Written by Morris Johnson
By executing 802.1x on your network, you can greatly reduce the risk of your data and equipment being affected by a cyberattack. The IEEE 802.1x protocol network security specifically provides protection from someone walking in, connecting an unknown device to your network and releasing a virus, malware, or a man-in-the-middle attack.
A firewall helps to protect your network from attacks arising from outside the network, however, 802.1x helps protect from attacks that start from within the network. This protocol was originally designed to address wireless LAN access security concerns and was later adapted for wired LAN ports, ethernet ports, Virtual Private Network (VPN) and WIFI.
So exactly how does 802.1x work?
IEEE 802.1x grants network access to devices attempting to connect a Local Area Network (LAN) or Wireless LAN (WLAN). 802.1x is an IEEE Standard for Port-Based Network Access Control (PNAC), which provides protected authentication for secure network access.
The user’s identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server, communicating with the organisation’s directory over Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML).
Here is an overview of how it authenticates a user:
- The user initiates the request to the Network Attached Storage (NAS) network
- The NAS requests the username and password
- The User responds
- The Radius Client sends the encrypted credentials to the radius server
- The Radius server denies or grants user access
The radius server can grant varying levels of access to the network depending on the network policies that have been implemented.
Network policies can be configured to grant access that complies with conditions such as: Active Directory security groups, organisational units, user certificates, windows patching requirements, Multi-Factor Authentication, and many others.
This allows each user to have their own set of unique credentials, eliminating the reliance on a single network password which can be easily stolen by threat actors.
How Secure is 802.1x?
The level of 802.1x security can vary. If end-users are left to manually configure their devices, 802.1x security may be compromised as the configuration process requires high-level IT knowledge to get the highest level of security from this protocol. By not implementing 802.1x properly it can leave users vulnerable to credential theft. Using dedicated 802.1x onboarding software instead can help increase the security of 802.1x.
Organisations using credential-based authentication or certificate-based authentication will significantly reduce an organisation’s risk of credential theft. Not only does it stop credentials from being stolen, but it forces users to go through an enrollment process that ensures their devices are configured appropriately, deeming credential- and certificate-based authentication the most secure way for organisations to use 802.1x.
Benefits of 802.1x
There are a number of benefits to using 802.1x to secure your WIFI environment, such as:
- No more password management for corporate WIFI (threat actors do not have a password to steal)
- Can restrict access only to corporate devices by using certificates (no more worrying about unknown devices compromising the network)
- Can be further secured by using group policy to lock clients to a specific Service Set Identifier (SSID) (no more WIFI spoofing)
- Can implement health policies such as patching, operating system version, architecture type, software installed on the client, and much more (custom compliance policies in addition to active directory credentials and certificates)
How to implement 802.1x
To implement 802.1x, you will need to have a windows server environment. You will then need to install and configure the Network Policy Server (NPS) role.
If you would like to utilise certificates, install the Certification Authority server role as well. Install on another server if you want to delegate the task to another server.
If you are using 802.1x to authenticate users to WIFI access points, Ethernet from core switches, or a VPN solution, you will need to refer to the vendor of the hardware for compatibility and implementation.
Contact us for help
For more information or help to implement your own 802.1x protocol, please do contact us using the form below.