8.6.3 Wireless Authentication and Access Methods

Access Methods and Security Protocols

Overview of Security Access Methods

  • Port Security

    • Controls which devices may use a physical switch port, and restricts physical access to the switch itself.
    • Access to switch hardware must be limited to authorized personnel: place switches in locked rooms or cabinets.
    • Unused ports should be administratively disabled (shut down) and, where practical, left unpatched, so that a visitor cannot simply plug in.
    • On managed switches, port security also caps the MAC addresses a port will learn and can shut the port down when an unexpected address appears.
  • MAC Filtering and MAC Limiting

    • MAC filtering: the access point or switch keeps an allow list (or deny list) of client MAC addresses and drops frames from any other address.
    • MAC limiting: a cap on the number of MAC addresses a single switch port may learn, which blocks a hub, an unmanaged switch, or a rogue access point hung off one port.
    • Widely supported by manufacturers of wireless LAN hardware and software.
    • Caveat: a MAC address is not a secret. It is sent in the clear in every 802.11 frame and can be changed in software, so filtering stops only casual misuse and is not an authentication mechanism.

Wireless Authentication

  • Pre-shared Key (PSK)
    • A passphrase shared by every user of the network; the most common access method for home and small-office networks (WPA2-Personal).
    • The passphrase is stretched into the 256-bit PSK with PBKDF2 (HMAC-SHA1, 4096 rounds, the SSID as salt); the PSK then seeds the four-way handshake that derives each client's session keys.
    • Because every client holds the same secret, the passphrase must be long and random, and must be changed when a device or user leaves.
  • Wi-Fi Protected Setup (WPS)
    • Works only with personal-mode (PSK) networks such as WPA2-Personal; it cannot be used with 802.1X/enterprise networks.
    • Allows a client to join without typing the PSK: after a short pairing step, WPS hands the network credentials to the device.
    • Steps for WPS:
    1. Push the WPS button on the access point; for about two minutes it accepts pairing requests.
    2. Push the WPS button on the device to connect to the access point automatically.
    3. If no button is available, enter the unique eight-digit PIN printed on the access point (or enter the device's PIN in the access point's management interface).
    • Caveat: the PIN is confirmed in two halves, and its last digit is a checksum, so an external registrar needs at most about 11,000 guesses rather than 10^8. Disable WPS PIN mode wherever the access point allows it.
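The two personal-mode credentials above, as an added example (not code from the course notes or from any vendor): the WPA2-Personal PSK derivation from a passphrase and SSID, and the checksum rule for an eight-digit WPS PIN. The passphrase and SSID in the sample are the published test vector from IEEE 802.11i Annex H; the PIN values are constructed.

```python
import hashlib

# Added example: how a WPA2-Personal passphrase becomes the PSK, and how a
# WPS PIN's checksum digit is computed. Sample values are constructed or
# taken from the published 802.11i test vector.


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK (IEEE 802.11i):
    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The passphrase must be 8..63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit over the first seven digits of a WPS PIN: weights
    alternate 3,1,3,1,... starting from the rightmost of the seven."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True if pin is eight digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def valid_pins_with_prefix(first_four: str) -> list:
    """All well-formed PINs sharing a given first half. Because the access
    point confirms the first four digits separately and the eighth digit is
    fixed by the checksum, only 10**3 candidates remain once the first half
    is known (and 10**4 for the first half itself)."""
    if len(first_four) != 4 or not first_four.isdigit():
        raise ValueError("first half must be four digits")
    pins = []
    for tail in range(1000):
        seven = f"{first_four}{tail:03d}"
        pins.append(seven + str(wps_pin_checksum(int(seven))))
    return pins


if __name__ == "__main__":
    # Constructed sample input: the test vector from IEEE 802.11i Annex H
    print(derive_psk("password", "IEEE").hex())
    print(wps_pin_is_valid("12345670"), wps_pin_is_valid("12345671"))
    print(len(valid_pins_with_prefix("1234")))
```

The PBKDF2 step is why the passphrase, not the 64-hex-digit PSK, is what users type, and why a short passphrase is recoverable offline from a captured four-way handshake: every guess costs the attacker only 4096 HMAC-SHA1 rounds.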

Authentication Protocols

  • Extensible Authentication Protocol (EAP)
    • A framework (RFC 3748) that carries an authentication conversation between the supplicant and the authentication server; it is not itself an authentication method.
    • Methods defined on top of it support smart cards, biometrics, digital certificates, and passwords.
    • The server proposes an EAP method (type) and the client can NAK it and propose another, so the two sides negotiate the method to use.
Specific EAP Variants
  1. Protected Extensible Authentication Protocol (PEAP)

    • Wraps a second (inner) EAP method, commonly EAP-MSCHAPv2, in a TLS tunnel so that credentials never cross the air in the clear.
    • Requires a certificate on the authentication server only; the certificate proves the server's identity to the client, and the user then authenticates inside the tunnel. This is not mutual certificate authentication (compare EAP-TLS).
    • Clients must be configured to validate that certificate (trusted CA and expected server name). A client that skips validation will build its tunnel to any access point and hand its inner credentials to whoever runs it.
    • Developed through collaboration of Cisco, Microsoft, and RSA.
  2. EAP Flexible Authentication via Secure Tunneling (EAP-FAST)

    • A Cisco-developed protocol.
    • Uses a Protected Access Credential (PAC), a per-client secret issued by the server, to establish a TLS tunnel without needing a client certificate.
    • User credentials are then transmitted inside that tunnel.
    • The in-band, anonymous PAC provisioning phase can be intercepted by an attacker posing as the server; mitigate by provisioning PACs manually (out of band) or by provisioning inside a tunnel authenticated with a server certificate.
  3. EAP Transport Layer Security (EAP-TLS)

    • Uses a full TLS handshake for authentication: the server presents a CA-signed certificate to the client and the client presents its own CA-signed certificate to the server, giving true mutual authentication.
    • Requires signed client-side and server-side certificates from a Certificate Authority (CA), so every client device must be enrolled; implementation can be labor-intensive and costly without a PKI and automated enrollment.
    • Considered one of the most secure EAP standards because there is no password to phish, guess, or replay.
  4. EAP Tunneled Transport Layer Security (EAP-TTLS)

    • Extends EAP-TLS so that only the server needs a CA-signed certificate. The client authenticates inside the TLS tunnel, using an inner EAP method or a legacy method such as PAP, CHAP, or MS-CHAPv2.
    • Simplifies deployment because no client certificates are issued, but the client must still validate the server certificate; otherwise a rogue access point can capture the inner password.

Network Access Control

  • IEEE 802.1X Port-based Network Access Control
    • Enhances security by requiring client authentication before a switch port or wireless association may carry normal traffic; until then only EAPoL frames pass.
    • Provides the port-control part of an authentication, authorization, and accounting (AAA) architecture; the AAA decisions themselves are made by a RADIUS (or other AAA) server.
    • Components involved:
    • Supplicant: Device requesting access (e.g., a laptop); it runs the client side of EAP.
    • Authenticator: The switch or access point; it relays EAP between the supplicant (over EAPoL) and the server (over RADIUS) and opens or closes the port based on the result.
    • Authentication Server: Runs the EAP method, validates the credentials, and returns an accept or reject, optionally with authorization attributes such as a VLAN assignment.
RADIUS Authentication Process
  1. Configuration: The RADIUS server and the authenticator (the switch or access point, which is the "RADIUS client") are configured with a shared secret.
  2. Connection: The supplicant connects to a switch port or associates with the access point.
  3. EAPoL Activation: The authenticator sends an EAP-Request/Identity over EAPoL, asking the supplicant to authenticate.
  4. Data Transmission: The supplicant answers with EAP frames carried in EAPoL.
  5. Data Relay: The authenticator does not encrypt the EAP data. It copies each EAP frame into EAP-Message attributes of a RADIUS Access-Request and forwards it; the shared secret is used to compute a Message-Authenticator (HMAC-MD5) over the request, so the server can tell that it came from a known authenticator and was not altered in transit. RADIUS itself is not encrypted, so the authenticator-to-server path should be protected (for example with IPsec or RADIUS over TLS).
  6. Credential Validation: The server and supplicant exchange as many rounds as the EAP method needs (each server turn is a RADIUS Access-Challenge that the authenticator relays back over EAPoL). Any encryption of the credentials happens inside the EAP method's TLS tunnel, not in RADIUS.
  7. Access Granting: The server returns an Access-Accept (or Access-Reject) carrying EAP-Success (or EAP-Failure); for wireless, the Accept also carries the keying material the access point needs for the four-way handshake. The authenticator checks the Response Authenticator, an MD5 hash over the reply and the shared secret, before trusting it.
  8. Connection Opening: The authenticator forwards EAP-Success to the supplicant and opens the port (on wireless, it first runs the four-way handshake to derive session keys, then passes traffic).
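The relay in steps 5 through 7, as an added example (not code from the course notes or from any RADIUS product): the authenticator wraps an EAP-Response/Identity in a RADIUS Access-Request with a Message-Authenticator, and the server answers with an Access-Accept whose Response Authenticator the authenticator verifies. It shows that the EAP payload is copied verbatim, not encrypted, and that the shared secret only authenticates the packets. The shared secret, identifier, and user name are constructed values; the framing follows RFC 2865 and RFC 3579.

```python
import hashlib
import hmac
import os
import struct

# Added example: RADIUS framing and shared-secret checks used to relay EAP.
# Secret, identifier, and user name are constructed sample values.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def eap_response_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity as the supplicant sends it over EAPoL (RFC 3748)."""
    data = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def eap_success(eap_id: int) -> bytes:
    return struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)


def encode_attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("value too long; split EAP across several EAP-Message attrs")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes):
    """Yield (offset, type, value) per attribute; reject malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length > len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def build_access_request(secret, identifier, attrs, request_auth=None):
    """Access-Request: EAP is copied into EAP-Message unchanged (no
    encryption). Message-Authenticator = HMAC-MD5(secret, packet with the
    attribute value zeroed) proves origin and integrity (RFC 3579)."""
    request_auth = request_auth or os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(secret, packet, request_auth=None) -> bool:
    """Recompute the HMAC with the Message-Authenticator value zeroed. For a
    reply, the HMAC is computed with the Request Authenticator in the header."""
    for pos, atype, value in parse_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            if request_auth is not None:
                zeroed = zeroed[:4] + request_auth + zeroed[20:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def build_response(secret, code, request, attrs):
    """Reply to request: Message-Authenticator first (HMAC keyed over the
    Request Authenticator), then Response Authenticator =
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    req_auth = request[4:20]
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    mac = hmac.new(secret, head + req_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    resp_auth = hashlib.md5(head + req_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response_authenticator(secret, request, response) -> bool:
    """Authenticator-side check before an Access-Accept is trusted."""
    if response[1] != request[1]:          # must answer the outstanding request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"example-shared-secret"     # constructed; use a long random one
    req = build_access_request(secret, 7, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_EAP_MESSAGE, eap_response_identity(b"alice")),
    ])
    print("server accepts request:", verify_message_authenticator(secret, req))
    acc = build_response(secret, ACCESS_ACCEPT, req, [(ATTR_EAP_MESSAGE, eap_success(1))])
    print("switch trusts Access-Accept:", verify_response_authenticator(secret, req, acc))
    forged = build_response(b"wrong-secret", ACCESS_ACCEPT, req, [])
    print("forged Accept rejected:", not verify_response_authenticator(secret, req, forged))
```

Note that the identity "alice" and the whole EAP conversation are visible to anyone on the authenticator-to-server path; the secret protects authenticity, not confidentiality, which is why the RADIUS hop should run over IPsec or TLS.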

Air-gapped Networks

  • Certain security-critical hosts (e.g., root certification authorities) should not connect to any network.
  • An air-gapped network is isolated; communication is local to air-gapped devices only.
  • Commonly used in military, government, and industrial settings.
  • Management challenges include local administration and the need to scan USB or optical media before use.