802.1x Authentication is used to provide a Robust security network association.
In 802.1x Authentication, we need to understand the below terminology.
1) Supplicant
2) Authenticator
3) Authentication Server
The user device and the Authenticator use Extensible Authentication Protocol(EAP) for communication.
The Authenticator and the Authentication server use the Remote Authentication Dial-In User Service (Radius) protocol for communication.
Supplicant: The user device (like Laptop), which provides User credentials to the Authenticator, gets network access if the user credentials are valid. The user credentials can be username & password/certificates.
Authenticator: Gets the information (User credentials) from the user device using EAP protocol and forwards it to the Authentication server using Radius Protocol. The Authenticator is an access point or Controller in the wireless network.
Authentication Server: Validates user credentials—Radius-Accept message sent to the Authenticator if user credentials are valid, else Radius-Reject.
Suppose a user device is associated with an access point broadcasting 802.1x SSID. In that case, only EAP traffic is processed and forwarded to the authentication server until the user device is Authenticated & Authorized.
We hear the Controlled port and Uncontrolled port terms regarding 802.1x Authentication.
Uncontrolled Port: This is when the user's device is unauthenticated & unauthorized. Only EAP traffic is processed and forwarded by Authenticator.
Controlled Port: The user device is Authenticated & Authorized to have network access.
Below is the EAP & Radius Frame flow for EAP-TLS.
EAP-PEAP & EAP-TLS are the authentication method normally used in enterprise networks.
802.1x authentication process starts when the user device sends an EAPOL Start or Authenticator (Access point) sends an EAP-Identity request.
The user device responds to EAP-Identity Request with EAP-Identity response which contains user Identity.
The Authentication Server Proposes Authentication Method, for example, EAP-PEAP or EAP-TLS in its Radius Access-challenge. The authenticator will send the proposal to the user device as EAP-request.
Radius Access challenge screenshot showing the Authentication Method Proposed.
EAP-Request showing Authentication method type.
The user device responds with Client hello with the list of CIPHER SUITES the user device supports. The Authentication server selects a cipher suite so the user device and server will use it to communicate.
The user device receives an EAP-request, which contains the Server certificate, Public key, Time validity of certificate... details about the certificate, which may help troubleshoot the authentication issues.
Note: Microsoft windows 802.1x supplicant (as of today) does not support wildcard server certificates.
For example, if we see the server certificate has common-name *. wirelessbuddies.com windows 802.1x supplicant client devices authentication will fail. You will not see any authentication issues with IOS or Andriod devices with the same server certificate.
The user device validates the server certificates. If the server certificate is valid, the user device presents the client certificate to the Authentication Server in the EAP-TLS Authentication Method.
Note: I did not show the Public Key information in the Server certificate and client certificate screenshot. It will not help in any way for troubleshooting any authentication issues.
After Authenticating the user, the last EAP frame will be a success or failure.
If the Authentication is successful, the user device and Authenticator go for a 4-way handshake.
A sample screenshot for EAP-TLS Authentication Wireshark captures.
In EAP-PEAP with inner method Ms-chapv2, all the above frame exchanges are the same till the Server certificate. After the server certificate is received, the client validates the server certificate. If the Server certificate is valid client sends the public key and "Change Cipher Spec."
The “Change Cipher Spec” message lets the other party know that it has generated the session key and will switch to encrypted communication.
After the "Change Cipher Spec" message from the user device and the Authentication Server, a secure Tunnel is formed.
The user credentials are sent to the Authentication server in the Secure TLS Tunnel and verified by the Authentication server.
If Authentication successful, the Authentication server sends Radius Access-Accept or Radius Access-Reject to Authenticator.
The authenticator will send EAP-Success or EAP-failure based on Radius Access-Accept or Radius Access-Reject, respectively.
EAP-PEAP with Inner Method Ms-ChapV2 validation of server certificate on the User-device plays a vital role in securing the network.
If a valid server certificate is unchecked, then the device is easy to prone Man in the Middle (MITM) attack by placing Rogue radius server and acquiring username and password details of the users.
