?

802.1x supports various Extensible Authentication Protocol (EAP) methods, including:
– EAP-SIM/AKA/AKA′/5G-AKA (SIM-based)
– EAP-TLS (certificate-based both for device and RADIUS server)
– EAP-TTLS (username/password with verification of RADIUS server certificate)
– PEAP-MSCHAPv2 (username/password with verification of RADIUS server certificate)

What is the role of a RADIUS server in 802.1x authentication?

The RADIUS server, such as the Enea Aptilo SMP, acts as the authentication server in the 802.1x process. It receives authentication requests from the authenticator, verifies the client’s credentials against a user database (e.g., Active Directory or an HLR/HSS in the mobile core), and sends back an accept or reject message. The RADIUS server can also provide additional authorization information, such as VLAN assignments or an access control list.

How does 802.1x differ from other network authentication protocols?

802.1x differs from other network authentication protocols in several key ways:
– Port-based access control: 802.1x provides port-based network access control, meaning it authenticates devices at the network port level before granting access to the network. This is in contrast to protocols that authenticate after a connection is established.
– Three-party authentication: 802.1x involves three main components in the authentication process: the supplicant (client device), the authenticator (network switch or access point), and the authentication server (typically a RADIUS server). This multi-party approach enhances security by separating the authentication decision from the network access point.
– Extensible Authentication Protocol (EAP) framework: 802.1x uses EAP to exchange messages during the authentication process, allowing for various authentication methods to be used within the same framework. This flexibility supports different security needs and can accommodate future authentication methods.
– Supports both wired and wireless networks: Unlike some protocols that are specific to either wired or wireless networks, 802.1x can be implemented on both Ethernet and Wi-Fi networks.
– Integration with RADIUS: 802.1x works with RADIUS servers, enabling centralized authentication and authorization management. This allows for more granular control over network access policies.
– Dynamic policy enforcement: 802.1x allows for the creation and enforcement of policies that can restrict access based on user roles or permissions, providing more fine-grained control over network resources.
– Session management: Unlike simpler authentication methods, 802.1x enables administrators to end sessions and remove users from the network dynamically, enhancing security when users leave or devices are compromised.

By combining these features, 802.1x provides a more robust, flexible, and secure authentication framework compared to many other network authentication protocols, making it particularly well-suited for service provider- and enterprise environments with diverse security needs.