Part I of the Clearing Up 802.1X Series
Multiple Device Authentication and Mixed Authentication
Pure vs Applied 802.1X
There are a couple of issues mentioned in Mike’s and Richard’s posts that I’d like to address with the current 802.1X standard (802.1X-2004) as it relates to multiple device authentication.
When I talk about 802.1X with people, I like to distinguish ‘pure’ 802.1X from ‘applied’ 802.1X, meaning that there is the 802.1X that is a strict, formalized standard, and then there is the reality of 802.1X and related standards, which mix the ‘pure’ 1X with vendor interpretations and extensions. Below are some example use cases of 802.1X that may operate outside the scope of the current 1X standard.
Applied 802.1X use cases…
- Mixed authentication methods on a port (MAC-auth, Web-auth, 802.1X)
- Multiple devices authenticating per port (VoIP, hubs)
- Authenticated and unauthenticated users on a single port (guest users)
- Device to device (infrastructure) authentication
Multiple Device Auth with 802.1X-Now
Specifically, when we look at multiple device auth on a single port with 802.1X, we’re pretty good with any solution if we’re using 802.1X to authenticate each device individually. Let’s say, for example, a VoIP phone with a PC behind it, both using supplicants and 802.1X to authenticate. Pretty easy, straightforward, and with very little variance from vendor to vendor.
But let’s say that (as in most organizations) not every device supports 802.1X, so we end up with VoIP phones that are not 1X-capable, and we’re using MAC-Auth for those, with 802.1X for the PCs connected through them… a different story.
Mixed Authentication
Why? Because mixed authentication schemes are outside the scope of the pure IEEE standard for 802.1X. Most major switch vendors support this function (by allowing 802.1X mixed with MAC-auth or Web-auth), but they do so with their own implementation and interpretation. It doesn’t always work well, and this is universal for all vendors from what I’ve seen. (Some are more committed to addressing and fixing it than others, but it’s a global issue.)
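To make the VoIP-phone-plus-PC scenario concrete, here is an added toy model (my own illustration, not code from the post or from any switch vendor) of the authenticator side of one access port that tries 802.1X first and falls back to MAC-auth when no supplicant answers. The host-mode names "single" and "multi", the fallback rule (EAP timeout falls through to MAC-auth, an explicit credential failure does not), and the sample user store and MAC list are all assumptions constructed for the example; real switches name and implement these policies differently, which is exactly the vendor variance the post describes.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample back-end data: stands in for a RADIUS user store and a
# MAC address directory. Not taken from any real deployment.
DOT1X_USERS = {"alice": "correct-horse-battery"}
MAB_ALLOWED = {"00:11:22:33:44:55"}          # the non-1X-capable VoIP phone


@dataclass
class Device:
    mac: str
    supplicant: bool                         # does it speak EAPOL at all?
    username: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Port:
    """Authenticator side of one access port (hypothetical model)."""
    host_mode: str                           # "single" or "multi" (assumed names)
    order: tuple = ("dot1x", "mab")          # try 802.1X first, then MAC-auth
    sessions: dict = field(default_factory=dict)    # mac -> method that authorized it
    violations: list = field(default_factory=list)  # MACs refused by host-mode policy

    def _dot1x(self, dev: Device) -> Optional[bool]:
        """None = no supplicant answered (EAP timeout); True/False = auth result."""
        if not dev.supplicant:
            return None
        return DOT1X_USERS.get(dev.username) == dev.password

    def _mab(self, dev: Device) -> bool:
        return dev.mac in MAB_ALLOWED

    def connect(self, dev: Device) -> Optional[str]:
        """Return the method that authorized the device, or None if it was denied."""
        if dev.mac in self.sessions:
            return self.sessions[dev.mac]
        # Single-host semantics: a second MAC behind an already-authorized port
        # is a security violation, regardless of whether it could authenticate.
        if self.host_mode == "single" and self.sessions:
            self.violations.append(dev.mac)
            return None
        for method in self.order:
            if method == "dot1x":
                result = self._dot1x(dev)
                if result is None:
                    continue             # EAP timed out: fall back to the next method
                if result:
                    self.sessions[dev.mac] = "dot1x"
                    return "dot1x"
                return None              # wrong credentials: deny, no fallback (assumed policy)
            if method == "mab" and self._mab(dev):
                self.sessions[dev.mac] = "mab"
                return "mab"
        return None


# Constructed devices: the phone (MAC-auth only), a PC with a working
# supplicant, and an unknown device with neither credentials nor a MAC entry.
PHONE = Device("00:11:22:33:44:55", supplicant=False)
PC = Device("aa:bb:cc:dd:ee:ff", supplicant=True,
            username="alice", password="correct-horse-battery")
UNKNOWN = Device("de:ad:be:ef:00:01", supplicant=False)


def demo(host_mode: str) -> dict:
    """Plug the phone in first, then the PC behind it, then the unknown device."""
    port = Port(host_mode=host_mode)
    return {"phone": port.connect(PHONE), "pc": port.connect(PC),
            "unknown": port.connect(UNKNOWN), "violations": list(port.violations)}


if __name__ == "__main__":
    for mode in ("single", "multi"):
        print(mode, demo(mode))
```

Running it shows the two behaviours the post contrasts: in "single" mode the phone authorizes via MAC-auth and the perfectly valid PC behind it is logged as a violation, while in "multi" mode each MAC gets its own session with its own method and only the unknown device is refused.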
I would say this would change, but with 802.1X-REV expected early next year, vendors and the IEEE may decide not to put more effort into a superseded technology. (I think there may be some interest in continuing development and support of 802.1X-2004, since the revision will require a hardware refresh to make use of MACsec/802.1AE.)
:::Glossary:::
- 802.1X: Port Security Standard by IEEE (read overview on post here)
- 802.1X-2004: The current revision of IEEE 802.1X
- 802.1X-REV: The upcoming revision of IEEE 802.1X (due in 2009)
- MAC-Auth: Similar to 802.1X in function, but authenticates a device using its MAC address and a directory
- Web-Auth: Similar to 802.1X in function, but authenticates a user in a captive-portal format, using a web browser log-in and authentication usually locally or to a directory
- MACsec/802.1AE: Media Access Control Security, a 2006 standard for layer 2 encryption being rolled into the 802.1X-REV of 2009
:::Links:::
- Mike Fratto’s Post ‘New Protocols Secure Layer 2’
- Richard’s Post ‘Hop by Hop Encryption: Needed?’
:::Next:::
# # #
Love the 802.1x series JJ. Thanks!