How are WLAN Infrastructures in Enterprises Secured?

Learn about the scalability challenges of Pre-shared (PSK) configurations in the enterprise, as well as how 802.1X addresses and resolves them elegantly.

How are WLAN Infrastructures in Enterprises Secured?
Photo by Peter Thomas / Unsplash

Hello World! In previous posts, you learnt about personal networks with security up to WPA2. From now on, I'll be discussing Enterprise networks with you and popular attacks on them. For educational purposes, of course 😏.

Before moving forward, you should know about the limitations of the personal network in corporate.

Personal Networking Issues in the Workplace

Let's say you hired workers, but after a while, you forced them to leave or fired them due to certain problems. Initially, they required to access the resources on your network, so you had shared the pre-shared key with them to setup their mobile devices. After they will leave the organisation, they might leak this key or become victim of client based (passive) attacks which could lead to retrieving of this PSK.

You're doomed now! Anyone sitting in the parking area has access to your internal network. If the breach is detected in your organisation, all legitimate devices will need to be re-authenticated with a new PSK, which will cause some disruption in the business operations.

It becomes worse when you will realise that identifying culprit becomes even more difficult. Based on the given circumstances, the suspect is the one who left the organisation, but the culprit could still be working for you. This is another challenge for a company to overcome in order to eliminate future potential risks.

By now, it's obvious that we require dynamic control over the creation of authentication credentials for users, as well as an administration panel to manage these and revoke access when users leave the organisation. This is one of the issues addressed by the IEEE 802.1X Standard and RADIUS protocol. This method improves network security by allowing for individualised and time-limited access, which reduces the risk associated with static PSKs.

Let's learn more about it, now!

The 802.1X Standard

802.1X is just a standard, which lets you configure port-based network access control (PNAC) in the organisation using Extended Authentication Protocol (EAP) to enable per-user authentication mechanism. It was released about two years before WPA, initially for Local Area Networks (LANs), but was later in year 2004 expanded to include WLAN by the IEEE 802.11 work group.

Under the hood, 802.1X uses RADIUS and EAP to facilitate the authentication mechanism. Therefore, in terms of Operating Systems, 802.1X defines the policy, whereas RADIUS and EAP are the mechanisms to implement that policy.

Even if you are a student, you may have had used this in your university/college. Recall when you need to authenticate your devices before accessing internal journals or the internet. During the onboarding process (generally conducted after orientation), your school's IT team would have given you some login credentials and instructed you to enter it after connecting to the Access Points, which would bring up a login page (also known as captive portals) where you would be required to submit those credentials.

Port? You mean TCP...?

Wait 🛑! Do not mix up the TCP port and the 802.1X port. They are both implemented at different layers of the OSI model. In this context, the term port refers to the physical port (OSI Layer 2) on the network device, such as switch or the access point.

Port-Based Network Access Control (PNAC)
Port-based network access control (PNAC) is a type of security protocol used to restrict network access to only authorized devices.

Access control at port refers to the process whereby authentication and authorisation take place at the physical port of the network devices. The device will be granted access to the network behind a network device if and only if it has successfully completed the port authentication. Think of it as the bouncers only opening the club door for you if certain requirements are met.

💡
Nowadays, PNAC is no longer limited to LAN authentication. It can also be used in conjunction with other services; for instance, VPNs frequently use it to grant network access under certain successful conditions, most commonly the correct username or password.

802.1X Architecture

There are 3 actors involved in the authentication process:

  • Supplicant, is the client device requesting for the access on the network. It can also be used interchangeably to refer to the software running on the client that provides credentials to the authenticator.
  • Authenticator, is a network device that provides a data link between the client and the network and can allow or block network traffic between the two, such as an Ethernet switch or wireless access point.
  • Authenticator Server, is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator whether the connection is to be allowed, or not. This is where RADIUS and EAP protocols compliant softwares run.
Overview of 802.1X architecture deployment. Source - Wikipedia.com

Authenticators are installed throughout the area and connected to the authentication server, which is typically centrally located in the administration department in a widely distributed corporate setting. After that, the authenticators act as a go-between for the supplicants and the authentication server.

ℹ️
Note

The connecting device does not have network connectivity until authentication is successful. Because it cannot connect to the authentication server directly, the authenticator is used as the Bifrost.

The supplicant must first provide the required credentials to the authenticator, which could be either username/password or certificates; you (as an IT admin) have the final say, EAP got you covered. This is how user's identity is determined on the network, and often this information is used with telemetry and logging.

Controlled vs Uncontrolled Port Entities

You're probably wondering how, if the user can only access the network after being authenticated, the authentication frames are exchanged with the AAA server, which is located in the enterprise's network. That is accomplished via a special port known as uncontrolled port, which allows the transmission and reception of unauthenticated frames.

A controlled port is another port entity that is used for secure communication. It is managed by the 802.1X PAE (Port Access Entity) which allows or prevents network ingress/egress based on the authentication state of the supplicant. The supplicant is promoted to this port entity once it has been authenticated.

Where does EAP sit in this Set up?

EAP is a framework which provides a set of methods to facilitate the secure exchange of authentication messages through medium, similar to how you use different methods on a web page to authenticate users. Because it defined some rules like some frameworks (C++/Boost, Python/Django, Node.js/Express and etc), we also call it a protocol.

Because EAP only facilitates the authentication mechanism, it is always carried by another protocol.
An overview of 802.1X authentication methods and EAP | TechTarget
Learn about the 802.1X authentication method for wireless networks, and explore various EAP types, including EAP-TLS, EAP-MS-CHAPv2 and Protected EAP.

When the EAP is deployed on the local area networks, and its packets are carried by protocols defined for LANs, it becomes EAPoL (EAP over LAN). You will see EAPOL (802.1X Architecture) protocol type in the wireshark when supplicant is exchanging the keys with the authenticator after success message from the EAP phase.

EAPoL is used to exchange WPA2 keys between supplicant and authentication.

After EAP phase succeeds, the authenticator and supplicant carries out 4-way key handshake process for establishing the WPA2 encryption. The reason is same as choosing EAP – why build another encryption, if you can use the existing stack.

WPA2 is used for encrypting the DATA frames.

The PMK is generated from the previous EAP steps. Unlike the PSK mode, the RADIUS server will provision ephemeral PMKs, which are generally valid for the specific sessions, so even if keys are compromised, they will become invalid later on.

💡
You can only retrieve the plain text message in the data frame if and only if you can derive PMK, then PTK and know the exact key used to encrypt that frame. Read More

Conclusion

In conclusion, ensuring the security of enterprise Wi-Fi networks is crucial for protecting sensitive information and maintaining network reliability. Throughout our discussion, we have learnt how using PSK in the workplace can pose security risks and how the 802.1X standard helps address these issues by controlling network access. It's like having a bouncer at the door of a club, checking IDs to ensure only authorised individuals can enter.

Additionally, we have explored the role of EAP, which provides a flexible framework for determining who is allowed onto the network. When all these components are integrated, organisations can establish a robust security system that protects against potential threats and ensures the safety of their Wi-Fi networks for all users.

References

Enterprise WiFi: The Basics & 6 Ways to Speed Up | FS Community
Ensure smooth office operations and boost productivity by learning everything you need to know about WiFi connectivity.
Standards and Protocols
A protocol defines a set of rules used by two or more parties to interact between themselves. A standard is a formalized protocol accepted by most of the parties that implement it. Not all protocols are standards (some are proprietary). Not all standards are protocols (some govern other layers than…
What’s the difference between the terms “protocol” and “standard”?
I find the term “protocol” confusing (in the terms of computer science that is). If the protocol is just a set of rules, wouldn’t it be easier if we used the term “standard” instead (like in “HTTP
If both protocol and standards are set of rules, what is the difference?
Telly Finance’s answer: While both protocols and standards involve sets of rules, they serve different purposes in the realm of technology and communication. Protocol: * A protocol is a set of rules that govern how data is transmitted and received over a network. It defines the procedures, for…
What exactly is 802.1x? Is it a RADIUS server or a standard that defines authentication?
Answer: 802.1X is not a RADIUS server but rather a network authentication standard that defines the framework for controlling access to Ethernet or Wi-Fi networks. It specifies how network devices, such as computers or other endpoints, can be authenticated before they are allowed to access the ne…
Robust Security Network and Extended Authentication Protocol in Detail
Learn about the Robust Security Network, its features, and the use of the 802.11X Extended Authentication Protocol. Understand how the 4 way handshake generates dynamic keys for each network device.
Crack Pre-Shared Key of WPA/WPA2 from Live Network
In this post, you will learn how to capture the 2 out of 4 EAPOL handshakes of WPA network and crack the password from a wordlist.
Crack WPA2-PSK from Probing Clients
In this post, I’ll show you how to set up a honey pot access point with hostapd and capture the EAPOL handshake from a probing client to brute force the pre-shared key.
AAA (computer security) - Wikipedia
RADIUS - Wikipedia
IEEE 802.1X - Wikipedia
802.1X: Port-Based Network Access Control |
IEEE 802.1 -
What is 802.1X? How Does it Work?
802.1x is a protocol used for network authentication. It’s more secure than the Wi-Fi password you use at home. 802.1x is standard for larger organizations.
Extensible Authentication Protocol - Wikipedia
EAP - Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is an authentication protocol supports multiple authentication mechanisms for PPP and 802.11 connections
Wireless Security: WEP, WPA, WPA2 and WPA3 Differences
Learn the differences among WEP, WPA, WPA2 and WPA3 with a comparison chart, and find out which encryption standard is best for your wireless network.
What is the 802.1X Protocol Used For?
The 802.1X protocol provides an authentication framework for controlling access to networks by authenticating devices before connection.
What is IEEE 802.1X network authentication?
With IEEE 802.1X, networks are better protected and unauthorized access can be prevented. Learn everything about the IEEE standard here.
WiFi security using IEEE 802.1X - how secure is it?
My company’s set-up involves a single AP (TPlink) that is configured to authenticate clients using RADIUS. All works well, but: on a regular WPA/WPA2 network, once you have the PSK, you are able to
Wi-Fi Protected Access 2 (WPA 2) Configuration Example
This document explains the advantages of the use of Wi-Fi Protected Access 2 (WPA 2) in a Wireless LAN (WLAN). The document provides two configuration examples on how to implement WPA 2 on a WLAN. The first example shows how to configure WPA 2 in enterprise mode, and the second example configures WP…