How 802.1x Authentication Works

Posted in Security on May 8, 2009 by muhrizky

If anyone ever visits HowStuffWorks, they can find a lot of information there about how objects work. Furthermore, in relation to understanding, the site gave me a good example of how to inform or explain something technical. In this era of massive information, definitions of terms are often too simple. But in my view, a simple explanation is not enough to make someone understand. In my opinion, a person can truly understand technical terms, and not have the words slip from memory, only if we know not just what this or that is but also how this or that works.

802.1x, in computing terms, is a method for authenticating a client, that is, for checking whether a network transmission comes from a valid sender. 802.1x authentication can be implemented to secure wireless networking. According to several resources, this method is sometimes also known as RADIUS authentication, but RADIUS is actually a server that provides the authentication services. 802.1x can also be combined with Active Directory or Lightweight Directory Access Protocol (LDAP) to increase security. The explanation below describes, step by step, how 802.1x authentication works:

  1. The wireless client sends a request to the wireless access point,
  2. The access point asks the wireless client for its identity information,
  3. The wireless client sends its identity information to the wireless access point,
  4. The wireless access point sends the wireless client's identity information to the RADIUS server,
  5. The RADIUS server checks its connection request policies to verify whether the wireless access point is valid,
  6. If the access point is valid, the RADIUS server checks its remote access policies to verify whether the wireless client is authorized,
  7. The client identity is forwarded to the domain controller for authentication,
  8. The domain controller returns the result to the RADIUS server,
  9. The RADIUS server analyzes its policies to specify constraints in case the wireless client is authenticated by the domain controller,
  10. If the client is still valid, the RADIUS server sends an acknowledgement message to the access point, indicating acceptance of the request,
  11. Once the access point receives the message, it generates WEP keys and forwards the keys to the wireless client,
  12. The client uses the WEP keys to access the network.
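
The twelve steps above, modelled as an added example that is not part of the original post: it shows the order of the RADIUS server's checks and that the access point opens the port and issues a key only after an accept. All names, secrets and policy values are hypothetical, and plain function calls stand in for the real EAP and RADIUS messages.

```python
import hmac
import secrets

# Constructed sample data: every name, secret and policy value here is hypothetical.
KNOWN_ACCESS_POINTS = {"ap-lobby": b"shared-secret-1"}  # connection request policy
ALLOWED_GROUPS = {"wifi-users"}                         # remote access policy
CONSTRAINTS = {"session_timeout_s": 3600}               # applied after a successful logon
DIRECTORY = {                                           # stands in for the domain controller
    "alice": {"pw": b"correct horse", "groups": {"wifi-users"}},
    "bob": {"pw": b"hunter2", "groups": {"contractors"}},
}


def domain_controller_auth(user, password):
    """Steps 7-8: check the credential and return the result to the RADIUS server."""
    entry = DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(entry["pw"], password)


def radius_decide(ap_name, ap_secret, user, password):
    """Steps 4-10: run the policy checks in the order the list gives them."""
    expected = KNOWN_ACCESS_POINTS.get(ap_name)
    if expected is None or not hmac.compare_digest(expected, ap_secret):
        return {"decision": "reject", "reason": "access point not valid"}   # step 5
    groups = DIRECTORY.get(user, {}).get("groups", set())
    if not groups & ALLOWED_GROUPS:
        return {"decision": "reject", "reason": "client not authorized"}    # step 6
    if not domain_controller_auth(user, password):
        return {"decision": "reject", "reason": "authentication failed"}    # steps 7-8
    return {"decision": "accept", "reason": "ok", **CONSTRAINTS}            # steps 9-10


def access_point_connect(ap_name, ap_secret, user, password):
    """Steps 1-3 and 11-12: relay the identity, open the port only on an accept."""
    result = radius_decide(ap_name, ap_secret, user, password)
    if result["decision"] != "accept":
        return {"port": "blocked", "key": None, **result}
    # Step 11: the access point generates the key; 13 bytes is a 104-bit WEP key.
    return {"port": "open", "key": secrets.token_bytes(13), **result}


if __name__ == "__main__":
    for args in [("ap-lobby", b"shared-secret-1", "alice", b"correct horse"),
                 ("ap-unknown", b"guess", "alice", b"correct horse"),
                 ("ap-lobby", b"shared-secret-1", "bob", b"hunter2"),
                 ("ap-lobby", b"shared-secret-1", "alice", b"wrong")]:
        out = access_point_connect(*args)
        print(args[0], args[2], out["port"], out["reason"])
```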

The authentication methods used with RADIUS itself can be:

  • Protected Extensible Authentication Protocol (PEAP-EAP): The client authenticates by validating the certificate supplied by the server and acquires the master key.
  • PEAP-EAP-Microsoft Challenge Handshake Authentication Protocol (MSCHAPv2): Same as PEAP-EAP, but the authentication process must also pass Active Directory validation by the domain controller.
  • Secure Socket Layer/Secure Shell (SSL/SSH): Creates a tunnel in a separate network layer for authentication.