IEEE 802.1X

IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

The standard directly addresses an attack technique called Hardware Additions,[1] in which an attacker posing as a guest, customer or member of staff smuggles a malicious device into the building and plugs it into the network, gaining full access to it. A notable example occurred in 2005, when a machine attached to Walmart's network was used to compromise thousands of their servers.[2]

IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over wired IEEE 802 networks[3]: §3.3 and over 802.11 wireless networks,[3]: §7.12 which is known as "EAP over LAN" or EAPOL.[4] EAPOL was originally specified for IEEE 802.3 Ethernet, IEEE 802.5 Token Ring, and FDDI (ANSI X3T9.5/X3T12 and ISO 9314) in 802.1X-2001,[5] but was extended to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless in 802.1X-2004.[6] EAPOL was further modified for use with IEEE 802.1AE ("MACsec") and IEEE 802.1AR (Secure Device Identity, DevID) in 802.1X-2010[7][8] to support service identification and optional point-to-point encryption over the internal LAN segment. 802.1X is part of the logical link control (LLC) sublayer of the 802 reference model.[9]
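The encapsulation described above can be seen concretely by decoding an EAPOL frame. The following Python decoder is an added example, not code from the article or from the IEEE standard; the field layout (EtherType 0x888E, the EAPOL header of version, packet type and body length, and the EAP header of code, identifier, length and type) follows 802.1X and RFC 3748, while the sample frames and the 00:00:5e:00:53:xx MAC addresses are constructed for the example.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE group (multicast) address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak"}


def parse_eapol(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying EAPOL; return its header fields and any EAP packet."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:  # length field must not claim bytes the frame lacks
        raise ValueError("EAPOL body length exceeds frame")
    result = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
              "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:  # only EAP-Packet carries an EAP packet in the body
        result["eap"] = parse_eap(body)
    return result


def parse_eap(pkt: bytes) -> dict:
    """Decode the EAP packet (RFC 3748 section 4) carried in an EAPOL EAP-Packet body."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # Request and Response carry a Type byte followed by Type-Data
        if length < 5:
            raise ValueError("EAP Request/Response missing Type")
        eap["type"] = EAP_TYPES.get(pkt[4], f"type {pkt[4]}")
        eap["data"] = pkt[5:length]
    return eap


# Constructed sample: an authenticator's EAP-Request/Identity (id 1), EAPOL version 2.
SAMPLE_REQUEST_IDENTITY = (PAE_GROUP_ADDRESS + bytes.fromhex("00005e0053aa")
    + struct.pack("!H", ETHERTYPE_EAPOL) + bytes([2, 0]) + struct.pack("!H", 5)
    + bytes([1, 1]) + struct.pack("!H", 5) + bytes([1]))
# Constructed sample: a supplicant's EAPOL-Start, which has an empty body.
SAMPLE_START = (PAE_GROUP_ADDRESS + bytes.fromhex("00005e0053bb")
    + struct.pack("!H", ETHERTYPE_EAPOL) + bytes([2, 1, 0, 0]))
```

A monitoring tool watching for EAPOL-Start or EAP-Request/Identity on ports where no authentication is expected can use the decoded type fields directly; the length checks reject truncated or inconsistent frames before any field is trusted.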

  1. "Hardware Additions, Technique T1200". attack.mitre.org. 2018-04-18. Retrieved 2024-04-10.
  2. Zetter, Kim. "Big-Box Breach: The Inside Story of Wal-Mart's Hacker Attack". Wired. ISSN 1059-1028. Retrieved 2024-02-07.
  3. B. Aboba; L. Blunk; J. Vollbrecht; J. Carlson (June 2004). H. Levkowetz (ed.). Extensible Authentication Protocol (EAP). Network Working Group. doi:10.17487/RFC3748. RFC 3748. Proposed Standard. Updated by RFC 5247 and RFC 7057. Obsoletes RFC 2284.
  4. IEEE 802.1X-2001, § 7
  5. IEEE 802.1X-2001, § 7.1 and 7.2
  6. IEEE 802.1X-2004, § 7.6.4
  7. IEEE 802.1X-2010, page iv
  8. IEEE 802.1X-2010, § 5
  9. IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture (Technical report). IEEE. 2014. doi:10.1109/IEEESTD.2014.6847097. 802. "802.1X forms part of the LLC sublayer and provides a secure, connectionless service immediately above the MAC sublayer."