802.1X Port-Based Network Access Control

From SpinetiX Support Wiki

(Redirected from 802.1X)
Jump to: navigation, search

Applies to HMP400, HMP400W, iBX410, iBX410W, iBX440, and third-party DSOS players.

Introduction

IEEE 802.1X is a standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to connect to a LAN or WLAN.

The IEEE 802 LAN/WLANs are deployed in networks that convey or provide access to critical data, that support mission-critical applications, or that charge for service. Port-based network access control regulates access to the network, guarding against transmission and reception by unidentified or unauthorized parties, and consequent network disruption, theft of service, or data loss. This allows a network administrator to restrict the use of IEEE 802(R) LAN service access points (ports) to secure communication between authenticated and authorized devices.

The 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

  • The supplicant is a client device (such as an HMP or a laptop) that wishes to attach to the LAN/WLAN.
  • The authenticator is a network device that provides a data link between the client and the network and can allow or block network traffic between the two, such as an Ethernet switch or wireless access point.
  • The authentication server is a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is to be allowed, and various settings that should apply to that client's connection or setting. Authentication servers typically run software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the supplicant must initially provide the required credentials to the authenticator - these will have been specified in advance by the network administrator and could include a username/password or a permitted digital certificate. The authenticator forwards these credentials to the authentication server to decide whether access is to be granted. If the authentication server determines the credentials are valid, it informs the authenticator, which in turn allows the supplicant (client device) to access resources located on the protected side of the network.

The HMP400, HMP400W, iBX410, iBX410W, iBX440, and third-party DSOS players have support for the IEEE 802.1X network protocol.

DSOS support

SpinetiX DSOS™ (version 4.5.1 or later) supports 802.1X authentication with numerous WPA, EAP, and PEAP methods, such as WPA-PSK, PEAP-EAP-MSCHAPv2, EAP-TLS, EAP-TTLS, EAP-PWD, EAP-GTC, PEAP-EAP-TLS, etc.

  • For EAP-TLS, EAP-TTLS, and EAP-PEAP methods, an X.509 certificate (PEM-formatted) is required for trust verification of the authenticator - you can provide the Root CA Certificate or any intermediary CA Certificate. The authenticator's server's certificate chain must be verified by at least one CA in the list for the authentication to succeed.
  • EAP-TLS requires mutual authentication using client-side X.509 certificate (PEM-formatted). A client PKCS#8 private key (PEM-formatted), corresponding to the public key provided in the client certificate, must also be provided. EAP-TTLS might require these, as well.
  • RSA digital signature is supported, while ECDSA is not.

Configuration

To configure (simple) Wi-Fi access on the HMP400W or IbX410W, you can connect directly to the player's built-in Wi-Fi access point – this is available since firmware 4.6.0; for players with firmware 4.5.x, either connect them to the wired network and update the firmware, or use the tool below to configure the wireless network. See also how to add multiple Wi-Fi networks.

For more advanced 802.1x authentication, you need to generate a configuration file and apply it from HMP Control Center or from a USB stick. The network configurator tool below might come in handy, nevertheless, good knowledge of the Configuration API documentation, the XML format, binary-to-text encoding (e.g., Base64), and digital certificates handling, is required.

Network configurator tool

SpinetiX provides this network configurator tool to help generate the configuration file for the following authentication methods:

Note Notes:
  • The support for EAP-TLS is deemed experimental, as we don't have the infrastructure to test this authentication method. Your feedback is welcomed.
  • If you need assistance to generate the configuration file for another authentication method, please contact your local SpinetiX Partner or SpinetiX PRO for a service quote.
Note  
This tool can be downloaded from our server for local usage.

See also

This page was last modified on 25 March 2024, at 15:29.