Securing network interfaces is another important security best practice. In this video, you’ll learn about EAP, IEEE 802.1X, and more.
One security challenge we have in many organizations is port security. This refers to the security on the individual interfaces that are on a switch or connections to a wireless access point. You may have even used port security without even knowing it. If you connect to a wired or wireless network and it first prompts you for a username and password, you may have taken advantage of this type of security.
This is a very effective way to secure a wireless network, because it provides authentication before anybody can access the resources on that wireless connection, but this is not limited to wireless networks. You can also implement port security on traditional switches.
Behind the scenes, the protocol that allows this port security to operate is called EAP. This is the Extensible Authentication Protocol, and it’s a framework for authentication that can be applied to many different types of networks and connections. This means, if you’re a wireless manufacturer, you can create an EAP configuration that works with your wireless access point. And if you create wired switches, you can enable EAP on that wired switch and integrate all of them together.
The most common integration of EAP is with 802.1X. This is an IEEE standard that manages the authentication process for users and devices joining your network. Sometimes you’ll hear 802.1X referred to as NAC or Port-based Network Access Control. If you were to plug into an available interface that’s on a switch, you would not be able to access the network that’s on that switch until you authenticated using 802.1X.
EAP and 802.1X work together so that you can provide login credentials, and then have those credentials provide you with access to the network. You’ll often see these used in conjunction with other types of authentication protocols or databases, such as RADIUS, LDAP, TACACS+, Kerberos, and others.
This is usually a process that involves three separate components. One of the components is the end user or client. We refer to this device as the supplicant. There’s also usually a switch or access point that you’d like to gain access to; we refer to this as the authenticator. And there’s usually a back-end database that contains all of these login credentials. This might be an existing Active Directory database that you can access with Kerberos or LDAP, or you might have a RADIUS or TACACS+ database. We refer to this as the authentication server.
When the supplicant first connects to the network, there’s no authentication, and the authenticator will not allow any access to the network until the authentication is complete. Once the authenticator sees this initialization, it sends a message back to the supplicant asking for login credentials. We refer to this request from the authenticator as the EAP request.
The supplicant provides an EAP response with the name of the device trying to access the network. That request is passed from the authenticator to the authentication server. And if the authentication server is accepting logins, it will send a request back to the authenticator asking for additional details that can be used for authentication.
The authenticator sends a request for those additional details to the supplicant, and then the supplicant provides the credentials required to log in to this network. The final step will be to confirm that these login credentials are correct. The authenticator then sends those credentials to the authentication server. And if the username and password and other login credentials match, the authentication server replies with a successful login and tells the authenticator to allow that user access to the network.
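The three-party exchange described above, simulated as an added example (it is not code from the original video). Each class plays one role: the supplicant answers EAP requests, the authenticator relays packets and keeps its controlled port closed until it sees EAP-Success, and the authentication server holds the credentials. The challenge-response method, the EAP type number 200, the usernames and the passwords are all constructed for this example; a real deployment would use an assigned EAP method such as EAP-TLS, and the authenticator would carry the EAP packets to the server inside RADIUS rather than a direct call.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# EAP code values as defined in RFC 3748 section 4
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1    # the EAP Identity type from RFC 3748
TYPE_CHALLENGE = 200  # constructed placeholder for the challenge method below
                      # (real methods use assigned types, e.g. 13 for EAP-TLS)


@dataclass
class Eap:
    """One EAP packet: code, identifier, method type and payload."""
    code: int
    identifier: int
    eap_type: int = 0
    data: bytes = b""


class Supplicant:
    """The client device. It holds the credential and answers EAP requests."""

    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def respond(self, req: Eap) -> Eap:
        if req.eap_type == TYPE_IDENTITY:
            # EAP-Response/Identity: announce who is trying to connect
            return Eap(EAP_RESPONSE, req.identifier, TYPE_IDENTITY, self.identity.encode())
        if req.eap_type == TYPE_CHALLENGE:
            # Prove knowledge of the password without ever sending it:
            # HMAC over (identifier || challenge), keyed with the password.
            proof = hmac.new(self.password, bytes([req.identifier]) + req.data, hashlib.sha256).digest()
            return Eap(EAP_RESPONSE, req.identifier, TYPE_CHALLENGE, proof)
        raise ValueError(f"unsupported EAP type {req.eap_type}")


class AuthenticationServer:
    """Back-end credential store (stands in for RADIUS, LDAP or Active Directory)."""

    def __init__(self, users: dict[str, bytes]):
        self.users = users
        self.pending: dict[int, tuple[str, bytes]] = {}  # identifier -> (identity, challenge)

    def handle(self, resp: Eap) -> Eap:
        if resp.eap_type == TYPE_IDENTITY:
            identity, challenge, ident = resp.data.decode(), os.urandom(16), resp.identifier + 1
            # Challenge every identity, known or not, so the exchange does not
            # reveal which usernames exist before any credential is checked.
            self.pending[ident] = (identity, challenge)
            return Eap(EAP_REQUEST, ident, TYPE_CHALLENGE, challenge)
        if resp.eap_type == TYPE_CHALLENGE:
            identity, challenge = self.pending.pop(resp.identifier, ("", b""))
            password = self.users.get(identity)
            if password is None:
                return Eap(EAP_FAILURE, resp.identifier)
            expected = hmac.new(password, bytes([resp.identifier]) + challenge, hashlib.sha256).digest()
            ok = hmac.compare_digest(expected, resp.data)  # constant-time comparison
            return Eap(EAP_SUCCESS if ok else EAP_FAILURE, resp.identifier)
        return Eap(EAP_FAILURE, resp.identifier)


class Authenticator:
    """The switch port or access point. It relays EAP between the two other
    parties and opens the controlled port only on EAP-Success."""

    def __init__(self, server: AuthenticationServer):
        self.server, self.authorized, self.log = server, False, []

    def forward(self, frame: bytes) -> bool:
        """Ordinary traffic is switched only once the port is authorized."""
        if not self.authorized:
            self.log.append(f"dropped {len(frame)}-byte frame: port unauthorized")
            return False
        self.log.append(f"forwarded {len(frame)}-byte frame")
        return True

    def authenticate(self, supplicant: Supplicant) -> bool:
        self.authorized = False
        req = Eap(EAP_REQUEST, 1, TYPE_IDENTITY)  # link up: ask who is there
        self.log.append("authenticator -> supplicant: EAP-Request/Identity")
        while req.code == EAP_REQUEST:
            resp = supplicant.respond(req)  # supplicant answers the request
            self.log.append(f"supplicant -> authenticator: EAP-Response type {resp.eap_type}")
            req = self.server.handle(resp)  # relay to the server, get next packet
            self.log.append(f"server -> authenticator: code {req.code}")
        self.authorized = req.code == EAP_SUCCESS
        self.log.append("port " + ("AUTHORIZED" if self.authorized else "unauthorized"))
        return self.authorized


# Constructed credential store for the demo; not a real account.
SERVER = AuthenticationServer({"alice": b"correct-horse-battery-staple"})


def demo(identity: str, password: bytes) -> tuple[bool, bool, bool, bool]:
    """Run one 802.1X exchange on a fresh port. Returns (frame forwarded before
    auth, authenticated, frame forwarded after auth, server issued a challenge)."""
    port = Authenticator(SERVER)
    before = port.forward(b"\x00" * 64)
    ok = port.authenticate(Supplicant(identity, password))
    after = port.forward(b"\x00" * 64)
    challenged = any(line.endswith("code 1") for line in port.log)
    return before, ok, after, challenged


if __name__ == "__main__":
    for who, pw in [("alice", b"correct-horse-battery-staple"), ("alice", b"wrong"), ("mallory", b"x")]:
        print(who, demo(who, pw))
```

The point to notice is in the Authenticator: it never inspects the credential, it only relays EAP and flips the port state on the server's verdict, and any frame sent before that verdict is dropped. The server also challenges an unknown identity exactly like a known one, so a failed attempt looks the same whether the username or the password was wrong.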