802.1x components

The “802.1x” standard allows authentication of devices in LAN or Wireless networks, using cryptographic techniques to provide higher security. 802.1x can authenticate the user or the device.

FreeNAC includes 802.1x since V2.2.

802.1x and MAC address identification can be combined, by for example authenticating the user via Windows Domain Logon and using the end-device MAC address for Vlan assignment.

The following diagram shows the components involved in 802.1x authentication.

[Diagram: 802.1x Components]

The VMPS/MAC based components (vmpsd_external, postconnect) are documented in the VMPS section.

rad2vmps

A Perl script, 'rad2vmps', is called from FreeRadius; it accepts a MAC address and returns the Vlan to be assigned to the supplicant. This script queries the FreeNAC database of MAC addresses via the VMPS protocol.
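To make the rad2vmps role concrete, here is an added illustration (not FreeNAC's own script, which is written in Perl and queries the FreeNAC database over VMPS) of what such a FreeRadius helper does: it takes the MAC address FreeRadius passes in (typically the Calling-Station-Id), normalises the vendor-specific MAC formats, looks the MAC up, and prints the RFC 3580 tunnel attributes that tell the switch which Vlan to assign in the "Attribute = value" form that FreeRadius's rlm_exec module reads from stdout. The in-memory table, the quarantine Vlan for unregistered MACs and the script name are constructed assumptions standing in for the real database query and site policy.

```python
"""Illustrative stand-in for a rad2vmps-style lookup called from FreeRADIUS.

Assumption: the in-memory table below replaces the FreeNAC database / VMPS
query; the real FreeNAC rad2vmps script is Perl and is not reproduced here.
"""
import re
import sys

# Constructed sample data (assumption) in place of the FreeNAC MAC database.
# Keys are normalised MACs, values are the Vlan names the switch expects.
MAC_TO_VLAN = {
    "001122334455": "staff",
    "00aabbccddee": "printers",
}

# Assumed site policy: unregistered MACs land in a quarantine Vlan.
DEFAULT_VLAN = "quarantine"

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept the MAC spellings different switch vendors put in Calling-Station-Id
    (00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455, 001122334455) and
    return 12 lowercase hex digits, or None if the value is not a MAC at all."""
    cleaned = re.sub(r"[:.\-\s]", "", raw.strip().lower())
    if not _HEX12.match(cleaned):
        return None
    return cleaned


def lookup_vlan(raw_mac, table=MAC_TO_VLAN, default=DEFAULT_VLAN):
    """Return the Vlan for a MAC: its registered Vlan, the default Vlan for an
    unknown MAC, or None when the MAC is malformed (caller should reject)."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return None
    return table.get(mac, default)


def radius_reply(vlan):
    """RFC 3580 tunnel attributes for dynamic Vlan assignment, one
    'Attribute = value' line each, as rlm_exec expects on stdout."""
    return [
        "Tunnel-Type = VLAN",
        "Tunnel-Medium-Type = IEEE-802",
        'Tunnel-Private-Group-Id = "%s"' % vlan,
    ]


def main(argv):
    # FreeRADIUS would invoke this with the MAC as the only argument,
    # e.g. exec rad2vmps { program = "/path/rad2vmps %{Calling-Station-Id}" }.
    if len(argv) != 2:
        sys.stderr.write("usage: %s <mac-address>\n" % argv[0])
        return 1
    vlan = lookup_vlan(argv[1])
    if vlan is None:
        sys.stderr.write("rejecting malformed MAC %r\n" % argv[1])
        return 1  # non-zero exit: rlm_exec treats the request as rejected
    for line in radius_reply(vlan):
        print(line)
    return 0  # exit 0: rlm_exec adds the printed attributes to the reply


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two details matter operationally: the MAC must be normalised before the lookup, because the same switch may report a MAC as 0011.2233.4455 while another reports 00-11-22-33-44-55, and a malformed MAC must produce a non-zero exit (a reject) rather than silently falling into the default Vlan.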

802.1x problems

802.1x provides key advantages such as added security and a consensus that long term it is 'the way to go', but keep in mind some of the limitations when choosing 802.1x over VMPS in the short term.

  • New(er) switches are usually required (e.g. 2006 or later)
  • Vendor interoperability is a problem: each vendor implements its own additional radius fields.
  • It's a complex protocol: it is slower (due to the amount of data exchanged, the number of handshakes and the encryption) and difficult to analyse and support (due to the complexity of the handshakes).
  • Supplicants (the 802.1x client) are delivered with some Operating Systems but not with others. In Windows, depending on patch level/Service Pack, it may work fine. 3rd party supplicants are available but usually are not free and require configuration, support and distribution.
  • Certificate (PKI) management: generating and checking signatures is normally easy enough, but how do you distribute, revoke and check for revoked certificates? How large are CRLs, how/where are they managed/downloaded?
  • Interaction with Hubs, un-managed switches and Virtual Machines in bridged mode can be problematic, as 802.1x usually expects only one end-device per port.
  • Cost: due to the above and the cost of a commercial Radius server (if you don't use a free alternative such as FreeRadius/FreeNAC)