


June Special Edition 2023

Sean Barr, LookingPoint Founder and CEO: “Through the use of technology, we enable our customers to achieve improved productivity, growth and empowerment of business.”


LookingPoint is a solution provider specializing in advanced IT infrastructure, such as professional services, managed services, project management, and hardware procurement. LookingPoint’s customers, however, do not view it as a typical solution provider. The company builds strong and lifelong partnerships by integrating closely with clients as an extended member of their IT team. LookingPoint successfully designs, implements and manages advanced IT solutions.

LookingPoint’s expertise centers on collaboration, security, and networking. This technology alignment allows us to provide a consistent end-user and customer experience. By leveraging LookingPoint, your organization will have the time to focus on specific business initiatives that will drive innovation and streamline your company’s path for success.

Q. What is 802.1X?

The first thing that should be understood about 802.1X is that it is not a single thing or protocol.  Furthermore, 802.1X itself is a component of an even larger system of network access controls, commonly referred to in the industry as NAC solutions.  Cisco ISE is an example of one such NAC system.  802.1X is a network level authentication and authorization framework that serves as a fundamental component of any comprehensive NAC solution. This 802.1X authentication framework involves a system of hardware/software components and protocols.  IP networks employ 802.1X for the purpose of requiring endpoint users and/or endpoint devices to authenticate themselves before being granted (potentially) differentiated levels of access to a wired or wireless network connection.

A Supplicant is a piece of software running on an endpoint. The supplicant is responsible for providing the user/device authentication credential to the authentication server. The supplicant provides this credential to the Authenticator via the Extensible Authentication Protocol (EAP). EAP is a link-local protocol, meaning it is only transmitted over the direct link between two devices: an endpoint and a switch, or an endpoint and a wireless AP/controller. As such, it is the authenticator's role to proxy this EAP data from the supplicant to the authentication server using RADIUS encapsulation. RADIUS is a routable protocol capable of being transmitted to any reachable destination on an IP network. Authentication Servers are responsible for validating/authenticating the credential received in the RADIUS message and returning an authorization result back to the authenticator. The credential presented to the authentication server can represent the device or the user requesting connection to the network, or in some cases, both.
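The proxy step described above, as an added Python example that is not code from the article or from Cisco ISE: the supplicant builds an EAP-Response/Identity, the authenticator wraps it in a RADIUS Access-Request as EAP-Message attributes protected by a Message-Authenticator (HMAC-MD5 keyed with the shared secret, per RFC 3579), and the server verifies that before reassembling the EAP packet. Function names, the shared secret and the identity used in testing are constructed for illustration; a real authenticator uses a random 16-byte Request Authenticator.

```python
import hashlib, hmac, struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1          # RFC 3748
# RADIUS code and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST, USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 79, 80

def eap_identity_response(identifier, identity):
    """Supplicant side: EAP-Response/Identity = code, id, length, type, data."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity

def attr(attr_type, value):
    """RADIUS attribute: type, length (covers the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encapsulate(eap, user_name, secret, radius_id, request_auth):
    """Authenticator side: wrap the link-local EAP packet in an Access-Request."""
    attrs = attr(USER_NAME, user_name)
    for i in range(0, len(eap), 253):           # split EAP across attributes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    mac_at = 20 + len(attrs) + 2                # offset of the 16-byte MAC value
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, radius_id,
                                   20 + len(attrs)) + request_auth + attrs)
    # HMAC-MD5 over the whole packet with the MAC field zeroed, keyed by the secret
    packet[mac_at:mac_at + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_and_extract(packet, secret):
    """Server side: check Message-Authenticator, then reassemble the EAP packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    zeroed, eap, mac, pos = bytearray(packet[:length]), b"", None, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        kind, end = packet[pos], pos + packet[pos + 1]
        if kind == EAP_MESSAGE:
            eap += packet[pos + 2:end]
        elif kind == MESSAGE_AUTHENTICATOR:
            if end - pos != 18:
                raise ValueError("bad Message-Authenticator length")
            mac, zeroed[pos + 2:end] = packet[pos + 2:end], bytes(16)
        pos = end
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator check failed")
    return eap
```

A request that lacks the Message-Authenticator, or whose contents changed in transit between authenticator and server, is rejected before any EAP data is handed to the authentication logic.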

Identity Sources are identity stores/directories that an authentication server (Cisco ISE) can use to validate authentication credentials provided by the supplicant. Additionally, they can be used to retrieve additional attributes (such as Windows Security Group membership in the case of Microsoft AD) to make decisions about what permissions the endpoint should have on the network (in other words, what they are authorized to do). While Cisco ISE can host an internal user/endpoint directory, it is most common that an existing directory/identity store will be leveraged for user authentication and attribute retrieval.

EAP Authentication Identities

Authenticate all the things! An endpoint provides its network access credential to the authentication server (by way of the authenticator) in order to authenticate itself to the network.  The type of authentication credential presented will depend upon the configuration of the supplicant software running on the endpoint device.  Some of the configuration parameters implemented on the supplicant define the EAP authentication type for a given network adapter (the network adapter could be wired or wireless).  In order to provide useful implementation details, the scope of this blog is limited to the most common EAP types deployed on the most common endpoint OS used by our customers, Microsoft Windows. 

Microsoft Windows OS is unique (in a good way!) with regard to how it implements its 802.1X identities. Unlike any other operating system, Microsoft Windows provides the ability to use a unique authentication credential for the machine (when no user is logged into Windows) and a separate, user-specific authentication credential for the user who is logged into Windows.

Selecting an EAP Type

This is not an exhaustive list of EAP types for Microsoft Windows, but what follows will be on the short list for your deployment. The big question to ponder is what type of authentication credential you want to use in your deployment: certificate-based or username/password-based? Certificate credentials are more secure than username/password credentials (these are still secure, but not as secure). Username/password credentials are much easier to implement and maintain than certificate credentials. If you don’t already have a PKI system deployed, your barrier to entry for 802.1X is higher for certificate-based than for username/password-based credentials. In the end, your organization will determine whether it values better security or simplified operations more when making this decision.

The EAP Tunnel

As it currently stands, there is only one industry standard EAP tunnel type implemented by the native 802.1X supplicant software embedded with the major operating systems: Protected EAP, or PEAP. With PEAP, the outer EAP tunnel is encrypted using TLS by way of the authentication server certificate. You can think of this secure tunnel being established in much the same way that your secure tunnel is established to your online banking website. When you connect to your bank's website, the website presents its security certificate. If your browser trusts the issuer of the bank website certificate, an encrypted tunnel to the website is established and you continue on to enter your credentials. In this analogy, the credentials you enter into your bank website are analogous to the inner EAP credentials in 802.1X. The major takeaway here is that even if you choose to deploy MSCHAP-V2 with usernames/passwords, you’ll still have at least one certificate that needs to be issued to the authentication server that all of your EAP supplicants trust.

Sean Barr, Founder and CEO

“We are strategically aligned with companies that enable your core infrastructure, such as Cisco, VMware, and Rubrik.”



© 2024 CIO Bulletin Inc. All rights reserved.