Introduction to 802.1x with EAP-TLS

Cisco ISE: 802.1x with EAP-TLS

The 802.1X standard defines client/server authentication and access control that prevents unauthorized clients from connecting to a LAN through publicly exposed ports until they have been authenticated. Before the switch or the LAN provides any service, the authentication server authenticates every client connected to a switch port.

The supplicant on the endpoint passes credentials, such as passwords or certificates, using the Extensible Authentication Protocol (EAP).

EAP payloads are typically carried over Ethernet by the 802.1X protocol (EAPoL, EAP over LAN) and over IP networks inside RADIUS. After evaluating the identity of an endpoint, ISE instructs the associated network device accordingly.

A phase known as EAP negotiation takes place before authentication proper, to determine which EAP method (and inner method, if applicable) will be used.

Fig 1.1 - 802.1x with EAP-TLS

EAP-based authentication process:
A network device passes EAP messages between the host and ISE, using RADIUS toward ISE. The initial set of EAP messages exchanged this way negotiates the specific EAP method to be used for the rest of the authentication.

Further EAP messages are then exchanged to carry the data needed for authentication. When the EAP method requires it, Cisco ISE validates the credentials against an identity store.
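To make the framing and the negotiation step concrete, here is an added example (not code from the original article, Cisco or ISE) that parses EAPoL frames and the EAP packets inside them, then replays a constructed supplicant-side capture to see which method was agreed. The header layouts and type numbers come from IEEE 802.1X and RFC 3748/RFC 5216; the frames themselves, the identity "bob" and the PEAP-then-NAK sequence are constructed for illustration. Note the length checks: an EAP or EAPoL length field that overruns the frame is treated as malformed rather than trusted.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// EAPOL packet types (IEEE 802.1X), EAP codes and EAP method types (RFC 3748, RFC 5216).
const (
	EAPOLEAPPacket uint8 = 0
	EAPOLStart     uint8 = 1
	EAPOLLogoff    uint8 = 2
	EAPOLKey       uint8 = 3

	EAPRequest  uint8 = 1
	EAPResponse uint8 = 2
	EAPSuccess  uint8 = 3
	EAPFailure  uint8 = 4

	EAPTypeIdentity uint8 = 1
	EAPTypeNak      uint8 = 3
	EAPTypeTLS      uint8 = 13
	EAPTypePEAP     uint8 = 25
)

// EAPOLHeader is the 4-byte header that follows the 0x888E Ethertype.
type EAPOLHeader struct {
	Version uint8
	Type    uint8
	Length  uint16 // length of the body (an EAP packet when Type is EAPOLEAPPacket)
}

// EAPPacket is RFC 3748 section 4: Code, Identifier, Length, then Type and type-data for Request/Response.
type EAPPacket struct {
	Code, Identifier uint8
	Length           uint16
	Type             uint8  // zero for Success/Failure, which carry no Type field
	Data             []byte // type-data, e.g. a NAK's list of desired types or EAP-TLS flags plus TLS records
}

// ParseEAPOL validates the EAPOL header and returns it together with the body it delimits.
func ParseEAPOL(b []byte) (EAPOLHeader, []byte, error) {
	if len(b) < 4 {
		return EAPOLHeader{}, nil, errors.New("eapol: frame shorter than header")
	}
	h := EAPOLHeader{Version: b[0], Type: b[1], Length: binary.BigEndian.Uint16(b[2:])}
	if int(h.Length) > len(b)-4 { // a body length past the end of the frame is malformed or truncated
		return EAPOLHeader{}, nil, fmt.Errorf("eapol: body length %d exceeds %d available bytes", h.Length, len(b)-4)
	}
	return h, b[4 : 4+int(h.Length)], nil
}

// ParseEAP validates the EAP header and splits out the Type and type-data.
func ParseEAP(b []byte) (EAPPacket, error) {
	if len(b) < 4 {
		return EAPPacket{}, errors.New("eap: packet shorter than header")
	}
	p := EAPPacket{Code: b[0], Identifier: b[1], Length: binary.BigEndian.Uint16(b[2:])}
	if p.Length < 4 || int(p.Length) > len(b) {
		return EAPPacket{}, fmt.Errorf("eap: bad length %d for %d bytes", p.Length, len(b))
	}
	switch p.Code {
	case EAPRequest, EAPResponse:
		if p.Length < 5 {
			return EAPPacket{}, errors.New("eap: request/response without type byte")
		}
		p.Type, p.Data = b[4], b[5:p.Length]
	case EAPSuccess, EAPFailure: // no Type field
	default:
		return EAPPacket{}, fmt.Errorf("eap: unknown code %d", p.Code)
	}
	return p, nil
}

// SelectedMethod replays a supplicant-side EAPOL capture and reports the EAP method the
// supplicant finally answered with, plus any methods it proposed via NAK on the way.
func SelectedMethod(frames [][]byte) (uint8, []uint8, error) {
	var proposed []uint8
	for i, f := range frames {
		h, body, err := ParseEAPOL(f)
		if err != nil {
			return 0, nil, fmt.Errorf("frame %d: %w", i, err)
		}
		if h.Type != EAPOLEAPPacket { // EAPOL-Start/Logoff/Key carry no EAP packet
			continue
		}
		p, err := ParseEAP(body)
		if err != nil {
			return 0, nil, fmt.Errorf("frame %d: %w", i, err)
		}
		if p.Code != EAPResponse {
			continue
		}
		switch p.Type {
		case EAPTypeIdentity: // identity phase, not a method yet
		case EAPTypeNak:
			proposed = append(proposed, p.Data...)
		default:
			return p.Type, proposed, nil
		}
	}
	return 0, proposed, errors.New("no EAP method was selected")
}

// SampleExchange is a constructed EAPOL v2 negotiation: the server offers PEAP (25), the
// supplicant NAKs asking for EAP-TLS (13), the server re-offers EAP-TLS with the S (start)
// flag set, and the supplicant answers with an EAP-TLS response.
var SampleExchange = [][]byte{
	{0x02, 0x01, 0x00, 0x00},                                              // EAPOL-Start
	{0x02, 0x00, 0x00, 0x05, 0x01, 0x01, 0x00, 0x05, 0x01},                // Request/Identity, id 1
	{0x02, 0x00, 0x00, 0x08, 0x02, 0x01, 0x00, 0x08, 0x01, 'b', 'o', 'b'}, // Response/Identity "bob"
	{0x02, 0x00, 0x00, 0x06, 0x01, 0x02, 0x00, 0x06, 0x19, 0x20},          // Request type 25 (PEAP), id 2
	{0x02, 0x00, 0x00, 0x06, 0x02, 0x02, 0x00, 0x06, 0x03, 0x0d},          // Response/NAK: wants type 13
	{0x02, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x06, 0x0d, 0x20},          // Request type 13 (EAP-TLS), S flag
	{0x02, 0x00, 0x00, 0x06, 0x02, 0x03, 0x00, 0x06, 0x0d, 0x00},          // Response type 13: TLS data follows
}

func main() {
	m, naks, err := SelectedMethod(SampleExchange)
	fmt.Println(m, naks, err) // 13 [13] <nil>
}
```

In a real deployment the Request/Response pairs after the NAK carry the TLS handshake records fragmented across EAP-TLS packets; this example stops at the point where both sides have settled on method 13.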

EAP-TLS (EAP-Transport Layer Security) provides secure identity transactions for corporate mobile devices. It establishes an encrypted connection in much the same way that SSL/TLS secures the connection between a web browser and a secure website.

EAP-TLS has the advantage of being an open IETF standard and is considered universally supported. It uses X.509 certificates and supports mutual authentication, in which the client verifies the server's certificate and the server verifies the client's certificate. EAP-TLS is considered one of the most secure EAP types, since no password is ever submitted; a private key is still required at the endpoint.
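The mutual-authentication property described above is what the TLS layer inside EAP-TLS delivers: the endpoint checks that the authentication server's certificate chains to a trusted CA, and the server checks the same for the endpoint's certificate. The following added example (my own code, not Cisco's or ISE's) uses only the Go standard library to issue a constructed corporate root CA, a server certificate for a hypothetical ISE node named ise.example.test, and an endpoint certificate, then runs a TLS 1.2 handshake over loopback with client certificates required. With trustedClient=false the endpoint presents a certificate from an unrelated CA, which the server must reject. The handshake is plain TLS over TCP rather than TLS carried inside EAP packets, but the trust decisions are the same ones an EAP-TLS server makes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTemplate builds a minimal X.509 template; every name and serial used here is constructed.
func newTemplate(cn string, serial int64, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue generates a P-256 key pair and a certificate for tmpl signed by parent; a nil parent
// yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MutualHandshake runs one mutually authenticated TLS 1.2 handshake and returns the error
// each side observed (nil, nil on success). With trustedClient=false the endpoint's
// certificate comes from a CA the server does not trust, so the server refuses it.
func MutualHandshake(trustedClient bool) (clientErr, serverErr error) {
	corpCA, corpKey, err := issue(newTemplate("Corp Root CA", 1, true), nil, nil)
	if err != nil {
		return err, err
	}
	srvTmpl := newTemplate("ise.example.test", 2, false, x509.ExtKeyUsageServerAuth)
	srvTmpl.DNSNames = []string{"ise.example.test"} // the endpoint checks this name against ServerName
	srvCert, srvKey, err := issue(srvTmpl, corpCA, corpKey)
	if err != nil {
		return err, err
	}
	issuerCA, issuerKey := corpCA, corpKey
	if !trustedClient {
		if issuerCA, issuerKey, err = issue(newTemplate("Unrelated CA", 3, true), nil, nil); err != nil {
			return err, err
		}
	}
	cliCert, cliKey, err := issue(newTemplate("laptop-0042", 4, false, x509.ExtKeyUsageClientAuth), issuerCA, issuerKey)
	if err != nil {
		return err, err
	}
	trust := x509.NewCertPool()
	trust.AddCert(corpCA)
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // server must verify the endpoint's certificate
		ClientCAs:    trust,
		MaxVersion:   tls.VersionTLS12, // RFC 5216 EAP-TLS is profiled on TLS 1.2
	}
	cliConf := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
		RootCAs:      trust, // endpoint must verify the server's certificate
		ServerName:   "ise.example.test",
		MaxVersion:   tls.VersionTLS12,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		done <- tls.Server(raw, srvConf).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	return tls.Client(raw, cliConf).Handshake(), <-done
}

func main() {
	fmt.Println(MutualHandshake(true))  // <nil> <nil>
	fmt.Println(MutualHandshake(false)) // both sides report a handshake error
}
```

Two settings carry the whole security argument: tls.RequireAndVerifyClientCert with a ClientCAs pool limited to the corporate root, and RootCAs plus ServerName on the endpoint. Dropping either one turns mutual authentication into one-sided authentication, which is exactly the gap that rogue authentication servers or unmanaged endpoints would exploit.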

802.1X deployment comes in three modes, namely open mode, low-impact mode and closed mode. We will discuss these modes in our next article.