The Cable Guy - April 2002

IEEE 802.1X Authentication for Wireless Connections

By The Cable Guy

The IEEE 802.1X standard defines port-based, network access control that is used to provide authenticated network access for Ethernet networks. Port-based network access control uses the physical characteristics of a switched LAN infrastructure to authenticate devices that are attached to a switch port. The ability to send and receive frames using an Ethernet switch port is denied if the authentication process fails. While this standard is designed for wired Ethernet networks, it has been adapted for use on IEEE 802.11 wireless LANs. Windows XP supports IEEE 802.1X authentication for all LAN-based network adapters, including Ethernet and wireless.

IEEE 802.1X defines the following terms:

• Port access entity
• Authenticator
• Supplicant
• Authentication server

Port Access Entity

A port access entity (PAE), also known as a LAN port, is a logical entity that supports the IEEE 802.1X protocol that is associated with a port. A LAN port can adopt the role of authenticator, supplicant, or both.

Authenticator

An authenticator is a LAN port that enforces authentication before allowing access to services that are accessed through the port. For wireless connections, the authenticator is the logical LAN port on a wireless access point (AP) through which wireless clients, operating in infrastructure mode, gain access to the wired network.

Supplicant

The supplicant is a LAN port that requests access to services that are accessed through the authenticator. For wireless connections, the supplicant is the logical LAN port on a wireless LAN network adapter that requests access to the wired network. It does this by associating with, and then authenticating itself to, an authenticator.

Whether they are used for wireless connections or wired Ethernet connections, the supplicant and authenticator are connected by a logical or physical point-to-point LAN segment.

Authentication server

To verify the credentials of the supplicant, the authenticator uses an authentication server. The authentication server checks the credentials of the supplicant on behalf of the authenticator, and then responds to the authenticator, indicating whether or not the supplicant is authorized to access the authenticator's services. The authentication server might be:

• A component of the AP.

  The AP must be configured with the sets of user credentials that correspond to the clients that are attempting to connect. This is typically not implemented for wireless APs.

• A separate entity.

  The AP forwards the credentials of the connection attempt to a separate authentication server. Typically, a wireless AP uses the Remote Authentication Dial-In User Service (RADIUS) protocol to send the connection attempt parameters to a RADIUS server.

Controlled and Uncontrolled Ports

The authenticator's port-based, access control defines the following types of logical ports, which access the wired LAN through a single, physical LAN port:

• Uncontrolled port

  The uncontrolled port allows an uncontrolled exchange of data between the authenticator (the wireless AP) and other networking devices on the wired network, regardless of any wireless client's authorization state. A good example of this is the exchange of RADIUS messages between a wireless AP and a RADIUS server on the wired network, which provides authentication and authorization of wireless connections. Frames that are sent by the wireless client are never forwarded by the wireless AP through the uncontrolled port.

• Controlled port

  The controlled port allows data to be sent between a wireless client and the wired network, but only if the wireless client is authenticated. Before authentication, the switch is open and no frames are forwarded between the wireless client and the wired network. After the wireless client is successfully authenticated using IEEE 802.1X, the switch is closed and frames are forwarded between the wireless client and nodes on the wired network.

The relationship of the controlled and uncontrolled port for a wireless AP is shown in the following figure.

If your browser does not support inline frames, click here to view on a separate page.

On an authenticating Ethernet switch, the wired Ethernet client can send Ethernet frames to the wired network as soon as authentication is completed. The switch identifies the traffic of a specific wired Ethernet client by using the physical port to which the Ethernet client is connected. Typically, only a single Ethernet client is connected to a physical port on the Ethernet switch.

Because multiple wireless clients contend for access to and send data using the same channel, an extension to the basic IEEE 802.1X protocol is required to allow a wireless AP to identify the secured traffic of a specific wireless client. This is done through the mutual determination of a per-client unicast session key by the wireless client and wireless AP. Only authenticated wireless clients have a correctly determined per-client unicast session key. Without a valid unicast session key tied to a successful authentication, frames that are sent by an unauthenticated wireless client are silently discarded by the wireless AP.

Extensible Authentication Protocol

To provide a standard authentication mechanism for IEEE 802.1X, IEEE chose the Extensible Authentication Protocol (EAP). EAP is a Point-to-Point Protocol (PPP)-based authentication technology that was adapted for use on point-to-point LAN segments. Because EAP messages were originally defined to be sent as the payload of PPP frames, the IEEE 802.1X standard defines EAP over LAN (EAPOL), which is a method of encapsulating EAP messages so that they can be sent over Ethernet or wireless LAN segments.

For the authentication of wireless connections, Windows XP with Service Pack 1 (SP1) and Windows XP with Service Pack 2 (SP2) can use the EAP-Transport Layer Protocol (EAP-TLS) or the Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2). For more information about PEAP-MS-CHAP v2, see PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access. Windows XP with no service packs installed supports only EAP-TLS.

EAP-TLS is defined in RFC 2716 and is used in certificate-based security environments. The EAP-TLS exchange of messages provides mutual authentication, integrity-protected cipher suite negotiation, and mutual determination of encryption and signing key material between the wireless client and the authenticating server (the RADIUS server). After authentication and authorization, the RADIUS server sends the encryption and signing keys to the wireless AP by using the RADIUS Access-Accept message.

EAP-TLS, with registry-based user and computer certificates, is the recommended authentication method for Windows XP-based wireless connectivity for the following reasons:

• EAP-TLS does not require any dependencies on the user account password.
• EAP-TLS authentication occurs automatically, with no intervention by the user.
• EAP-TLS uses certificates, providing a strong authentication scheme.

Windows XP Support for IEEE 802.1X

In Windows XP, IEEE 802.1X authentication with the EAP-TLS authentication type is enabled by default for all LAN-based network adapters. To configure 802.1X authentication settings on a computer running Windows XP with SP1 or Windows XP with SP2, use the Authentication tab on the properties of a wireless network, available from the Wireless Networks tab of the properties of a wireless connection in Network Connections.

The Authentication tab for a wireless network is shown in the following figure.

To configure 802.1X settings for an Ethernet adapter or for a wireless adapter in a computer running Windows XP with no service packs installed, use the Authentication tab on the properties of the Ethernet or wireless connection in Network Connections.

On the Authentication tab, you can configure the following:

• Enable IEEE 802.1x authentication for this network This check box specifies whether you want to use IEEE 802.1X to perform authentication for this wireless network. This option is enabled by default.

  A Windows XP LAN connection sends three EAP-Start messages in an attempt to prompt the authenticator (the Ethernet switch or wireless AP) to begin the EAP-based authentication process. If an EAP-Request/Identity message is not received, IEEE 802.1X authentication is not required for the port and the LAN connection sends normal traffic to configure network connectivity. If an EAP-Request/Identity message is received, IEEE 802.1X authentication begins.

  Therefore, for an Ethernet LAN connection, leaving this setting enabled when the Ethernet switch does not support IEEE 802.1X does not impair connectivity. However, disabling this setting when the Ethernet switch requires IEEE 802.1X authentication will impair network connectivity.

• EAP type You can use this option to select the EAP type to use for IEEE 802.1X authentication. The list corresponds to the EAP dynamic link libraries (DLLs) installed on the computer. The default EAP types are Smart Card or other Certificate and Protected EAP (PEAP). The Smart Card or other Certificate type is for EAP-TLS and is selected by default.

• Properties Click to configure the properties of the selected EAP type.

• Authenticate as computer when computer information is available This check box specifies whether the computer attempts to authenticate using computer credentials (such as a computer certificate), without the user logging on. This option is enabled by default.

• Authenticate as guest when user or computer information is unavailable This check box specifies whether the computer attempts to authenticate as a guest when either user or computer credentials are not available. This option is disabled by default.

The properties of the Smart Card or other Certificate Properties EAP type (corresponding to EAP-TLS) is shown in the following figure.

From the Smart Card or other Certificate Properties dialog box, you can view and configure the following:

• When connecting To use the certificate on a smart card, click Use my smart card. To use a certificate in the Current User or Local Computer certificate store for authentication, select Use a certificate on this computer. By default, Use a certificate on this computer is selected. Windows XP with no service packs installed does not support the use of smart cards for secure wireless authentication.
• Use simple certificate selection This check box enables and disables simple certificate selection. When enabled, Windows attempts to simplify the list of certificates with which the user is prompted for selection. The certificates that are usable for EAP-TLS authentication are grouped by the entity that was issued the certificate based on the Subject Alternative Name and Subject fields of the certificates. The most recently issued certificate from each group is used to create the list that is presented to the user. Simple certificate selection is only used when Use a certificate on this computer is selected. When Use a certificate on this computer is selected, simple certificate selection is enabled by default.
• Validate server certificate This check box specifies whether you want to validate the computer certificate of the authenticating server (typically a RADIUS server). This option is enabled by default.
• Connect to these servers You can specify by name the RADIUS servers that are providing authentication and authorization for the connection. If you specify server names, they must exactly match the server name in the Subject field of the RADIUS server's certificate. Use semicolons to specify multiple RADIUS server names. By default, there are no server names.
• Trusted Root Certification Authorities This list box allows you to select multiple trusted root CAs from which the wireless client will accept for the certificate of the RADIUS server.
• View Certificate This allows you to view the properties of the root certificate currently selected in the Trusted Root Certification Authorities list.
• Use a different user name for the connection This check box specifies whether you want to use a user name for authentication that is different from the user name in the certificate. This option is disabled by default. If it is enabled, you are prompted with a dialog box to select a user certificate, even if only one user certificate is installed. The selected certificate is used until the Windows XP user session has ended.

For More Information

For more information about IEEE 802.11 and 802.1X support in Windows XP, see the following resources:

• IEEE 802.11b Wireless Networking Overview (Cable Guy article for March 2002)
• Wireless Deployment Technology and Component Overview
• PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access (Cable Guy article for July 2002)
• Microsoft Wireless Networking Web site

For a list of all The Cable Guy articles, click here.