IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management
IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as for dynamically varying encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.
In the 802.1X architecture, there are three key components:
- Supplicant: the user or client that wants to be authenticated.
- Authentication server: typically a RADIUS server.
- Authenticator: the device in between, such as a wireless access point, which can be simple and dumb.
The key protocol in 802.1X is called EAP over LANs (EAPOL). It is currently defined for Ethernet-like LANs, including 802.11 wireless, as well as for token ring LANs (including FDDI). The operation of 802.1X is as follows:
- The supplicant (such as a client wireless card) sends an "EAP-Response/Identity" packet to the authenticator (such as an 802.11 access point), which passes it on to the authentication server (a RADIUS server located on the wired side of the access point).
- The authentication server sends a challenge back to the authenticator. The authenticator unpacks the challenge from IP, repackages it in EAPOL, and sends it to the supplicant.
- The supplicant responds to the challenge via the authenticator, which passes the response on to the authentication server. The authentication server uses a specific authentication algorithm to verify the client's identity; this could be through the use of digital certificates or another EAP authentication type.
- If the supplicant proves its identity, the authentication server responds with a success message, which is passed on to the supplicant. The authenticator now opens its port so the supplicant can access the LAN, based on the attributes returned by the authentication server.
The 802.1X (EAPOL) protocol provides effective authentication regardless of whether you implement 802.11 WEP keys or no encryption at all. If configured for dynamic key exchange, the 802.1X authentication server can return session keys to the access point along with the accept message. The access point uses the session keys to build, sign and encrypt an EAP key message that is sent to the client immediately after the success message. The client can then use the contents of the key message to derive the applicable encryption keys.
802.1X (EAPOL) is a delivery mechanism; it does not itself provide the authentication method. When using 802.1X, you need to choose an EAP type, such as EAP Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), which defines how the authentication takes place. The chosen EAP type resides on the authentication server and in the operating system or application software on the client devices. The access point acts as a "pass-through" for 802.1X messages, which means that you can deploy any EAP type without upgrading an 802.1X-compliant access point.
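The exchange listed above and the "pass-through" role of the authenticator, modelled as an added example (this code is not from the original page or from any 802.1X implementation). The EAPOL and EAP field layouts follow IEEE 802.1X and RFC 3748 rather than this page; EAP-MD5 is used as the challenge method only because it fits in a few lines; the RADIUS leg between authenticator and server is modelled as a direct function call; and the user, password and server name are constructed sample data. The point the model makes is that the authenticator never interprets the EAP method, only the final Success/Failure code, and that its controlled port drops all non-EAPOL traffic until that code arrives.

```python
"""Toy model of the 802.1X exchange: supplicant <-EAPOL-> authenticator <-> auth server."""
import hashlib
import hmac
import os
import struct

EAPOL_ETHERTYPE = 0x888E                                # EtherType carrying EAPOL on 802.3/802.11
EAPOL_VERSION = 2                                       # EAPOL protocol version (802.1X-2004)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types used here
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4                  # EAP method types used here


def eapol(packet_type, body=b""):
    """EAPOL frame: version (1), packet type (1), body length (2), body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body

def parse_eapol(frame):
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    if version not in (1, 2, 3) or len(frame) < 4 + length:
        raise ValueError("malformed EAPOL frame")
    return packet_type, frame[4:4 + length]

def eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: code (1), identifier (1), length (2), then type + data for Request/Response."""
    payload = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload

def parse_eap(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("malformed EAP packet")
    return code, identifier, (pkt[4] if length > 4 else None), pkt[5:]


class AuthServer:
    """Stands in for the RADIUS server: the only party that holds and checks user secrets."""
    def __init__(self, users):
        self.users = users                  # identity -> password bytes (constructed sample data)
        self.identity = self.challenge = None

    def handle(self, eap_pkt):
        code, ident, eap_type, data = parse_eap(eap_pkt)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            self.identity = data.decode(errors="replace")
            self.challenge = os.urandom(16)
            # EAP-MD5 request body: value-size, value (the challenge), name
            return eap(EAP_REQUEST, (ident + 1) & 0xFF, EAP_TYPE_MD5,
                       bytes([16]) + self.challenge + b"srv")
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5 and self.challenge is not None:
            secret = self.users.get(self.identity)
            if secret is not None:          # EAP-MD5: MD5(identifier || secret || challenge)
                expected = hashlib.md5(bytes([ident]) + secret + self.challenge).digest()
                if hmac.compare_digest(data[1:1 + data[0]], expected):
                    return eap(EAP_SUCCESS, ident)
        return eap(EAP_FAILURE, ident)


class Authenticator:
    """Access point or switch: relays EAP without interpreting the method and gates the port."""
    def __init__(self, server):
        self.server = server
        self.port_authorized = False

    def handle_frame(self, ethertype, payload):
        """Return the reply to the supplicant, the forwarded payload, or None if dropped."""
        if ethertype != EAPOL_ETHERTYPE:
            return payload if self.port_authorized else None    # controlled port still closed
        packet_type, body = parse_eapol(payload)
        if packet_type == EAPOL_START:
            self.port_authorized = False
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 0, EAP_TYPE_IDENTITY))
        if packet_type == EAPOL_LOGOFF:
            self.port_authorized = False
            return None
        if packet_type == EAPOL_EAP_PACKET:
            reply = self.server.handle(body)    # real deployments carry this in RADIUS over IP
            if reply[0] in (EAP_SUCCESS, EAP_FAILURE):    # only the EAP code byte is inspected
                self.port_authorized = reply[0] == EAP_SUCCESS
            return eapol(EAPOL_EAP_PACKET, reply)
        return None


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, eap_pkt):
        code, ident, eap_type, data = parse_eap(eap_pkt)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            return eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
        if code == EAP_REQUEST and eap_type == EAP_TYPE_MD5:
            challenge = data[1:1 + data[0]]
            digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            return eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest + self.identity.encode())
        return None


def run_8021x(supplicant, authenticator):
    """Drive the exchange from EAPOL-Start to Success/Failure; return (final EAP code, port state)."""
    frame = authenticator.handle_frame(EAPOL_ETHERTYPE, eapol(EAPOL_START))
    for _ in range(8):                           # this toy exchange needs three round trips
        _, body = parse_eapol(frame)
        if body[0] in (EAP_SUCCESS, EAP_FAILURE):
            return body[0], authenticator.port_authorized
        frame = authenticator.handle_frame(EAPOL_ETHERTYPE,
                                           eapol(EAPOL_EAP_PACKET, supplicant.respond(body)))
    raise RuntimeError("exchange did not converge")


if __name__ == "__main__":
    ap = Authenticator(AuthServer({"alice": b"correct horse"}))     # constructed sample user
    print(ap.handle_frame(0x0800, b"IP packet"))                     # None: port closed before auth
    print(run_8021x(Supplicant("alice", b"correct horse"), ap))      # (3, True)
    print(ap.handle_frame(0x0800, b"IP packet"))                     # b'IP packet': forwarded now
```

Swapping the method for EAP-TLS or EAP-TTLS would change only `AuthServer.handle` and `Supplicant.respond`; `Authenticator` stays as it is, which is what the pass-through property buys you. The EAP-MD5 method used here produces no session key material, so it cannot feed the dynamic key exchange described above and is unsuitable for WLAN deployments; the certificate-based methods the page names are the ones that do.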
Protocol Structure - IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management
EAPOL Frame Format for 802.3/Ethernet: