Explain why IEEE802.1X Link layer Security with a RADIUS server is not enough to achieve the desired goals of the IT Team in this case study.
What is IEEE 802.1X?
Devices attempting to connect to a LAN or WLAN require an authentication mechanism. IEEE 802.1x, an IEEE Standard for Port-Based Network Access Control (PNAC), provides protected authentication for secure network access.
An 802.1X network differs from a home network in one major way: it has an authentication server, called a RADIUS server. The RADIUS server checks a user's credentials to see whether they are an active member of the organization and, depending on the network policies, grants users varying levels of access to the network. This allows unique credentials or certificates to be used per user, removing the reliance on a single shared network password that can easily be stolen.
Why is a RADIUS server required for IEEE 802.1X, and why is it not enough to achieve the desired goals of the IT Team?
The RADIUS server acts as the "security guard" of the network: as users connect, the RADIUS server authenticates their identity and authorizes them for network use. A user becomes authorized for network access after enrolling for a certificate from the PKI (Public Key Infrastructure) or confirming their credentials. Each time the user connects, the RADIUS server confirms they have the correct certificate or credentials and prevents any unapproved users from accessing the network.
A key security mechanism to employ when using RADIUS is server certificate validation. This guarantees that the user only connects to the network they intend to: the device is configured to confirm the identity of the RADIUS server by checking its server certificate. If the certificate is not the one the device expects, the device will not send its own certificate or credentials for authentication. This prevents users from falling victim to an Evil Twin proxy attack, in which a rogue access point and RADIUS server impersonate the legitimate network to harvest credentials.
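The following wpa_supplicant configuration is an added example, not part of the original answer, showing the weak and the hardened form of the server certificate validation described above. The CA file path, the RADIUS server's hostname, the SSID and the account name are placeholders assumed for illustration; the option names themselves (`ca_cert`, `domain_match`, `altsubject_match`, `phase1`, `phase2`) are standard wpa_supplicant settings.

```ini
# --- Weak: no server certificate validation ---
# The supplicant trusts whatever RADIUS server the access point forwards it to.
# An Evil Twin AP with its own RADIUS server receives the user's MSCHAPv2
# response (and, for PEAP without validation, a crackable hash of the password).
network={
    ssid="CorpWiFi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"    # placeholder account
    password="hunter2"              # placeholder credential
    phase2="auth=MSCHAPV2"
    # ca_cert is missing: the TLS tunnel is built to an unverified peer
}

# --- Hardened: the device verifies the RADIUS server before sending credentials ---
network={
    ssid="CorpWiFi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"    # placeholder account
    password="hunter2"              # placeholder credential
    # Only trust the organization's own issuing CA, not the system-wide bundle.
    ca_cert="/etc/ssl/corp/radius-ca.pem"          # placeholder path
    # Pin the expected server name so a certificate from the same CA but for a
    # different host is still rejected (exact match on subject CN / SAN domain).
    domain_match="radius.example.org"              # placeholder hostname
    # Alternatively pin a subjectAltName entry explicitly.
    altsubject_match="DNS:radius.example.org"
    # Disable the TLS 1.3 downgrade to older PEAP behaviour and force MSCHAPv2 inside the tunnel.
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

With the hardened form, if the presented certificate does not chain to `radius-ca.pem` or its name does not match `domain_match`, the supplicant aborts the EAP exchange before the inner authentication runs, so no password hash or client certificate is ever sent to the impostor.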
RADIUS servers can also be used to authenticate users from a different organization. Solutions like eduroam chain RADIUS servers together as proxies (with the links between them typically secured by RadSec, RADIUS over TLS). If a student visits a neighboring university, the request is proxied to the RADIUS server at their home university, which authenticates their status, and the visited university then grants them secure network access.