IEEE 802.1X Standard and EAP Authentication Schemes
Abstract
Weak authentication is a common reason why network users suffer when attackers exploit vulnerabilities. With the growing number of network attackers, there is a need to rely on authentication technologies that are most effective at denying access to unauthorized users. IEEE 802.1X and the Extensible Authentication Protocol (EAP) play a major part in mitigating authentication risks, including providing a framework for handling issues such as password changes made by attackers, credentials stored in unprotected networks, and the risk of re-using a single password for longer than is safe.
Introduction
Whenever cybercriminals exploit vulnerabilities in systems, users often suffer a myriad of consequences, including loss of integrity, loss of availability of the network and other computer resources, and loss of data privacy. With the growing number of network attackers, there is a need to rely on authentication technologies that are most effective at denying access to unauthorized users. IEEE 802.1X and the Extensible Authentication Protocol (EAP) are two of the most effective authentication schemes and play a major part in mitigating authentication risks. Such risks include password changes made by attackers, weak credentials in unprotected networks, and the risk of re-using a single password for a long duration. Given the mutual agreement mechanisms and the capability to deny unauthorized access that IEEE 802.1X and EAP provide, it is imperative to rely on the two schemes to secure information access. This paper, therefore, discusses the role of IEEE 802.1X and EAP in improving the authentication process.
Background of EAP and IEEE 802.1x Standards
IEEE 802.1X is a standard that uses port-based network access control to provide an authentication structure for devices attached to a local network. The standard works with the EAP framework to reduce the risk of security breaches affecting the information exchanged between two parties. The 802.1X standard has three elements that are relied upon to reduce authentication risks: the supplicant, the authenticator, and the authentication server. The supplicant is the device attached to the local area network and is responsible for providing the necessary authentication information to the authenticator. The authenticator is a network device such as a wireless access point, while the authentication server hosts the EAP framework.
The purpose of the authenticator is to provide protection by acting as the guard of the network over which information is exchanged. This means the authenticator is responsible for validating the supplicant's credentials, so that in the case of suspicious access to the server the authenticator is able to deny access to the network. 802.1X relies on controlled and uncontrolled ports to achieve its functions. The controlled port gates network traffic, so that it is able to allow or deny access to the network. The uncontrolled port, on the other hand, is responsible for transmitting and receiving the EAP frames. EAP is applied where data on an unprotected network must be guarded from unauthorized access.
The authentication use cases that could be supported by the 802.1X standard and EAP include authentication of financial transactions when using smart cards, authentication of credentials such as the personal information in a traveler's passport, and authentication of academic certificates. In these cases EAP relies on a conversation with an authentication server, so that through the authentication requests exchanged between the two parties it is possible to determine whether authentication succeeds.
Authentication risks
There are various authentication risks that need to be closely monitored if individuals want to prevent their important personal and financial information from being breached. One type of risk is the failure to store credentials in a protected network, which makes it easier for third parties to access the information without much struggle with the authentication process.
The fact that individuals re-use their password without changing it exposes them to the threat of attack, since it is possible for hackers to trace the re-used passwords and then use them to access credentials without authorization. This implies that credentials need to be stored in a protected network so that 802.1X and EAP applications can conduct the authentication process whenever there are access attempts on the credentials. Another risk arises where users' log-out requests are not properly validated during the logging out of a session, so that the information accessed becomes subject to re-use by unauthorized parties. For instance, an employee could close a browser thinking that by doing so they are automatically logged out. However, an attacker could re-open the browser and access the contents of the same session the user had accessed.
In some cases the user could log out but the session ID is still displayed, so that an attacker finds it easier to use the exposed ID to gain entry to essential information, which could include stealing an individual's academic records. However, the IEEE 802.1X and EAP frameworks are able to prevent such cases: when a user logs out, access is denied unless the user undergoes the authentication process again to regain access to the details. The frameworks make it easier to mitigate the risks since session IDs are rejected as soon as the user logs out of the server, which protects the user from loss of important personal information and records. A further authentication risk is that password change features could be poorly secured, so that the user is not given an option to re-authenticate; in the event that the computer is left unattended, a malicious individual could take the opportunity to access the user's information.
However, with the 802.1X and EAP standards it is possible to secure personal information over networks, so that when an attacker tries to change the password they are asked to re-authenticate by entering the old password, and their ill intentions are dealt a blow. The servers go on to ask the attacker additional security questions that could prevent them from accessing the profile of a person or an organization without authority.
Authentication Process using IEEE 802.1X and EAP
Activation of the authentication process
There are several major steps that 802.1X follows to reduce authentication risks and admit only users it has verified. The first step is the initialization stage: upon detection of an attempt to access information on the network, the authenticator is activated and treats the transmission as unauthenticated until proven otherwise. 802.1X plays a key role during the initialization stage since it is the only traffic allowed to flow within the local area network. This implies that other traffic, such as IP, is blocked since it could interfere with the authentication process of the 802.1X standard.
Initiating the authentication process
After the initialization phase, the authentication process is initiated when the authenticator sends an EAP-Request/Identity to a specific address on the LAN. The request is examined by the supplicant, and when the EAP request is received a response is returned that carries an identifier for the user. The response is then encapsulated in an Access-Request packet, with the authenticator forwarding the response to the authentication server. Upon receipt of the forwarded response, the authentication server takes responsibility for sending a reply through a RADIUS challenge packet to the authenticator, carrying the EAP frames.
Establishing an agreement of the EAP method suggested
This is a process of negotiation, since the reply from the authentication server is aimed at specifying the EAP method to be used. The authenticator takes the recommended authentication method, bundles the EAP request in a frame, and transmits it to the relevant supplicant. The supplicant then examines the EAP method sent to it and responds on whether it is willing to rely on that method to carry out the authentication process. The authentication server and the supplicant need to agree on the suggested EAP method, and the authenticator is given the task of relaying the responses between the authentication server and the supplicant.
Final authentication process
There are two actions the authentication server could take: it could accept the authentication request and send an Access-Accept, or it could reject the request and send an Access-Reject to deny access to the network. This is the final stage of authentication. If authentication is successful, normal traffic across the LAN occurs; if authentication is denied, the port remains in the unauthorized state, possibly because of suspicion on the part of the authentication server. When the user logs off, a log-off message is sent to the authenticator and the port is restored to the unauthorized state, so that the whole process has to be repeated by anyone wishing to access the network again.
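The steps above (initialization, Request/Identity, RADIUS relay, EAP method negotiation, Access-Accept or Access-Reject, and log-off) as a toy simulation; this is an added example, not code from the paper. The credentials, method names, dict-based port and trivial secret check are constructed assumptions, and the NAK path shows what happens when the supplicant declines the server's first method.

```python
# Added example, not code from the paper: a toy simulation of the 802.1X
# exchange (Request/Identity, identity relayed in a RADIUS Access-Request,
# method negotiation via NAK, Access-Accept/Reject, EAPOL-Logoff).
# Credentials, method names and the dict-based port are constructed
# assumptions; the credential check is deliberately trivial.

SERVER_USERS = {"alice": "s3cret"}              # constructed sample credentials
SERVER_METHODS = ["EAP-TLS", "EAP-MSCHAPv2"]    # server preference order

def auth_server(identity, reply, state):
    """Authentication server: return the next EAP message for this identity."""
    if reply is None:                           # Response/Identity just arrived
        state["method"] = SERVER_METHODS[0]
        return ("Request", state["method"])
    if reply[0] == "Nak":                       # supplicant declined the method
        usable = [m for m in SERVER_METHODS if m in reply[1]]
        if not usable:
            return ("Access-Reject", None)      # no agreement on a method
        state["method"] = usable[0]
        return ("Request", state["method"])
    if reply[0] == "Response" and reply[1] == state["method"]:
        if SERVER_USERS.get(identity) == reply[2]:
            return ("Access-Accept", None)
    return ("Access-Reject", None)

def supplicant(identity, secret, supported):
    """Supplicant: answer a method Request, or NAK it listing what we support."""
    def respond(request):
        method = request[1]
        if method in supported:
            return ("Response", method, secret)
        return ("Nak", supported)
    return identity, respond

def authenticator(supp, port):
    """Authenticator: relay EAP over the uncontrolled port and open the
    controlled port only on Access-Accept. Returns (port state, message log)."""
    port["controlled"] = "unauthorized"         # initialization: only EAPOL passes
    identity, respond = supp                    # EAP-Request/Identity -> identity
    state, log = {}, ["Request/Identity", f"Response/Identity {identity}"]
    msg = auth_server(identity, None, state)    # forwarded as RADIUS Access-Request
    while msg[0] == "Request":                  # Access-Challenge carrying an EAP Request
        log.append(f"Request {msg[1]}")
        reply = respond(msg)
        log.append(f"{reply[0]} {reply[1]}")
        msg = auth_server(identity, reply, state)
    log.append(msg[0])
    if msg[0] == "Access-Accept":
        port["controlled"] = "authorized"
    return port["controlled"], log

def logoff(port):
    """EAPOL-Logoff: the controlled port returns to the unauthorized state."""
    port["controlled"] = "unauthorized"
    return port["controlled"]
```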
Conclusion and recommendations
With the growing number of network attackers, there is a need to rely on authentication technologies that are most effective at denying access to unauthorized users. Such is the strength of IEEE 802.1X and the Extensible Authentication Protocol, which play a major part in mitigating authentication risks. However, users also need to take personal responsibility for avoiding mistakes such as relying on a single password for a long period, failing to log out after sessions, or storing their credentials in unprotected networks.