LAN Access Authorization
While the concept of access authorization to a network is important for wired networks such as Ethernet LANs, it is even more significant in wireless local networks. These networks present a unique set of issues, because the only restriction on access to them is radio signal strength. There is no wiring to define membership in a network, and no physical method to stop a system within radio range from becoming part of a wireless network. X-Calibur’s port-based network access control (PNAC) implementation, based on the IEEE 802.1X standard, authenticates devices and users connected to a LAN on a per-port basis, so that access is restricted to authorized entities.
X-Calibur’s 802.1X framework is based on IETF Extensible Authentication Protocol over LAN (EAPoL) messages. 802.1X defines an authentication dialog between the system needing network services and the network. This involves establishing identity in order to gain authorized access by binding a name to something known, such as a MAC address, and then using that name in all future interactions. 802.1X requires entities to play three roles in the authentication process: the device seeking network access, i.e. the client to be authenticated ("Supplicant"); the server performing the authentication ("Authentication Server" or "AS"); and the device responsible for granting access based on authorization from the AS ("Authenticator"). The Supplicant and Authenticator coordinate with each other through controlling logic called the Port Access Entity (PAE).
X-Calibur implements the 802.1X PAEs for Supplicants and Authenticators, allowing seamless integration of this functionality in embedded devices and enabling communication with any standard AS in multi-platform networks. X-Calibur defines two logical ports of access between the Supplicant and the Authenticator: controlled and uncontrolled. A controlled port only accepts packets from authenticated nodes, whereas an uncontrolled port accepts all packets. While in the unauthorized state, the Authenticator PAE filters out all traffic from the Supplicant to the controlled port. The Authenticator PAE communicates with the Supplicant PAE via EAPoL protocol data units (PDUs), which are allowed through the uncontrolled port so that the authentication process can complete. Once authentication succeeds, the controlled port is enabled and the Supplicant is granted access.
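The controlled/uncontrolled port model described above, as an added, simplified example (this is illustrative code, not X-Calibur's PAE implementation): an Authenticator-side port that lets only EAPoL frames (EtherType 0x888E) reach the uncontrolled port, drops everything else on the controlled port until the port is authorized, and re-blocks it on EAPOL-Logoff. The EAPoL and EAP header layouts are the standard ones; the frames, MAC addresses and identity string are constructed, and the AS decision is injected directly instead of coming from a real RADIUS exchange.

```python
"""Simplified 802.1X Authenticator port logic (added example, not X-Calibur code)."""
import struct
from enum import Enum

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address

# EAPoL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes and the Identity type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


class PortStatus(Enum):
    UNAUTHORIZED = "Unauthorized"
    AUTHORIZED = "Authorized"


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype, payload) for an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return frame[0:6], frame[6:12], ethertype, frame[14:]


def parse_eapol(payload: bytes):
    """Return (version, packet_type, body); the body length field is enforced."""
    if len(payload) < 4:
        raise ValueError("EAPoL header too short")
    version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPoL body length mismatch")
    return version, ptype, body


def parse_eap(body: bytes):
    """Return (code, identifier, eap_type, type_data) from an EAP packet."""
    if len(body) < 4:
        raise ValueError("EAP header too short")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent")
    if code in (EAP_SUCCESS, EAP_FAILURE):  # no Type field on these codes
        return code, ident, None, b""
    return code, ident, body[4], body[5:length]


class AuthenticatorPort:
    """One physical port: tracks authorization state and decides what to forward.

    A real PAE runs the full 802.1X state machines with timers and periodic
    reauthentication; here the AS verdict arrives through as_decision().
    """

    def __init__(self):
        self.status = PortStatus.UNAUTHORIZED
        self.supplicant_mac = None
        self.pending = None  # (src MAC, identity) awaiting an AS decision

    def receive(self, frame: bytes) -> str:
        _dst, src, ethertype, payload = parse_ethernet(frame)
        if ethertype == ETHERTYPE_EAPOL:
            return self._uncontrolled_port(src, payload)
        return self._controlled_port(src)

    def _controlled_port(self, src: bytes) -> str:
        # Only the authenticated Supplicant's traffic passes, and only once authorized.
        if self.status is PortStatus.AUTHORIZED and src == self.supplicant_mac:
            return "forwarded"
        return "dropped"

    def _uncontrolled_port(self, src: bytes, payload: bytes) -> str:
        _version, ptype, body = parse_eapol(payload)
        if ptype == EAPOL_START:
            return "sent EAP-Request/Identity"
        if ptype == EAPOL_LOGOFF:
            self.status, self.supplicant_mac = PortStatus.UNAUTHORIZED, None
            return "logoff: port unauthorized"
        if ptype == EAPOL_EAP_PACKET:
            code, _ident, eap_type, data = parse_eap(body)
            if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
                self.pending = (src, data.decode("utf-8", "replace"))
                return "relayed Identity to AS"
            return "relayed EAP to AS"
        return "ignored"

    def as_decision(self, success: bool) -> PortStatus:
        """Apply the AS verdict: bind the port to the pending Supplicant MAC on success."""
        if success and self.pending:
            self.supplicant_mac = self.pending[0]
            self.status = PortStatus.AUTHORIZED
        else:
            self.status = PortStatus.UNAUTHORIZED
        return self.status


def build_eapol(src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Constructed EAPoL frame: dst = PAE group address, version 1."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def build_eap_identity_response(ident: int, identity: bytes) -> bytes:
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
```

Feed `receive()` ordinary frames before and after `as_decision(True)` to see the controlled port open for the bound MAC only; a frame from any other source address on the same port is still dropped, which is the per-port, per-Supplicant binding the text describes.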
While 802.1X provides an interoperable transport for authentication PDUs, it does not dictate or provide the authentication mechanism. X-Calibur allows the use of a number of EAP-based authentication protocols, such as passwords, EAP-TLS (EAP over Transport Layer Security), EAP-TTLS (EAP over Tunneled TLS), EAP-Kerberos, PEAP (Protected EAP), one-time passwords, and others. These protocols can be deployed over X-Calibur using built-in APIs that let the Supplicant or Authenticator implement EAPoL interfaces to standard servers (e.g. RADIUS Authentication Servers), packaging EAP messages in link-layer frames.
The WPA industry standard and the upcoming IEEE 802.11i standard specify the use of 802.1X for station authentication. In WLAN infrastructure mode, X-Calibur can provide the Supplicant PAE functionality for stations as well as an Authenticator PAE implementation for access points. Authentication is typically achieved by identifying a station by its MAC address and determining its level of authorization in the AS. X-Calibur APIs can be used to act as an EAP proxy between the Supplicant and the AS, passing EAPoL frames through with their EAP payload carried in RADIUS EAP-Message attributes that the RADIUS server interprets. The AS then provides the authentication state of the Supplicant to the Authenticator over the secure RADIUS channel between the two, and also provides for dynamic re-keying transparent to the end user. Other EAP mechanism implementations are also possible using the same APIs.
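The RADIUS side of the EAP pass-through described above, as an added example (illustrative code, not X-Calibur's API): the Authenticator takes the EAP packet out of the EAPoL frame, fragments it into RADIUS EAP-Message attributes (attribute 79, at most 253 bytes of value each) and adds the Message-Authenticator attribute (attribute 80, an HMAC-MD5 keyed with the shared secret, as RFC 3579 requires whenever EAP-Message is present). It also checks both the Response Authenticator and the Message-Authenticator of a server reply before trusting the EAP it carries. The shared secret, Request Authenticator, NAS attributes and EAP bytes are constructed values; a deployment generates the Request Authenticator randomly per request.

```python
"""EAP over RADIUS packaging for an EAP pass-through Authenticator (added example)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_PORT, ATTR_STATE = 1, 5, 24
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
MAX_ATTR_VALUE = 253  # attribute length byte counts type+length+value, max 255
HEADER_LEN = 20       # code(1) id(1) length(2) authenticator(16)


def attr(atype: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_message_attrs(eap: bytes) -> bytes:
    """Split one EAP packet across consecutive EAP-Message attributes."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap), MAX_ATTR_VALUE))


def parse_attrs(data: bytes):
    """Return [(type, value), ...]; malformed lengths raise instead of looping."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("bad attribute length")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def extract_eap(attrs) -> bytes:
    """Reassemble the EAP packet from EAP-Message fragments, in order."""
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)


def _finish(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes) -> tuple:
    """Append Message-Authenticator and compute its HMAC over the whole packet.

    For responses the authenticator field used in the HMAC is the Request
    Authenticator of the matching request (RFC 3579 section 3.2)."""
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    mac = hmac.new(secret, head + req_auth + attrs, hashlib.md5).digest()
    return head, attrs[:-16] + mac


def build_access_request(ident, req_auth, secret, identity, nas_port, eap, state=None) -> bytes:
    attrs = attr(ATTR_USER_NAME, identity) + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    if state is not None:
        attrs += attr(ATTR_STATE, state)  # echo the server's State on follow-up rounds
    head, attrs = _finish(ACCESS_REQUEST, ident, req_auth, secret, attrs + eap_message_attrs(eap))
    return head + req_auth + attrs


def build_response(code, ident, req_auth, secret, attrs: bytes) -> bytes:
    """Constructed server reply, used here to exercise the verification path."""
    head, attrs = _finish(code, ident, req_auth, secret, attrs)
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response_authenticator(packet: bytes, secret: bytes, req_auth: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def verify_message_authenticator(packet: bytes, secret: bytes, req_auth: bytes) -> bool:
    """Recompute the HMAC with the Message-Authenticator value zeroed."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    raw, off = packet[HEADER_LEN:], 0
    while off + 2 <= len(raw):
        atype, alen = raw[off], raw[off + 1]
        if alen < 2 or off + alen > len(raw):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:4] + req_auth + raw[:off + 2] + bytes(16) + raw[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, raw[off + 2:off + 18])
        off += alen
    return False  # absent Message-Authenticator is a failure for EAP traffic
```

The verification functions return `False` rather than raising so a caller can discard a bad reply and keep the port unauthorized; treating a missing Message-Authenticator as a failure is deliberate, since an EAP-carrying RADIUS packet without one cannot be attributed to the server.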
The X-Calibur framework contains APIs and abstractions to integrate the client or the server of any EAP-based authentication protocol with the Supplicant or Authenticator module respectively. It also includes flexible hooks to configure the operational parameters of the Supplicant and Authenticator. Management capabilities include the ability to maintain and retrieve Authenticator statistics through a MIB interface, and to override the protocol by statically configuring the access control of an Authenticator port. X-Calibur’s 802.1X implementation also supports exchanging key information between the Authenticator and the Supplicant once authentication is successful, if the server supports it. Reference implementations are included for several EAP types, including EAP-TLS, PEAP and EAP-TTLS.