Blue Light
Space shortcuts
Child pages
  • 802.1X
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

Introduction

Things to mention:

802.1X is a standard that is part of 802.1, it consists in access control to a network by allowing/blocking all packets at the client's point of access into the network, including all broadcast packets, etc.  ... It is possible on Wi-Fi, ethernet and other mediums.

Upon connecting a device to an ethernet port on a switch or associating to a wireless SSID, the network switch or wifi router concerned will initially not allow any data to be transmitted/received by the device. It will request the connected device to identify itself and, upon approval of the supplied credentials by an authentication server, start accepting packets from/to the newly connected device, or continue dis-allowing, in the case the authentication server did not approve the credentials.

 

Architecture

802.1X defines how EAP messages are transmitted over an IEEE 802 network (e.g. ethernet, wifi).

RADIUS is a protocol to exchange information between an authenticator (also known as NAS (Network Access Server)) (see above picture) and an Authentication server. Each packet has a packet type, and contains multiple ValueName-Value attributes with relevant information as may be the case. By default, it operates on UDP port 1812. A well known RADIUS server software is called FreeRADIUS.

In the above example, a wifi router is providing access to the 192.168.254.0/24 network. When a device (called a supplicant) attempts to connect to the wifi network, the wireless router starts an EAP conversation with the supplicant over 802.1X, requesting it to supply credentials. The router then connects to the authentication server (which, in the example above is also part of the 192.168.254.0/24 network) and sends the EAP response it received from the supplicant over the RADIUS protocol in a packet of type Access-Request as one of the attributes. The authentication server may wish to request the client for more information, it may thus answer the wifi router with a RADIUS packet of type Access-Challenge containing an EAP message to be forwarded to the supplicant. The NAS facilitates this conversation between authentication server and supplicant until the authentication server sends a packet to the NAS which is of either type Access-Accept or Access-Reject. In the case of an Access-Accept, the wifi router now allows the supplicant to join the network, or, in the case of Access-Reject, will not. Once the NAS has granted access, for 802.1X/RADIUS/authentication server, the job is done, and the supplicant becomes part of the 192.168.254.0/24 network's broadcast domain. The authentication server, can specify attributes in replying packet to give the NAS additional instructions, for example, it might request the NAS to place the newly connected supplicant in a specific VLAN, or it might specify for how long the supplicant is allowed to remain connected, or  It can now initiate a DHCP request for an IP address or any other action as may be appropriate. The authentication server is able to log that the user connected along with information from attributes the NAS might have sent, generally this includes the MAC address of the supplicant, MAC address of the NAS, username (if authentication was done by username/password) and more depending on the NAS model.

EAP and RADIUS are both general purpose protocols that take care of communication. They have support for a great variety of features or different methods to perform authentication (e.g. it is possible to use different protocols that authenticate the user using a username and password, or using client certificates, or even SIM cards), but it is still up to the supplicant, NAS and authentication server implementations to choose which ones they support or not. In fact, EAP is only a tunneling protocol inside which a suitable protocol for performing authentication needs to be used. This makes it possible to have flexibility in usable authentication protocols whilst maintaining compatibility with any NAS, as long as the authentication protocol is supported by both the supplicant and authentication server.

The RADIUS protocol also includes the possibility for the NAS to send accounting information to the authentication server for the purpose of logging user activity, this is on a separate port, UDP 1813, this has not been investigated as it seems to be not supported by the NASes we have, and presumably is not on any NAS in the price range.

The RADIUS protocol also includes the possibility for the authentication server to initiate a connection to the NAS and inform it to disconnect a currently logged in user, but again, this has not been investigated much as it seems to be not supported by the NASes we have, and presumably is not on any NAS in the price range.

In absence of the above mentioned feature, once a user has connected, there is no way to disconnect them other than rebooting the NAS. If the system administrator chooses to disable a user account on the authentication server, the user will be denied access only from the next time they try to connect, if they are already connected at the time of disabling the account, they will remain connected for the moment. It is possible for the authentication server to specify with the "Session-Timeout" and "Termination-Action" attributes of the Access-Accept packet for how long a user is allowed to remain connected without repeating authentication (again subject to NAS supporting). Depending on the NAS and supplicant models it has been observed that there can be a new authentication request, in the case of wifi, when the supplicant moves out of range of the wifi and then comes back, or when the user switches wifi off and on again on the supplicant, but might also not be the case.

Things to mention:

What RADIUS/802.1X is able to provide and not and in which situations.

Proxying

Varying implementation of features - Done

Re-auth, accounting, request from server, - Done

features supported by TP-Link NASes

Terminology: NAS, RADIUS, FreeRADIUS, Authenticator, Supplicant, Authentication server

Diameter

Protocols used: EAP, MSCHAP, PEAP, TTLS, TLS

What EAP is - Done

Difference between auth systems: PEAP, TTLS, TLS

Difference between 802.1X and RADIUS and FreeRADIUS - Done

RADIUS is the protocol, it can be used for many purposes and many authentication methods can be used. - Done

Certificates

Outer and inner identity and MAC/Windows support

Wifi keying, session timeout, etc. protections against MAC-spoofing, etc.

SSL tunnel

FreeRADIUS configuration files

FreeRADIUS configuration files are many. They are located in /etc/freeradius/3.0 on Debian systems. Other distributions use a slightly different location. Most of them contain plenty of comments explaining what the configuration does and advice and warnings. Here are some of them:

clients.conf - List of clients that will be connecting to the FreeRADIUS server, including their IP addresses and passwords that they will use to authenticate to FreeRADIUS. What is called a FreeRADIUS client is actually a NAS, not a supplicant. Supplicants do not speak directly to RADIUS servers.

mods-available - Folder containing config files of modules that can be used with FreeRADIUS

mods-enabled - Folder containing symlinks to files in the mods-available folder, for modules that should be enabled

mods-config - Folder containing more config related to modules and things like .sql files containing empty schemas for initial creation of databases for use with the sql module

sites-available - "Sites" that can be served by FreeRADIUS.

sites-enabled - Folder containing symlinks to files in the sites-available folder, for sites that should be enabled

By default, the 'default' and 'inner-tunnel' sites are enabled. One of them listens for incoming requests from the NASes, the other listens to requests forwarded by the 'default' site..........

Inner tunnel and outer tunnel sites

The site files contain multiple sections, here are some of them:

authorize - This section lists modules/code that are run when a request is received, in preparation for authentication. One of the important tasks is to find out which authentication method/protocol the supplicant is trying to use and which FreeRADIUS module is appropriate to deal with it. When one of the listed modules finds that it is able to deal with the request, it informs FreeRADIUS. Another important task is to load in memory information that might be needed for authentication. For example, the sql module loads the relevant credentials from the SQL database so that the appropriate authentication module that runs in the authenticate section can access them in order to compare them with what the supplicant sent.

authenticate - After the authorize section ran, this section takes care of the actual authentication. In here modules are called that assess the information made available to them and answer in regards of what action should be taken.

post-auth - After it has been determined what action should be taken, this section takes care of any extra tasks required to be carried out, for example logging.

Sources

Support / Knowledge places

Most documentation regarding FreeRADIUS and many modules, and some examples, can be found on the FreeRADIUS wiki:

https://wiki.freeradius.org/

A lot more useful information can be found on the FreeRADIUS mailing list:

https://wiki.freeradius.org/guide/Users-Mailing-List

http://lists.freeradius.org/mailman/listinfo/freeradius-users

  • No labels