802.1x Love Story in Layer-2 Switches

Sorry friends. I took a long gap before publishing a blog on educational stuff. Anyway, today I am going to explain one incident that happened during my last training session. So cool down and let's start the topic!

It was the session on 802.1x Port Authentication. Like my other training sessions, I completed it 15 minutes before schedule and switched to a funny discussion on the same topic. One girl asked me how I could relate this authentication protocol to my life!

Hmmm… Now your turn!! Do you remember my earlier DHCP blog? I told a similar kind of story in reply to her crazy question. Let's follow that story!!

One declaration: I have a plan to create another blog site for only technical stuff without any funny ideas (I will try to avoid them. Okay??). Do you like this plan??

However, similar to my earlier blogs on education, this blog is not meant for people who find it boring or scary to relate funny matters to what they study in their class books or work on every day.

This blog is written assuming that you have some idea of the 802.1x Port Authentication Protocol. And here is a freaky look at the same protocol, to remember it easily.

802.1x Port Authentication Protocol

[Figure: 802.1x authentication process. Ref: IEEE 802.1X Wiki]

Cast:

Supplicant (for example an Xsupplicant client): Myself
Layer-2 Switch (the Authenticator): My lover
RADIUS Server (the Authentication Server): Her family

I struggled a lot to make my lover agree. Initially she was not talking to me. I don't know why girls ignore guys at the beginning! OK, leave this topic here, because my main focus is to explain how she agreed to marry me and what steps I followed to impress her as well as her parents and make them agree to my proposal.

In this love story, I bravely initiated the proposal with an "EAPOL-Start" frame to the girl I was in love with. An EAPOL-Start carries nothing but the knock on the door: it tells the switch that a supplicant is on the port and wants to be authenticated. Until that authentication succeeds the port passes only EAPOL frames; everything else I send is dropped. Who I am, and what I want, came in the next step.

She took some time. However, she took notice of my proposal and replied with a message called "EAP-Request/Identity", which simply asks who I am. I answered with an "EAP-Response/Identity" giving my name, and she relayed it to her parents (inside a RADIUS Access-Request). From then on her parents chose the questions and she only carried messages back and forth; in this protocol the switch never decides anything itself. If they proposed a way of talking that I could not follow, I could answer with an EAP-Nak naming one I did support, but a single wrong answer was a huge chance to receive an EAP-Failure and a closed door.

Her parents could quiz me in three ways (in the real protocol the authentication server proposes the EAP method and the supplicant either follows it or sends an EAP-Nak with the method it prefers):

  • EAP-MD5
  • EAP-TLS
  • EAP-MS-CHAP v2 (inside PEAP) or EAP-TTLS

MD5 Authentication Method

EAP-MD5 is the easiest method. It only trusts a password: the server sends a random challenge and I reply with the MD5 hash of (identifier + my password + challenge). It authenticates only me, never the server, it derives no keys to encrypt anything afterwards, and anyone who captures the challenge and my response can run an offline dictionary attack against the password. So I thought it would not be a good choice. Because it is rarely seen that a girl's parents agree to a marriage proposal knowing just the name and caste of a guy.

TLS Authentication Method

So my next choice was EAP-TLS. But before I could explain this method, one of the brilliant guys explained it!

EAP-TLS uses the Transport Layer Security (TLS) public key certificate authentication mechanism within EAP to provide mutual authentication of client to server and server to client. With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust.

Nicely explained, and I appreciated him for the information he shared. EAP-TLS needs me to hold a certificate too, issued by a CA that her parents already trust, and I had no such certificate; nor did I know much about her parents (how are they? what type of guy are they looking for their daughter?). So I dropped my second choice. What I wanted was a protected channel for the discussion with her parents without first enrolling for a certificate, which left me the third choice, EAP-MS-CHAP v2 (which in practice is run only inside PEAP). Suddenly another guy started explaining the PEAP method.

PEAP Authentication Method

PEAP is an authentication method that uses TLS to enhance the security of other EAP authentication protocols. PEAP provides the following benefits: an encryption channel to protect EAP methods running within PEAP, dynamic keying material generated from TLS, fast reconnect.

“Ordinarily EAP-PEAP uses TLS only to authenticate the server to the client but not the client to the server.  This way, only the server is required to have a public key certificate; the client need not have one”, I added.

TTLS Authentication Method

Listening to this explanation, one of the girls wanted to know why I didn't choose EAP-TTLS, and listed its benefits in front of everyone.

The Tunneled TLS EAP method (EAP-TTLS) is very similar to EAP-PEAP in the way that it works and the features that it provides. However the difference is that instead of encapsulating EAP messages within TLS, the TLS payload of EAP-TTLS messages consists of a sequence of attributes.  By including a RADIUS EAP-Message attribute in the payload, EAP-TTLS can be made to provide the same functionality as EAP-PEAP.  If, however, a RADIUS Password or CHAP-Password attribute is encapsulated, EAP-TTLS can protect the legacy authentication mechanisms of RADIUS.

I calmly explained that I had no interest in using any PROXY while communicating with her parents: with EAP-TTLS the inner attributes are typically handed on by the TTLS server to a legacy AAA server, and I wanted my answers checked directly. So EAP-MS-CHAP v2 inside PEAP was the better choice at that time, and it is the one every Windows supplicant speaks natively. One caveat I kept in mind: because PEAP authenticates only the server by certificate, I had to verify that certificate (a trusted CA and the expected server name) before sending my MS-CHAP v2 answer; otherwise an impostor playing "her family" could collect my response and attack it offline.

Hearing this hidden story, everyone in the training room started wishing me a happy marriage. But I stopped them in the middle and told them it was just a story, not a real fact!! I could feel why the girls threw nice smiles at me after my last statement!! Anyway, the training ended in a joyous atmosphere. But you have full rights here to ask any query on the 802.1x protocol.
