Blogs
- Mastering DHCP Snooping: Enhance Your Network Security
- Automate Meraki Device Renaming
- Securing Your Network Access with 802.1X
- OpenSSL cheatsheet
- 802.1x EAP peap and EAP tls
- BGP Internet Edge
- Sumologic Troubleshooting
- Firewall Benefits
- Meraki
- Napalm Python
- SumoLogic SEIM
- Layer 1 and 2 checklist
- Automating OS Upgrade
- Netmiko
- TCPDUMP
- Multicast Notes
- MPLS Notes
- BGP Notes
- OSPF Notes
- Linux cheat sheet
- ISIS Notes
- TCP IP
802.1x EAP peap and EAP tls
802.1x authentication is a security protocol that provides an efficient and reliable means of controlling network access. It ensures that only authorized users and devices are granted entry to the network, thereby preventing unauthorized access and safeguarding sensitive information.
802.1x authentication offers a comprehensive solution by requiring users to provide unique credentials or digital certificates, effectively verifying their identities before granting access. This prevents unauthorized individuals from infiltrating the network and enables organizations to enforce strict access control policies, limiting access to specific resources based on user roles and privileges. Additionally, 802.1x authentication provides visibility and accountability by creating detailed logs of network activity, aiding in identifying and mitigating potential security incidents.
By implementing 802.1x authentication, organizations can establish a strong security posture, ensuring their network resources' integrity, confidentiality, and availability in an increasingly connected and vulnerable digital landscape.
This doc will focus on EAP PEAP and EAP TLS.
Let us start with the EAP packet Process:
- The client is the device trying to access the network. (ex PC phone … )
- The Authenticator is a network device that serves the client, ensuring only authorised users can access the network. (ex access point switch … )
- The RADIUS (Remote Authentication Dial-In User Service) server verifies the device's identity before allowing it to connect to the network.
- The Authenticator sends an EAP-Request/Identity message to the User.
- The User sends EAP-Response/Identity message indicating to the Authenticator that it wants to proceed with authentication.
- Authenticator will forward the message to the Radius as a radius Access-Request.
- The Authenticator receives a radius Access-Challenge message from the Radius and decapsulates the packet.
- The Authenticator sends the Radius Access Challenge message to the User as an EAP-Request/Auth message.
- The User responds with an EAP-Response/Auth message to the Authenticator.
- The Authenticator encapsulate the Access-Request packet containing EAP-Message attributes and sends it to the RADIUS Server.
- Finally, the radius server responds with an Access-Accept packet.
- The Authenticator decapsulates and forwards the EAP-Success message to the User.
We can use several authentication methods with 802.1X, but we will review
EAP-PEAP and EAP-TLS.
EAP-PEAP (Protected Extensible Authentication Protocol):
With EAP PEAP, the client verifies the server cert and uses its public key to encrypt the data and send its username and password to be authenticated. Check the steps below.
- The client initiates a connection to the network and sends an authentication request to the server.
- The server then forwards its certificate.
- The client verifies the server's certificate and sends its credentials, such as a username and password, to the server, encrypted using the server's public key.
- The server decrypts the client's credentials using its private key and forwards them to an authentication server for verification.
- The authentication server then verifies the client's credentials and responds to the server indicating whether the client can access the network.
We usually use EAP PEAP when the client device cannot offer certificates,
such as mobile devices or non-domain-joined computers.
Potential EAP-PEAP vulnerabilities
- Only provides server-side authentication using digital certificates rather than authentication between the client and the server. In some cases, this could make EAP-PEAP vulnerable to man-in-the-middle attacks. If not configured correctly.
- Another potential vulnerability is EAP-PEAP uses a shared secret to encrypt the authentication messages between the client and the server.
- That is vulnerable to brute force attacks if it is not sufficiently complex or compromised through other means.
- If the server has an untrusted or invalid digital certificate, and if the User ignores the untrusted cert, this can also compromise the authentication process.
EAP-TLS (Transport Layer Security)
Uses client certificate to verify its identity.
EAP-TLS Handshake:
- The client sends an authentication request to the server.
- The server responds with a message containing its certificate.
- The client verifies the server's certificate and sends its certificate.
- The server verifies the client's certificate and sends a challenge message to the client.
- The client responds to the challenge message with a message encrypted using its private key.
- The server decrypts the message using the client's public key and verifies the response.
- If the response is valid, the server sends a success message to the client indicating that authentication is complete and the client is authorised to access the network. If the response is invalid, the server sends a failure message, and the client cannot access the network.
In summary, EAP-PEAP and EAP-TLS are methods of authentication that can be
used with 802.1X wireless and wired networks. While EAP-PEAP only requires
server-side certificates, EAP-TLS requires client-side and server-side
certificates, making it a more secure but also more complex method of
authentication. The choice between the two approaches will depend on the
network environment's specific security requirements and
limitations.
Talk to an expert