This article continues our series on “Multi-Layered Access Control,” which seeks to explore various approaches to network visibility and access control. While our last piece dealt with ARP-based strategies for securing endpoints, we now consider how the 802.1x protocol can be used as part of a broader, multi-faceted approach – offering operators a range of options to choose from in order to build the best cyber-defense framework possible.
What is 802.1x?
802.1x is an IEEE standard (written 802.1X in the standard itself) for port-based network access control. A switch port or wireless association starts in an unauthorized state that passes only authentication traffic, and it is opened to normal traffic only after the attached device has authenticated. The authentication itself is carried by the Extensible Authentication Protocol (EAP), so 802.1x defines the transport and the port state machine rather than any one credential type. It operates in both wired and wireless environments, and each access request is either accepted or rejected. Three components are involved:
- Supplicant: A client device from which end-users wish to access a given network. This can be either a wired or wireless endpoint.
- Authenticator: An intermediary network device such as a switch or an access point that relays the supplicant’s EAP exchange. It receives EAP frames from the supplicant encapsulated in EAPOL (EAP over LAN) and forwards them to the authentication server, typically inside RADIUS packets. The authenticator only relays; it never inspects or verifies the credentials itself.
- Authentication server (typically a “RADIUS” server): Terminates the EAP method, validates the credentials it receives, and tells the authenticator whether to accept or reject the supplicant’s network access request (and, optionally, which VLAN or access policy to apply to the port).
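To make the three roles concrete, here is an added example (not Genians code and not from the original article) that models one 802.1x authentication in Python: a supplicant and an authenticator exchanging EAP inside EAPOL frames, and the authenticator re-encapsulating the same EAP packets into RADIUS Access-Request, Access-Challenge and Access-Accept/Reject messages. It uses EAP-MD5 only because it is self-contained; real deployments should use EAP-TLS or PEAP, because EAP-MD5 does not authenticate the server and cannot derive the keys that the enterprise mode of WPA needs. The byte layouts follow the standards, but sockets, the RADIUS shared secret and the Message-Authenticator attribute are omitted, and the user names and passwords are constructed sample data.

```python
"""Model of one 802.1x authentication: supplicant <-EAPOL-> authenticator <-RADIUS-> server.
Added example, not Genians code. Layouts follow IEEE 802.1X (EAPOL), RFC 3748 (EAP) and
RFC 2865/3579 (RADIUS); sockets, the RADIUS shared secret and Message-Authenticator are
omitted. EAP-MD5 is used only to keep the example in one file; prefer EAP-TLS or PEAP."""
import hashlib, os, struct

EAPOL_VERSION, EAPOL_EAP_PACKET, EAPOL_START = 2, 0, 1              # EAPOL header: version, type, length
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4    # EAP codes
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4                              # EAP types
RAD_REQUEST, RAD_ACCEPT, RAD_REJECT, RAD_CHALLENGE = 1, 2, 3, 11    # RADIUS codes
ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 79                            # RADIUS attribute types

def eap_packet(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def eapol(frame_type, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, frame_type, len(body)) + body

def radius(code, ident, attrs):
    avps = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(avps)) + os.urandom(16) + avps

def parse_radius(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, attrs

def md5_response(ident, password, challenge):
    # EAP-MD5 (CHAP) proof: MD5(identifier || password || challenge); the password itself never goes on the wire
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, eap_req):
        _, ident, eap_type, data = parse_eap(eap_req)
        if eap_type == EAP_TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
        if eap_type == EAP_TYPE_MD5:
            challenge = data[1:1 + data[0]]                          # value-size byte, then the challenge
            digest = md5_response(ident, self.password, challenge)
            return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([len(digest)]) + digest)
        raise ValueError("unsupported EAP type")

class AuthServer:
    """RADIUS/EAP server; `users` maps identity -> password bytes (constructed sample data)."""
    def __init__(self, users):
        self.users, self.pending = users, {}

    def handle(self, access_request):
        _, rid, attrs = parse_radius(access_request)
        user = next(v for t, v in attrs if t == ATTR_USER_NAME).decode()
        _, eid, eap_type, data = parse_eap(b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE))
        if eap_type == EAP_TYPE_IDENTITY:
            # Challenge every identity, so unknown users cannot be told apart from known ones at this step
            challenge = self.pending[user] = os.urandom(16)
            req = eap_packet(EAP_REQUEST, eid + 1, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)
            return radius(RAD_CHALLENGE, rid, [(ATTR_EAP_MESSAGE, req)])
        if eap_type == EAP_TYPE_MD5:
            challenge, password = self.pending.pop(user, None), self.users.get(user)
            if challenge and password and data[1:1 + data[0]] == md5_response(eid, password, challenge):
                return radius(RAD_ACCEPT, rid, [(ATTR_EAP_MESSAGE, eap_packet(EAP_SUCCESS, eid))])
        return radius(RAD_REJECT, rid, [(ATTR_EAP_MESSAGE, eap_packet(EAP_FAILURE, eid))])

def authenticate(identity, password, users):
    """Run the authenticator (switch port) state machine; returns (port_state, transcript)."""
    supplicant, server, log = Supplicant(identity, password), AuthServer(users), []
    log.append(("supplicant->switch", eapol(EAPOL_START)))         # port is unauthorized; only EAPOL passes
    req, user_name, rid = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY), b"", 0
    while True:
        log.append(("switch->supplicant", eapol(EAPOL_EAP_PACKET, req)))
        resp = supplicant.respond(req)
        log.append(("supplicant->switch", eapol(EAPOL_EAP_PACKET, resp)))
        _, _, eap_type, data = parse_eap(resp)
        if eap_type == EAP_TYPE_IDENTITY:
            user_name = data
        rid += 1   # the switch only re-encapsulates EAP into RADIUS; it never checks credentials itself
        access_req = radius(RAD_REQUEST, rid, [(ATTR_USER_NAME, user_name), (ATTR_EAP_MESSAGE, resp)])
        log.append(("switch->radius", access_req))
        reply = server.handle(access_req)
        log.append(("radius->switch", reply))
        code, _, attrs = parse_radius(reply)
        req = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
        if code != RAD_CHALLENGE:
            log.append(("switch->supplicant", eapol(EAPOL_EAP_PACKET, req)))  # EAP-Success or EAP-Failure
            return ("authorized" if code == RAD_ACCEPT else "unauthorized"), log

if __name__ == "__main__":
    state, log = authenticate("alice", b"s3cret", {"alice": b"s3cret"})  # constructed credentials
    for hop, frame in log:
        print(f"{hop:20s} {frame.hex()}")
    print("port state:", state)
```

Running it prints the ten frames of a successful exchange and leaves the port authorized; a wrong password or an unknown identity ends with EAP-Failure in an Access-Reject and the port stays unauthorized. The transcript also shows the division of labour the list above describes: the password appears nowhere on the wire, and the switch sees only opaque EAP payloads and the final RADIUS verdict.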
Pros and Cons of 802.1x
802.1x behavior and operations are highly prescribed and well-documented. A powerful and effective way to implement network access control, it has been widely deployed across enterprise networks. But leveraging 802.1x also brings a greater degree of complexity and operational challenge. For example:
- Configuration complexity: 802.1x must be enabled and configured on each switch port before devices connect, and the port configuration needs ongoing management attention as devices are added and moved
- Network design: 802.1x requires a considered, up-front design approach. Which classes of devices will use 802.1x (e.g. wired, wireless, both?) How will network segmentation, VLAN design, and switch deployment be impacted?
- Cost: Not all network equipment supports 802.1x; many legacy and lower-end, commodity-priced switches do not, and these must be replaced.
- The explosion of IoT devices: Support for 802.1x is by no means guaranteed across the growing number and variety of IoT devices on the market, which differ widely in quality and capability. A device with no 802.1x supplicant cannot authenticate on an 802.1x-enabled port at all and has to be handled some other way.
As a result of these factors, it can be both difficult and expensive to employ 802.1x across entire enterprise network environments.
Genians sees 802.1x as an extremely important and valuable approach to be leveraged in achieving your NAC initiatives in the IoT era. Accordingly, it has been designed into the Genian NAC solution as a central capability. Indeed, Genian NAC provides a built-in RADIUS authentication server as part of its product architecture.
That said, 802.1x isn’t for everybody – and certainly not as a first or only network access control strategy. That’s why we recommend thinking about 802.1x in a new, more nuanced way, and as part of a smarter approach to deploying NAC. Specifically, network operators need to consider:
- Which devices should be targeted for 802.1x-based deployment?
- How best should 802.1x be integrated into a comprehensive approach to network access control for a given network environment?
Genians believes that a phased approach to implementing NAC will yield the best results. Specifically, this means:
Begin by Achieving Real-time Network Surveillance
- In order to implement the right set of access control decisions for their network, operators first need to develop a comprehensive and detailed understanding of their environment.
- With Genians’ NAC solution, operators can quickly achieve this understanding by profiling all network-enabled devices in real time.
- Further, by employing the Genians Network Sensor as a surveillance mechanism, they can do so without experiencing any disruption to network operations.
Then Implement Specific Control Mechanisms
- With this network information in hand, operators can then determine how best to proceed with choosing the appropriate access control option. Genian NAC allows for a range of network access control methods. For a detailed view of Genians’ complete set of deployment models, especially 802.1x, please see the chart at: https://docs.www.genians.com/deploying/deployment-type.html.
- As this chart indicates, operators may decide to start with a simpler control mechanism than 802.1x on the wired side, such as the ARP-based approach, while using 802.1x on wireless (the enterprise mode of WPA2/WPA3) to replace shared pre-shared keys and legacy encryption that have known weaknesses.
- From that point, administrators can migrate, as time and budget allow, to the more complex and expensive 802.1x option.
In our next article in this series on “Multi-Layered Access Control,” we will explore the integration of agent-based solutions in addressing the challenges of network access control.
Part II: Rethinking 802.1x
Part III: Agent-Based Endpoint Security (Coming soon)
Brett Hamill, Solution Architect at Genians, is a Cisco CCNP and has over 25 years of experience in networking. During the last 15 years he has specialized as an SME in Designing and Deploying Network Access Control solutions. Prior to focusing on NAC, Brett served as a Cryptologic Technician in the U.S. Navy as well as providing network consulting services such as Enterprise-scale WAN projects for financial institutions and data center BGP connectivity to Service Providers.