Wired 802.1X - LAN Port Security


What is Wired 802.1X?

Wired 802.1X is similar to using authentication on a wireless network.

Authentication credentials (with a Pre-Shared Key or 802.1X) are used on wireless networks because access to those networks is not easily controlled; otherwise an unauthorised user who is within range of the wireless network could easily gain access to an internal company network.

In an environment where an unauthorised user could have physical access to the router's LAN ports, such as a router installed at a teleworker's home, or anywhere the router's LAN ports cannot be physically secured, ensuring that only authorised users have access to the internal network over either a wired or wireless connection is equally important.

Wired 802.1X authentication can be performed using certificates on both the server and client (EAP-TLS) or with a username and password (PEAP). This usually requires a RADIUS server (Remote Authentication Dial-In User Service), but many DrayTek routers can operate as a RADIUS and 802.1X server using locally stored credentials from User Management accounts.

When a device is connected to a LAN port on the router with 802.1X authentication enabled, no traffic can pass through that port initially. The device is challenged to send authentication details, which the router passes on to the authentication server for validation; the server then returns either a "success" or "failure" response.

If the RADIUS Challenge and Response is successful, the router will then allow traffic to pass through that LAN port.

When the network cable is disconnected from that port, the port state resets and any device connected afterwards will need to provide authentication details. This means that if a laptop has been successfully authenticated, it would not be possible to gain access to the network by simply unplugging the laptop and immediately connecting a new device; that new device would be challenged to authenticate.

If the router receives no response to the authentication request, the port is shut down and cannot pass traffic.

If the authentication attempt fails, the LAN port is unable to pass traffic, so the connected device cannot communicate with the router or the local network while in this state.

It is not possible to bypass this protection with a switch or access point, because Wired 802.1X authentication will only allow a single device to authenticate on that port; any additional devices would be ignored by the router.
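As an added illustration (not DrayTek's own code), the following Python models the port behaviour described above: the port blocks all traffic until the first supplicant is challenged, a RADIUS accept opens it, a reject or no reply keeps it blocked, a second device on the same port is ignored, and disconnecting the cable resets the port. The `CREDENTIALS` table and `radius_check` function are assumed stand-ins for the RADIUS server or User Management lookup.

```python
"""Model of 802.1X port-based access control on a router LAN port.
Constructed illustration only; the credential store is a stand-in for
the RADIUS / User Management account check."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"  # link up, no supplicant authenticated yet
    AUTHORIZED = "authorized"      # RADIUS "success": traffic may pass
    HELD = "held"                  # "failure" or no reply: port stays blocked


# Hypothetical local account store standing in for the RADIUS backend.
CREDENTIALS = {"alice": "s3cret-pass"}


def radius_check(user: str, password: Optional[str]) -> Optional[bool]:
    """Return True (success), False (failure) or None (supplicant never answered)."""
    if password is None:
        return None
    return CREDENTIALS.get(user) == password


@dataclass
class Dot1xPort:
    state: PortState = PortState.UNAUTHORIZED
    supplicant_mac: Optional[str] = None  # the single device allowed to authenticate

    def link_down(self) -> None:
        """Unplugging the cable resets the port; the next device must re-authenticate."""
        self.state = PortState.UNAUTHORIZED
        self.supplicant_mac = None

    def authenticate(self, mac: str, user: str, password: Optional[str]) -> PortState:
        """Challenge the connected device and apply the server's verdict to the port."""
        if self.supplicant_mac is not None and mac != self.supplicant_mac:
            return self.state  # extra devices behind a switch are ignored, state unchanged
        self.supplicant_mac = mac
        verdict = radius_check(user, password)
        # Both a failure (False) and no response (None) leave the port blocked.
        self.state = PortState.AUTHORIZED if verdict else PortState.HELD
        return self.state

    def forwards(self, mac: str) -> bool:
        """Traffic passes only from the authenticated supplicant on an authorized port."""
        return self.state is PortState.AUTHORIZED and mac == self.supplicant_mac
```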

Port Security and VLANs

The VLAN facility on DrayTek routers gives additional flexibility, in that access to an internal or private network can be restricted to specific ports, which can then have Wired 802.1X enabled.

Other ports on the router that do not require Wired 802.1X authentication could be limited to accessing a guest VLAN network only, with Internet access but without access to company resources.