802.1X is a standard for network access control. It defines how devices attempting to connect to a LAN or wireless LAN are authenticated, and it carries the Extensible Authentication Protocol (EAP), an authentication framework that protects the information exchanged during the network authentication process.
Authentication in 802.1X networks involves three parties:
- supplicant – the client that would like to authenticate to the network
- authentication server – authenticates requests for network access and applies policies, typically implemented as a RADIUS server
- authenticator – the network device relaying information between supplicant and authentication server
EAP can be configured to use credentials such as username/password or digital certificates to authenticate the client and grant access to the network. Therefore, the Identity Provider (IdP) is an important part of the 802.1X network.
IdPs come in many variations; the most common are Microsoft Active Directory or an LDAP directory, where user information is stored. RADIUS can connect to these IdPs to validate credentials. Google, Facebook, or Microsoft can also act as an IdP using mechanisms such as SAML or OpenID Connect.
All of these IdPs have something in common: we need to provide a username and password in order to authenticate. However, entering credentials does not provide the best user experience and can be slow, because it involves many steps from the 802.1X point of view.
Fortunately, we have the alternative in the form of digital certificates.
The benefits of EAP-TLS
As described in RFC 5216, Transport Layer Security (TLS) provides mutual authentication, integrity-protected cipher-suite negotiation, and key exchange between two endpoints.
EAP-TLS is generally the strongest EAP type: the server presents its identity as a digital certificate and requests the same from the client. When the TLS tunnel is successfully established, the exchanged symmetric encryption key is used to protect data over the network.
It is also one of the fastest EAP types, because it requires only about 12 steps to authenticate a client.
When it comes to security, a few prerequisites must be in place:
- a trusted public key infrastructure (PKI) issuing client and server certificates
- an initial certificate provisioning process for the clients
- certificate lifecycle management, to avoid expired certificates and untrusted endpoints that can cause unavailability of the network
- validation procedures for the certificates used as identities
A public or internal PKI can provide us with certificates based on its policies and procedures, including the information we need in order to validate the identity, such as a certificate revocation list (CRL) or an online protocol for checking certificate status (OCSP).
Let’s focus on how we can provision the identity and manage its life cycle in an automated way. This is especially important in a hybrid environment, where we expect many different kinds of clients to connect to the network.
Digital certificate enrollment
When operating a homogeneous environment, certificate enrollment can be a simple task.
For example, achieving an 802.1X network in a purely Microsoft-based environment requires deploying a Windows Certification Authority server with auto-enrollment enabled and a Network Policy Server, and then pushing a GPO to all domain-joined endpoints.
However, even in a Microsoft environment you can have clients that are not joined to the domain, so you cannot enforce policy and auto-enrollment on them. We need a systematic and automated approach to enrolling and provisioning client certificates in heterogeneous and hybrid environments, where many kinds of devices and clients running different operating systems and applications are expected.
Automation is very useful here, since the number of clients can be high and we usually do not have the capacity to handle every enrollment and issuance request manually. It also protects the process against human error.
We are looking to automate the following procedure:
- the client generates an asymmetric key pair; the private key should be stored securely inside a cryptographic device such as a hardware security module (HSM), USB token, or smart card, or in a protected secure key store
- the client prepares a certificate signing request (CSR), signed with the private key generated in the previous step
- the CSR (and other required information) is delivered to the registration or certification authority to issue the certificate (clients can be registered as entities before the CSR is delivered)
- the CA issues the certificate
- the certificate is provisioned to every location where it needs to be in order to establish trust in the 802.1X network, including the client (depending on validation procedures and PKI practices)
The client stores the certificate (which is public information) and can then request access to the 802.1X network with EAP-TLS.
Automation of certificate life-cycle management
When we talk about automating certificate life-cycle procedures, we mean standard interfaces and protocols such as:
- Simple Certificate Enrollment Protocol (SCEP)
- The Automatic Certificate Management Environment (ACME)
- Enrollment over Secure Transport (EST)
- Certificate Management Protocol (CMP)
- Microsoft Auto-enrollment
All of these can help us automate certificate enrollment. However, in most cases it is not so simple: we have clients that do not support any of the standard interfaces and protocols, and specialized devices that need special configuration. You can imagine many other similar use cases.
In this case we bring in the orchestration and automation platform AppViewX, which helps us automate enrollment and certificate provisioning. AppViewX can act as a registration authority that handles all interfaces and protocols (including custom APIs) and also maintains connections to multiple different certification authorities; see the diagram below for a better understanding:
Moreover, we can use the strong workflow engine of AppViewX to design a custom enrollment API, which can then be used to initialize devices or clients with the appropriate credentials and other relevant information.
This is extremely useful when new devices need to be connected in a heterogeneous environment, since we do not have to spend ages on configuration and personalization of each device.
Building the workflow
Using the workflow engine, we will automate the procedure described above for initializing a device and provisioning its certificate. Based on the workflow, the procedure from the operational point of view is the following:
- connect the device to a restricted network (no authentication, access limited to a single service)
- after booting, the device generates a key pair, produces a CSR, and sends the information to a REST API exposed by our workflow
- based on the workflow design, communication with the CA is established and enrollment of the device is requested
- (optional) based on the device identification, the device can be registered in the CMDB, a host name can be generated for it in DNS, a ticket can be created in the ITSM tool, and many other actions can be triggered that are needed to successfully establish the device
- the issued certificate is retrieved and stored locally for 802.1X EAP-TLS authentication
The simple workflow can look like this:
All you need to do is initially connect the device to a segmented network, where it can send the initialization request to the workflow's REST API.
Within a few seconds you receive a message that the device was successfully initialized and has its own unique, trusted certificate. It can now be connected to the 802.1X network, authenticate through EAP-TLS, and start communicating with authorized services.
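The following is an added example, not code from the original post or from AppViewX, that walks through the enrollment procedure above end to end: the device generates its key pair and CSR, the workflow's REST endpoint (here reduced to the `ra_enroll` function) checks proof of possession and the CMDB registration before the CA issues a clientAuth certificate, and finally the authentication server's checks on the issued certificate are shown. It assumes the Python `cryptography` library; the toy CA, the `REGISTERED_DEVICES` allow list and the device names are constructed for the demonstration and are not part of any real deployment.

```python
"""Constructed example: automated device enrollment for 802.1X EAP-TLS."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed CMDB allow list: devices registered before their CSR arrives
# (the optional registration step of the procedure).
REGISTERED_DEVICES = {"printer-0042", "sensor-0108"}

def _now():
    return datetime.datetime.now(datetime.timezone.utc)

def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases do not.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=datetime.timezone.utc),
            cert.not_valid_after.replace(tzinfo=datetime.timezone.utc))

def make_ca():
    """Toy internal CA (assumed); in production this is the PKI's own CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Device CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=5))
            .not_valid_after(_now() + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False, data_encipherment=False,
                key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def device_generate_csr(device_id):
    """Steps 1-2 on the device: generate a key pair and a CSR signed with it.
    The private key never leaves the device (here: this process)."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)]))
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(serialization.Encoding.PEM)

def ra_enroll(csr_pem, ca_key, ca_cert):
    """Steps 3-4: what the workflow's REST endpoint does with a submitted CSR.
    Returns the issued certificate as PEM, or raises on a policy violation."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: proof of possession failed")
    device_id = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if device_id not in REGISTERED_DEVICES:
        raise PermissionError(f"{device_id} is not registered in the CMDB")
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=5))
            .not_valid_after(_now() + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            # Only TLS client authentication: the device must not be usable as a server.
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)

def authenticator_check(cert_pem, ca_cert):
    """What the authentication server verifies before accepting an EAP-TLS client:
    issuer and signature chain to the trusted CA, validity window, clientAuth EKU.
    Revocation (CRL/OCSP) is a further check not shown here."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False
    not_before, not_after = _validity(cert)
    if not (not_before <= _now() <= not_after):
        return False
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return ExtendedKeyUsageOID.CLIENT_AUTH in eku

def enroll_device(device_id, ca_key, ca_cert):
    """Step 5: the device keeps its private key and stores the issued certificate."""
    key, csr_pem = device_generate_csr(device_id)
    cert_pem = ra_enroll(csr_pem, ca_key, ca_cert)
    return key, cert_pem

if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, cert_pem = enroll_device("printer-0042", ca_key, ca_cert)
    print("accepted by authenticator:", authenticator_check(cert_pem, ca_cert))
```

The identity placed in the certificate comes from the pre-registered device list, not from whatever the client wrote into its CSR, and the CSR signature check proves the requester actually holds the private key; those two checks are what a registration authority, whether AppViewX or anything else, contributes beyond simply forwarding requests to the CA.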
Get in touch with us to learn more!
We can help you streamline operations and build more effective procedures. If you are struggling with 802.1X network access control, do not hesitate to contact us!
EAP-TLS can be very affordable, and you will have all of its benefits, starting with enterprise-grade network security.
Our collaboration with AppViewX brings many new use cases, and you can rely on recognized experts in the field of network automation and certificate lifecycle management.
If you like what we are doing, contact us for more information! We believe that our experience and knowledge can benefit your business.
We are also on LinkedIn; follow us!