Authentication Protocols (802.1X, EAP/PEAP, EAP-FAST/TLS/TTLS, and RADIUS)
Let’s talk about network authentication protocols that we can use and that we need to know for the CompTIA Security+ exam. We’re going to discuss:
- Extensible Authentication Protocol (EAP)
- Protected Extensible Authentication Protocol (PEAP)
- Remote Authentication Dial-in User Server (RADIUS)
Let’s start by discussing 802.1X.
802.1X is an IEEE standard for port-based network access control (NAC). It’s part of the IEEE 802.1 group of networking protocols, and it’s used to provide authentication mechanisms for secure network access to Local Area Networks (LAN) or Wireless Local Area Networks (WLAN).
Normally, you would see 802.1X being used to describe wired ethernet, and 802.11X to describe Wi-Fi. With that said, most security and networking professionals use 802.1X to describe both wired and wireless networks, so keep that in mind.
802.1X authentication uses three different parties:
- A supplicant
- An authenticator
- An authentication server
The supplicant is a client device such as a laptop, desktop, or mobile phone that’s attempting to connect to a network.
The authenticator is a network device that provides a data link between the client and the network, so that’s going to be your wireless access point or ethernet switch.
The authentication server is a trusted server that can receive and respond to requests for network access and that communicates with the authenticator to either allow or disallow the supplicant.
An example of a protocol that our authentication server could be using is RADIUS. RADIUS stands for Remote Authentication Dial-In User Service and it’s a protocol that provides authentication, authorization, and accounting (AAA) for users in a network.
Other examples of protocols include both TACACS+ and LDAP. LDAP, for example, could be set up to search and modify directories over a network, such as in Microsoft Active Directory (AD).
To make matters even more complicated, you could be using both RADIUS and LDAP, where RADIUS acts as an intermediary service that only handles AAA while contacting other services like the directory service which could be its own or that of a different server. It can communicate with the organization’s directory using LDAP, something called SOAP, or SAML.
Extensible Authentication Protocol (EAP)
To send information from the supplicant to the authenticator, then from the authenticator to the authentication server, and all the way back to the supplicant, we can use something called EAP. EAP stands for Extensible Authentication Protocol, and it’s a standard used for passing messages back and forth. By itself, it doesn’t provide any security features. It just specifies how the client speaks with the authentication server (such as the RADIUS server).
Because we want those messages to be securely transmitted, we can create a secure channel for our messages to go through. We have many options we can choose from to make this happen:
- Protected Extensible Authentication Protocol (PEAP)
EAP-FAST is the first one we’ll look at, and it stands for Flexible Authentication via Secure Tunneling.
It works by creating a shared secret that we call a Protected Access Credential, or PAC. The supplicant receives the PAC from the authentication server and then uses it to set up a TLS tunnel. Once that TLS tunnel is in place, it’s used to transfer data back and forth while remaining encrypted.
EAP-FAST was created by Cisco as an alternative to the next one we’ll talk about, which is PEAP.
The Protected Extensible Authentication Protocol, also known as PEAP, encapsulates EAP messages within a TLS tunnel.
With PEAP, only the authentication server needs to send a digital certificate back to the supplicant. The supplicant doesn’t need to provide a digital certificate back to the authentication server. Once the supplicant receives the server’s certificate, it can then use that to encrypt anything it sends back. We now have an encrypted outer tunnel that can be used to send information.
In addition to this outer tunnel encryption, the supplicant may encrypt it a second time in an inner tunnel using something like MS-CHAPV2 or GTC.
MS-CHAPV2 is Microsoft’s Challenge Handshake Authentication Protocol which comes standard with most Microsoft products, and GTC stands for Generic Token Card, which could be used with a hardware token generator for additional security, or whenever you are outside of a Microsoft environment.
As we saw, there’s also something called EAP-TLS, so what’s the difference between PEAP and EAP-TLS if PEAP uses TLS tunneling?
PEAP can be helpful to use when dealing with legacy systems that wouldn’t be able to support EAP-TLS, because otherwise, EAP-TLS is generally preferred.
EAP-TLS is considered to be more secure than PEAP because it adds additional steps. It requires that both the client (supplicant) and authentication server provide their own digital certificates.
As the client sends a request to authenticate, the authentication server will respond by sending over its server certificate. Then, the client sends its own client certificate back to the authentication server.
The process of validating these certificates is the actual authentication and it’s what creates an encrypted tunnel.
From there, the authentication server will then decide whether to accept or reject the client.
This is an important distinction because it means that even if an attacker compromises the client’s password, they still can’t break into EAP-TLS enabled systems because the attacker would also have to steal the client-side certificate.
A challenge with this approach and a reason why not everyone uses it is because it requires managing Public Key Infrastructure (PKI). Managing certificates in a larger organization can quickly become overwhelming since you have to be able to issue, manage, and revoke these certificates. Older devices may also not support this kind of functionality, and so they wouldn’t be able to connect.
To recap: with EAP-TLS, both the supplicant (client) and the authentication server require a certificate. This provides an advantage over PEAP because the certificates provide authentication which means stealing passwords is no longer enough to gain access — an attacker also would have to steal the client-side certificate.
Then we have EAP-TTLS, which is similar to PEAP. TTLS stands for Tunneled Transport Layer Security which you can use to create an outer tunnel from which you can then tunnel other authentication protocols.
With this approach, a certificate doesn’t have to be issued on every client, just like with PEAP. It can get by with only using a server-side certificate.
Again, this makes EAP-TTLS particularly useful for enabling support when you still have legacy systems on the network.
A major difference between PEAP and TTLS is that PEAP has been natively supported by Microsoft Windows, whereas EAP-TTLS used to not be as widely supported. Users would have had to install additional software to support it on Windows. This isn’t the case with the latest Windows versions, however.
Summary and cheat sheet of authentication protocols
In a nutshell, we now know that:
- EAP-TLS is the ideal solution since it uses digital certificates as opposed to credentials
- EAP-TLS may not be supported with legacy systems or organizations that don’t want to manage PKI
- EAP-FAST is similar to PEAP but it uses a Protected Access Credential (PAC) to set up a TLS tunnel. It was created by Cisco as a replacement for PEAP
- PEAP and EAP-TTLS can be used to support legacy systems or organizations that don’t want to manage PKI
- PEAP has been natively supported by Windows for a long time, so it made the most sense to use if your organization relied heavily on Microsoft products but couldn’t support EAP-TLS
- EAP-TTLS can support less secure authentication mechanisms that we’ll talk about in a future section like PAP, CHAP, and MS-CHAP, so if you have devices that require the use of those mechanisms, you can use EAP-TTLS…but it’s not ideal
- 802.1X is a standard that supports all of these authentication methods and protocols
- 802.1X uses a supplicant, authenticator, and authentication server
- Authentication servers commonly use the RADIUS protocol, which can also work with LDAP, SAML, or SOAP to communicate with an organization’s directory service
- Authentication servers could also just use the LDAP protocol, or even something called TACACS+ (this is explained in section 3.8 of our course)
We have a video lesson describing network authentication protocols in great detail, including every other topic you need to know to pass your exam.