I run into two fundamental problems when I start to talk to customers or audiences about Network Access Control and its related standards and protocols. What are they? Number 1, most folks have no clue what 802.1X actually is. Number 2, for the most part, they don’t really understand what NAC is either.
The fact that they’re such common ‘buzz words’ in today’s IT world makes people hesitant to ask questions. You know we IT-folk don’t like admitting we don’t know everything about anything! However, these are rather simple concepts with extremely complicated components and 98% of the technology world doesn’t really know as much as they’d like to about NAC and 802.1X. You’re not alone.
And so, here’s a short technology primer for you, to give you a little insight into the IEEE 802.1X standard and where it falls into the NAC picture. I said I was going to keep this short, so hang with me here.
What is it? 802.1X is an IEEE standard for Port Access Control, also referred to as Port-Based Network Access Control, but that term gets a bit confusing, so I prefer the former. It actually started about 10 years ago, and has been edited and revised since then to add support for new technologies, including adding some specific attributes for wireless implementations.
What does it do? With 802.1X you can have switch ports, by default, be closed, or shut off. These ports will then only be opened once a user attempts to connect to the network and has been successfully identified as someone who is allowed access. At this point, we would say that this legitimate user is ‘authenticated’. Until this happens, no standard network traffic passes through the 802.1X port- so whatever is trying to connect will not even get an IP address. No IP address = no network access.
Why would I use it? In a wired environment, you can use 802.1X to extend some physical or layer 1-type security to the edge. In a fully 802.1X-enabled environment, imagine every edge port is off, and completely inaccessible, until an authorized user attempts to connect through it. It’s a great way to secure edge ports, as well as infrastructure connections. You can use 802.1X to authenticate your network devices to one another, or to the network, and pretty confidently eliminate any chances of gaining rogue devices.
Note that, in reality, 802.1X is not something you wake up one day and willie-nillie enable on every port. You’ll want to start with edge ports in public areas, such as conference rooms, then roll out the rest in phases.
In the wireless world, 802.1X is the chosen authentication method to provide enhanced key exchange and rotation for a more secure wireless experience. In fact, it’s been so widely adopted for this use, that it’s commonly mistaken for a wireless standard (802.11 instead of 802.1).
How does it work? Without dragging up a bunch of terminology you’re probably not familiar with, let’s talk about a couple of basic concepts. 802.1X leverages (or can leverage) your existing infrastructure. If your switches are 802.1X-capable, then they’re ready to go. How do they know that user trying to connect is legitimate? Your 802.1X switches are talking to your RADIUS server, and your RADIUS server is talking to your Directory (AD, eDirectory, or other LDAP). All stuff you probably already have.
You do need something called a supplicant on the endpoint. A supplicant is just an 802.1X client- it’s built into the majority of newer operating systems, and you also have the option of 3rd party supplicants that can be delivered/installed just like any other client.
Doesn’t sound too glamorous does it?
You’re probably wondering “where’s all the magic?” Well, 802.1X’s special power lies in the Extensible Authentication Protocol or EAP. Earlier, I said until a port is opened, ‘no standard network traffic’ is allowed through. Well, obviously something is allowed through, or else there would never be a means to communicate- that something that’s allowed is EAP. EAP carries information between your endpoint, through the switch and to the RADIUS server.
What about VLANs? You’ve probably heard we can provision dynamic VLANs using 802.1X and that’s certainly true. That VLAN assignment actually comes from your configurations in the RADIUS server. The RADIUS server sends back information that includes ‘other’ attributes, such as the VLAN and QoS assignments. With the new RFC standards and RADIUS attributes, we can do all sorts of neat-o things.
What you end up with is a pretty secure, and fairly flexible solution- possibly without having to purchase any additional equipment or software.
And what about NAC? If you’re wondering how 802.1X and NAC fit together, it’s pretty simple. Most of today’s network-based NAC solutions can work in conjunction with 802.1X to provide a robust solution with Layer 2 and up protection. Other NAC vendors that don’t leverage 802.1X are using a variety of Access Control Lists, either on switches, routers, a NAC appliance, or at the host. If you’re using 802.1X with NAC, we’ll generally say it’s Layer 2 NAC (since 802.1X is a L2 standard) and if it’s IP/ACL-based, it’s Layer 3 NAC. Some solutions will let you use a mixture. [Note: Layer 2 is generally accepted as being the more secure solution, but some vendors will try to pour their layer 3 Kook-Aid down your throat.]
That’s all. I’ve certainly grossly over-simplified the implementation of 802.1X. You do have to properly configure the RADIUS server and setup the switches to communicate with it. The list of EAP methods available is an arm’s-lenght long and supplicants aren’t ever as clear-cut as we’d like them to be. However, omitting the technicalities of integration, I hope you now have a better idea of what 802.1X is, how it works, and why you’d use it.
If you’re a glutton for punishment, I do have a fairly lengthy presentation I put together with a technical dive into 802.1X. If you’re interested in seeing that, email with (form on left) or post a comment (below) and I’ll send it your way.
# # #
Would you please send me a copy of your full 802.1x presentation?
Hi Mrs Minella.
Thank you for your crystal clear explanation of 802.1x. I am a glutton for punishment, I want to read more about it.
Hi!!
Excellent primer. I would really appreciate if you could send me the more in-depth 802.1x presentation as I want to understand this technology further.
Thanks!
HI JJ. Excellent summary. I’m just starting out in the NAC world and the more I understand the better I can explain to the organization.
Thanks
Al
Hi JJ,
Thanks so much for this great primer. Could you send me the link to your in-depth presentation on 802.1X? Specifically, I have a 2008 Certificate infrastructure that uses cross-forrest authentication, plus we have a few random forests here and there at locations across the globe and I would like to know more information where to place our radius servers and how many we will need. Thanks so much!
Excellent summary, is the presentation still available. We are just starting out in the NAC world and the more I understand the better I can explain to the organisation.
Thanks
I also would like a copy of the 802.1X presentation if still available…
Is the presentation still available? If so, I’d like to get a copy please. Thanks!
Hi,
I would be glad if you could send me the presentation on 802.1X!
Thanks a lot!
Thomas
Hi,
I’d like to see the 802.1x presentation.
If you’re a glutton for punishment, I do have a fairly lengthy presentation I put together with a technical dive into 802.1X. If you’re interested in seeing that, email with (form on left) or post a comment (below) and I’ll send it your way.
BR,
Steven
Thank you for sharing. I want more punisment, can you send me your full 802.1x materials? Thanks in advance. – Carl
JJ
Would you please send me a copy of your full 802.1x presentation?
Thanks JJ
That was very clear explanation of 802.1x and the NAC methods going on now a days. This truly seems like the best secure methods available as its working on layer2.
Please send the lengthy presentation file to me.
Many Thanks
Nice article. It would be great if you could send me the mentioned presentation.
Yours sincerely,
Christian
Thanks JJ,
Would love a copy of the 802.1X presentation/technical dive as well.
Steve
JJ
I’m definitely a glutton :-) Please send me a copy of your presentation and technical dive. Maybe it can help me sway some folks here ;-)
JJ
Would you please send me a copy of your full 802.1x presentation?
Hello,
Great primer. I would greatly appreciate it if you could send me a copy of the 802.1X presentation.
Hi,
Thanks so much for the dumbed down version. I work in the industry and giving a simple explanation to customers can be difficult so this post is great.
I would love to see the longer version if its still available.
Thanks!!
Thank you for the simplified explanation. I am just beginning to delve into NAC and 802.1X and this was marvelous. Yes, I would like a copy of the full presentation if still available.
Thanks again!
Very nice intro! I would love to see the longer version.
I would love a copy of the lengthy presentation.
[…] 802.1X: Port Security Standard by IEEE (read overview on post here) […]
Hi Jennifer,
Can I get a copy of your lengthy 802.1X presentation?
Kind regards
Mark Englund
Excellent! I would like to get a copy of your prezo as "a picture is worth and a…" Thanks again and keep up the great articles!
Thanks for the education. Our groups has been discussing using NAC to solve our issue of having open switch ports in our meeting rooms. How do we prevent visitors from using the connection? NAC seems to be the answer.
To Raf:
The biggest problem is that when Network Admission Control (posture and authentication) became popular and companies started budgeting for it, others came up with "Network Access Control" which was their way of saying "NAC" but meaning 802.1x. This confused many people (customers, analysts, writers, etc.) because the "NAC" name was so commonplace. This is still getting sorted out in the industry, but most would agree that it should be a combination of who you are (authentication) and your cleanliness (posture).
Well put. This is, as you put it, gross oversimplification but I can attest to how many people simply don’t get 802.1x and NAC. I had the distinct experience of watching a very large business try and do "NAC" and heard the mass confusion with supplicants, RADIUS, ports, access control, and other terms – and it’s high time someone explained this to them. I only wish some of those folks weren’t too busy to read your blog :)
Okay, that makes more sense, thanks for the explanation Mike :)
Really good overview of 802.1X. I wonder why Cisco (I teach their courses) is not able to start their .1x-chapters with an introduction that is that clear …
Thank for a simple way of explaining 802.1x to my customers. Sometimes its hard to quickly get to the point on complex topics. Simpler is better.
Write a simple dumb-down explaination on De-perimeteration too ok? :>
Henry Guzman, CISSP
Jennifer,
Thank you for your post. I am in the process of learning about this. I would appreciate a copy of your in-depth article.
Thanks Again!!
Jack
JJ, nice tutorial.
Lee, don’t confuse 802.1x with access control lists. What normally happens when the physical link does an up/down, the switch port goes into an unauthenticated state. If you plug and unplug the same computer back in, the supplicant should (supplicant dependent) re-authenticate using cached credentials–the user doesn’t notice anything. If it is a new computer, the new computer even with the same MAC has to re-authenticate.
Thanks for the overview, very enlightening on a subject I didn’t know very much about!
That being said, I’m curious about Layer 2 NAC, how do the ACLs work, once authenticated, do you have to stay authenticated, or could an authenticated machine be pulled off a port and a machine with the same MAC address connect and be able to access the network?