It’s important to understand the components involved in making 802.1X authentication work before diving into the setup. There are three components used in 802.1X, the Supplicant, the Authenticator, and the Authentication Server.
Supplicant – This is the client or end user device that is attempting to gain access. This can be a Phone, Laptop, Tablet, or any network device that needs to gain access to network resources.
Authenticator – This is the device that acts as the middleman in the authentication process. It also acts as the bouncer to the network, leaving the controlled port blocked until authentication has successfully occured through the uncontrolled port. This is typically the Access Point or Controller in a wireless network.
Authentication Server – This is a server that will support RADIUS and EAP and will authenticate the credentials of the supplicant. This server will very often be a Windows NPS server, but can also be FreeRADIUS, Cisco ISE, ExtremeAccessControl (formerly NAC) or a number of other RADIUS servers.
802.1X Authentication Process
The 802.1X authentication process involves many steps. It’s good to know the sequence of events that occur in order to properly troubleshoot any authentication problems. The following is a brief explanation of an EAP-PEAP authentication.
PEAP Phase I
The process begins when a supplicant connects to an SSID using 802.1X/EAP security. The supplicant will sent an EAPOL start to begin the authentication process. The authenticator will the reply with an Identity Request. Because an encrypted tunnel has not been created at this point, the client will respond with a bogus username. The Authentication server will then reply with an EAP-Request and will also send the server certificate. The supplicant will then validate the server certificate and establish a TLS encrypted tunnel through which the remaining authentication will occur.
PEAP Phase II
Once the TLS tunnel is established, the Authentication Server will send an EAP-Request/Identiy to which the suppliant will respond with an EAP-Response/Identity that will contain the real user credentials. The Authentication server will then verify the credentials and send a EAP-Request/Success message to the suppliant. Once the supplicant has been successfully authenticated, the 4-way handshake can begin.
The 4-way handshake is an exchange that creates the keys used to encrypt all communication between the supplicant and the authenticator. The authentication server will provide both the supplicant and authenticator with a MSK (Master Session Key) after the EAP authentication completes. This MSK will be used to create the PMK (Pairwise Master Key) and the GMK (Group Master Key). The PTK (Pairwise Transient Key) is derived from the PMK, nonces (random values created by the supplicant and authenticator), authenticator address and supplicant address. The GTK (Group Temporal Key) is derived from the GMK by the Authenticator and is distributed to multiple supplicants on the same SSID.
The PTK is used to encrypt all unicast traffic. It is unique to each supplicant. The GTK is shared used to encrypt all multicast/broadcast traffic. It will be the same on all supplicants communicating through the authenticator.