Security | Vulnerability Scans and Assessment

Authentication Protocol: 802 dot 1x and EAP types for Wired and Wireless Authentication

dfg

This guide discusses some commonly employed authentication protocols. 802.1X was first developed for wireless networks and traffic analysis. Due to the fact wireless Local Area Networks (WLAN) are more volatile to attacks, as previous authentication methods and encryption were not strong enough, the need to develop a strong authentication method was developed to mitigate unauthorized access. Here the IEEE 802.1X was developed which is based on Extensible Authentication Protocol (EAP) thereby providing strong authentication encryption algorithms. You may also want to see the following guides: Unable to connect to Eduroam WLAN: WiFi Username remembered on MAC, how to install DHCP role on Windows Server, how to disable Network (Wireless) UI from the Welcome screen, and How to set up and configuring Cisco WAP 551 and WAP 561

Extensible Authentication Protocol: EAP protocol is an authentication protocol used to transport user credentials. EAP works on layer 2 (datalink layer) of the OSI model and ensures the elimination of duplicate and retransmission frames. EAP uses IEEE 802.1X that ensures user connection to a network after its authenticated. 

It supports so many authentication protocols as we will discuss below and operates on the datalink layer. It employs the usage of username, password and certificates for client authentication.  

EAP offers a platform for System/Network/Developers to create advanced authentication types that can be deployed into your existing organization. Here are the different types of EAP authentication methods.
Note: 802.1x employed EAP authentication over LAN (EAPoLAN or WLAN) and does not require an IP connectivity as this was the initial design method and supports reliable transmission of authentication protocol protocols

  1. EAP-Message Digest 5 (MD5):  This protocol hides user credentials in HASH formats before sending them to the server. This HASH is compared to a previously stored HASH on the server for correctness. This protocol is not interactive as the server validates the user credential. This EAP method is no longer secure because of its cryptographic weakness due to the advancement in attack techniques and computation hardware in exploiting a large number of passwords in few seconds.
  2. EAP-TLS: This protocol uses Transport Layer Security (TLS) handshake in rendering secure connection (authentication). It uses the X.509 and enables both the user and the server to establish a trust connection, unlike the EAP-MD5. This is a valid certificate type of authentication and it requires your client and server to possess a certificate for a joint (mutual) communication between each other; i.e. (they authenticate by exchanging certificates in both client and server respectively).

When the supplicant initiates a connection to join the network, the RADIUS server forwards a certificate to the supplicant which then performs these two steps namely.
– Firstly, the client checks to ensure the certificate is still valid by cross-checking the Certificate Revocation List (CRL), and secondly, it checks to see if the name on the certificate is the same as the RADIUS server.
– After this is done, the client (supplicant) will also forward its certificate to the RADIUS server to perform its own verification and if both checks are accurate, authentication will be granted. This protocol is often employed for BYOD deployment in our test laboratory.

This is often considered insecure as user identity credentials are transmitted in clear text before the exchange of certificates which is a back door for potential network attacks but has a very good cryptographic strength and also, all clients need to have certificates installed on them. This is why it is not mostly employed (used) in practice. The figure below shows a typical handshake and protocol flow of an EAP-TLS

Picture-1
 Typical protocol flow of an EAP-TLS

These are the information contained in both the server and client communication listed below.
Protocol Version: This is the version of TLS protocol both the server and the client use in communication throughout the entire period.
Random: This contains the current information such as the date and time of communication and 28-byte data generated by both the server and the client.
Session ID: This is the session identity numbers both the client and the server choose to use for communication.
Cipher Suite: Among the ciphers present, alone cipher suite is selected from the clients and server hello messages.
Compression Method: Alone compression algorithm is selected by both (differently) as well from the table of compression methods available to them

EAP Tunnelled Types: These types of EAP protocol create encrypted tunnels, employ the created encrypted tunnel in sending user credentials.

A) Protect EAP (PEAP): This is the most widely used. They were developed also with EAP-TTLS due to the impediment of Public Key Infrastructure (PKI) in EAP-TLS as client certificates are required for authentication (Client certificates are not necessary for authentication in both EAP-TTLS and PEAP).PEAP uses two additional authentication types after successfully establishing a secure tunnel; EAP uses Inner Method to ensure the user is authenticated with EAP Outer Method.

  • EAP-MSCHAPversion2:  EAP-MSCHAPv2 is an inner method employed by EAP to authenticate a user. The user credentials are transported in an encrypted format in an EAP-MSCHAPv2 session running. This authentication protocol uses the credentials (password) of domain users. The Authenticator server (RADIUS server) has a certificate installed on it and forwarded to the client.
  • PEAPGTC (Generic Token Card): Developed as a possible alternative to MSCHAPv2 to any type of authentication server such as LDAP etc.
  • PEAP -TLS: This inner method of authentication is not commonly employed and can be used as an inner authentication method for PEAP.
  • PEAP -MSCHAPv2: As described previously, PEAP is used to establish a secure tunnel between the client and the RADIUS server, and this tunnel is established with the certificate of the authentication server and this is pushed to the client as it attempts to connect to the network. PEAP-EAP-MSCHAPv2 is really not too secure as it is password-based and can be attacked, to mitigate against this attack, but when used with PEAP, it enables a secure connection of credentials to be encrypted and decrypted. 

B) EAP-TTLS: More widely used than PEAP, they were developed to deliver authentication protocol as secure EAP-TLS. In EAP-TTLS, certificates are not installed on the user machine but on the authentication server. EAP-TTLS method is supported by all PEAP authentication methods as well as old authentication methods such as PAP, CHAP, MS-CHAP, and MS-CHAP-V2. 
– EAP-TTLS is also used because it allows authentication against LDAP due to PAP in the inner tunnel.

Note: This is the protocol employed by me in this project because of it flexibity in supporting all authentication methods.

The differences between PEAP and EAP-TTLS are EAP-TTLS are available in the market by different vendors and the software supports a lot of operating systems while PEAP are still are not freely available and it supports few operating systems. The table below is a comprehensive view of the different protocols.

   EAP-TLS
 (RFC 2716)
TTLS
 (Internet Draft)
PEAP (INTERNET Draft)
Areas of Application   
Supported PlatformsLinux, Mac and WindowsLinux, Mac and WindowsWindows, Linux, and Mac
Authentication TechniqueClients certificatesCertificates or PasswordsUses any of the EAP methods
Protocol StructureTLS section created and certificates are validated on both clients and serverTwo steps are required,
(A) it establishes TLS between client and the TTLS server and (B) attribute pairs are exchanged between the client and server
Two steps are required,
(A) It establishes TLS with the client and PEAP server and
(B) EAP protocol exchange comes to play over TLS tunnels.
Session Fast ReconnectNoYesYes
Server CertificateYesYesYes
Client CertificateYesNot mandatoryNot mandatory
Authentication DirectionUses certificate in both directions (Mutual)  Uses certificates for server authentication and tunneled methods for users (Mutual)Uses Certificates for server and uses any of the EAP methods for users (Mutual)
Protection of user identity exchangeNoYes by TLSYes by TLS
Key Compromise EffectCertificates are re-issued to both Server and ClientsCertificates are re-issued to servers alone and also re-issued to clients if using TLS exchange 

C) EAP-FAST: Flexible Authentication with Secure Tunnel (FAST) protocol was designed by Cisco as an option for PEAP with great support for re-authentication and rapid roaming of wireless users. This protocol works in a similar manner as PEAP but with enhanced functionality in employing the Protected Access Credentials (PAC), which is often referred to as a secure cookie used is specifying a user authentication and stored on the user machine. They utilize the same inner authentication methods as described for PEAP such as MSCHAPv2 etc. This is cisco’s proprietary protocol.
D) EAP Chaining with EAP-FASTv2: This was designed to enhance the functionalities not available in PEAP. This authentication protocol, this protocol uses a machine PAC and user PAC for authentication. This involves the use of more than one protocol for EAP authentication and it is therefore referred to as EAP chaining.
E) Employing Extensible Authentication Protocol (EAP): As described above, they are employed to authenticate both wireless and wired clients (supplicants). This is used by suppliants to authenticate to the RADIUS server, thereby granting the user network access (enabling the password and username prompt). This is defined by RFC 3748. 802.1X uses EAP as it does not need to communicate using an IP address and supports reliable connection and retransmission.

Advantages of using EAP Protocol: Here are some vital reasons why EAP protocol are often used.
– It fosters the use of multiple authentication protocols without predefining a specific one to use.
– EAP enables network access devices (authenticator) to act as a pass-through to the authenticator server without a need to understand the protocol it is using; this separation of duties helps in administering the credentials.

Note: EAP has so many features, as it can be used to support a defined authentication protocol for your organization. Authentication servers request additional information to determine the protocol used for authentication and EAP provides this functionality.

  1. Password Authentication Protocol (PAP): This protocol sends username and password in plain text. This protocol is often used in MAB and Web authentication. This password can be configured and sent in an encrypted format. And if you bind against an LDAP server, the password must be in a plain format. 
  2. Challenge Authentication Protocol (CHAP): This protocol sends the username and password in an encrypted format using a challenge initiated from the server.

Wired Authentication: See the figure below on how wired clients are authenticated and granted access to the network. Before network access is granted, the host can only communicate with the switch using the Extensible Authentication Protocol over LAN (EAPoLAN) for 802.1x communication to begin. The figure below shows a structure of an EAPoL packet. Other protocols allowed alongside EAPoL are Cisco Discovery Protocol (CDP) and Spanning Tree Protocols (STP).  

Picture-1-1

After the host successfully authenticates, other network traffic (IP) will then be allowed and routed to and from the client and server. Here, the host (supplicant) sends traffic to the authenticator using Extensible Authentication Protocol over LAN (EAPoLAN) then the authenticator will then transfer these traffics to the RADIUS Server. After processing, the radius server communicates with the authenticator and uses the Internet Protocol (IP), this provides a secure authentication protocol delivery, thereafter granting the network device access to the network. The switch act as an intermediary distributing the EAPoLAN frames between the client and the server pending the outcome of the authentication request. If 802.1X is not enabled on the client’s PC, the EAPoLAN frames will be dropped. The colors used in the figure above enable you to follow the sequences of EAPoL in your organization.

  • Red: Represents the supplicant response during the entire authentication process.
  • Green: Denotes the server response to the authentication during the entire process and
  • Blue: Shows all request sent both to the client and the RADIUS server during the entire authentication process. 

The authenticator makes the EAP request and only the authentication request to connect to the network is initiated by the client. Also, all RADIUS server responses here are to the switch alone and not the client. The authenticator alone communicates with the client.

EAPoL FRAME ARCHITECTURE: The EAPoL frames arrive on the switch to be sent to the RADIUS server,  (the switch here acts as an intermediary between the supplicant and the server) the EAP frame header is stripped off while the EAP frame is re-encapsulated in the RADIUS address format to be sent to the RADIUS server. These EAP frames themselves are not modified during encapsulation, and the RADIUS server should also support EAP. The RADIUS server then sends the frame back to the switch, here the RADIUS frame header is stripped off and the EAP frame is then encapsulated for IP traffic communication to the host (supplicant). See the figure below on how the structure of EAPoL.

Picture-m1
A typical structure of an EAPoL packet

The above diagram shows the EAPoL frame structure in which the switch communcates with the client. Before granting the authentication request as discussed above which allows communication of any protocol, only these EAPoL frame (packet) types  can be sent from the switch  or access point to the client, They are as follows

  • EAPoL-Packet: Used in Identifying the packet as EAP
  • EAPoL-Start: Used in initiating an 802.1x authentication request.
  • EAPol-Logoff: Used in terminating EAPoL session.
  • EAPoL-Key: Used in exchanging keys between the switch and the client.
  • EAPoL-Encapsulation-ASF-Alert: Used for sending SNMP traps.

Wireless Authentication: The figure below displays how wireless clients can connect to the organization network. It’s the same process as described above but uses EAPoWLAN to communicate with the Authenticator (AP). The supplicants use EAPoWLAN to establish a wireless connection and authenticate with the Access Point (AP) before it can connect to the network after finalizing the authentication request

Picture-cc1

Note: This EAPOL authentication for wired clients is almost similar to the wireless clients (supplicants), the major difference here is that for wired clients, they use the switch as their authenticator while fore wireless clients, use the WLC as their authenticator. Note: In the figure above, the AP is not the authenticator as it is a lightweight AP having no IOS in it. 

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x