What is 802.1X?
802.1X is an IEEE industry standard for port-based network access control, to help protect an enterprise network from unauthorized devices. 802.1X provides an authentication mechanism for devices attempting to connect to a network, whether wired or wireless.
802.1X has several entities that take part in the authentication transaction:
| Term | Definition |
|---|---|
| Client | A client is the endpoint/device attempting to access the network. The endpoint is required to undergo authentication. Clients can be authenticated based on user credentials/certificates, or by device credentials/certificates. A client does not communicate directly with the RADIUS server; its access request is relayed by the authenticator or NAS, which will typically be either a wired switch or a wireless access point. |
| Supplicant | Most devices such as computers, servers, laptops, VoIP phones, etc., have embedded software that handles the endpoint's side of the 802.1X authentication sequence; this software is called a supplicant. |
| MAC Authentication Bypass | If an endpoint does not have a supplicant, such as some printers, refrigerators, TVs, etc., the endpoint is instead authenticated in an 802.1X environment by its MAC address. This method is called MAC Authentication Bypass (MAB) and is essentially whitelisting known MAC addresses. |
| Authenticator | The network access server (NAS), located between the client and the authentication server. |
| Authentication Server | Executes the authentication of endpoints; typically a RADIUS server. |
Here is an example of the authentication workflow for clients which have a supplicant:
And here is an example of an authentication workflow for clients which do not have a supplicant, or whose supplicant is not configured:
Provided that the endpoint's supplicant authenticates successfully, or its MAC address is found in the MAC address repository (MAR), the endpoint is allowed on the network.
Limitations of 802.1X
802.1X does a good job of restricting initial access to the network, but the problem with using 802.1X alone as a network security mechanism is that once a host authenticates, or is allowed by its MAC address, no further host inspection takes place. The host is “authenticated”, but the host may pose serious security risks to the internal network due to its security posture, patch status, compliance status, etc. This leaves the network vulnerable to malware, configuration vulnerabilities that increase the attack surface, and several other potential problems.
802.1X + Post-Authentication Checks – The Better Approach
True network security doesn’t stop at port-based authentication as 802.1X does. That’s why using Forescout as the RADIUS server/802.1X solution makes sense. Forescout not only performs the standard 802.1X authentication transaction, but once the host is authenticated, Forescout can perform host profiling, inspection, and other compliance checks. In essence, the host is checked “pre-connect” and is also checked “post-connect”.
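To make the two-stage flow concrete, here is a small Python model, added for illustration and not Forescout's code or anything from the original page. It models the pre-connect decision (802.1X credential check first, MAB fallback when the endpoint has no supplicant, deny otherwise) and then a post-connect compliance check that changes the endpoint's authorization, in the way a RADIUS server would move a non-compliant host to a remediation VLAN. The credential store, MAC repository, VLAN names and the two compliance attributes (patch status and antivirus state) are all constructed assumptions.

```python
"""Constructed model of 802.1X/MAB admission followed by post-connect checks.
Not Forescout code; all names and sample data below are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Endpoint:
    mac: str
    # None models an endpoint with no supplicant (printer, TV, etc.)
    supplicant_credential: Optional[str]
    # Assumed compliance attributes gathered by post-connect inspection
    patched: bool = True
    av_running: bool = True


@dataclass
class Decision:
    method: str            # "802.1X", "MAB" or "denied"
    vlan: str              # authorization the RADIUS server hands back
    reasons: List[str] = field(default_factory=list)


# Constructed credential store and MAC address repository (MAR): value is the role.
VALID_CREDENTIALS = {"alice-laptop-cert": "corp"}
MAC_REPOSITORY = {"00:11:22:33:44:55": "printers"}


def authenticate(ep: Endpoint) -> Decision:
    """Pre-connect stage: 802.1X first, MAB fallback, otherwise deny."""
    if ep.supplicant_credential is not None:
        role = VALID_CREDENTIALS.get(ep.supplicant_credential)
        if role:
            return Decision("802.1X", vlan=f"vlan-{role}")
        # A supplicant that presents a bad credential is rejected outright.
        return Decision("denied", vlan="none", reasons=["invalid credential"])
    # No supplicant: MAB, i.e. the MAC must be in the repository.
    role = MAC_REPOSITORY.get(ep.mac.lower())
    if role:
        return Decision("MAB", vlan=f"vlan-{role}")
    return Decision("denied", vlan="none", reasons=["MAC not in repository"])


def post_connect_check(ep: Endpoint, decision: Decision) -> Decision:
    """Post-connect stage: inspect an admitted host and change its
    authorization if it fails compliance (the authentication alone is kept)."""
    if decision.method == "denied":
        return decision
    failures = []
    if not ep.patched:
        failures.append("missing patches")
    if not ep.av_running:
        failures.append("antivirus not running")
    if failures:
        return Decision(decision.method, vlan="vlan-remediation", reasons=failures)
    return decision


def admit(ep: Endpoint) -> Decision:
    """Full flow: pre-connect authentication, then post-connect compliance."""
    return post_connect_check(ep, authenticate(ep))


if __name__ == "__main__":
    samples = [
        Endpoint("aa:bb:cc:dd:ee:01", "alice-laptop-cert"),
        Endpoint("00:11:22:33:44:55", None),
        Endpoint("de:ad:be:ef:00:01", None),
        Endpoint("aa:bb:cc:dd:ee:02", "alice-laptop-cert", patched=False),
    ]
    for s in samples:
        print(s.mac, admit(s))
```

The design point is that `authenticate` alone is exactly the "802.1X only" posture described under Limitations: the unpatched laptop in the last sample is admitted to the corporate VLAN on the strength of its certificate, and only `post_connect_check` moves it to the remediation VLAN. Note also that MAB endpoints are mapped to their own restricted role rather than the corporate one, since a MAC address in a whitelist is a weaker identity than a credential.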
The ACES Advantage
ACES engineers are experts in deploying Forescout as an 802.1X solution, with a multitude of successful 802.1X deployments. We understand the challenge of transitioning a network to 802.1X authentication, as well as the infrastructure configuration and testing that must take place with minimal impact to the network and to your users.
Once we have your 802.1X solution in place, we can also provide expertise in taking your endpoint security to the next level – not stopping at simple authentication, but also leveraging host profiling, deep host inspection, policy-based compliance checks, and then taking network actions based on these findings. Network actions can include using the RADIUS server to change the authorization of the endpoints, but other network actions can be performed as well, including VLAN changes, application of endpoint address or port-based ACLs, etc.
Organizations which rely solely on authentication as a means of endpoint and network security may have a false sense of security. Leveraging Forescout as your 802.1X solution means you can obtain real-time visibility into every connected endpoint, as well as the ability to profile and inspect endpoints for compliance. That’s what it takes to provide true security in today’s modern network with its wide variety of endpoint types, including IT, OT, and IoT devices. ACES can help you achieve true network and endpoint security with a Forescout based 802.1X solution.