You are implementing remote access solutions to support employees traveling on business. They will connect mobile phones or laptops to corporate networks, on the road or in the hotel, via the unprotected public network. Which of the following is least likely used?
B. eXtensible Access Control Markup Language
C. IPSec VPN with tunnel mode
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. 802.1X.
Extensible Authentication Protocol (EAP)
EAP is not a wire protocol; it only defines message formats (Code, Identifier, Length, Type, Type-Data). Each protocol that carries EAP defines how to encapsulate EAP messages within its own messages: PPP, RADIUS, IEEE 802.1X (EAPOL) and, for VPNs, IKEv2.
EAP was originally an authentication extension for the Point-to-Point Protocol (PPP). It was created as an alternative to the Challenge-Handshake Authentication Protocol (CHAP) and the Password Authentication Protocol (PAP); the CHAP-style MD5 challenge survives inside EAP as EAP-MD5. The EAP extension to PPP was first defined in RFC 2284, now obsoleted by RFC 3748.
RADIUS stands for Remote Authentication Dial-In User Service and was developed to authenticate, authorize, and account for (AAA) users. RADIUS is a client/server protocol at the application layer. It was defined over UDP (RFC 2865; ports 1812 for authentication and 1813 for accounting); RADIUS over TCP (RFC 6613) and RADIUS over TLS (RadSec, RFC 6614) were added later. RADIUS is the usual back-end for 802.1X authentication.
RADIUS can encapsulate EAP messages in the EAP-Message attribute (RFC 3579). A Network Access Server (NAS) such as a switch or access point uses it to forward EAP packets between IEEE 802.1X supplicants and the AAA server, so the NAS never has to understand the EAP method itself.
IEEE 802.1X (Port-based Network Access Control) enables authenticated access to IEEE 802 media, including Ethernet, Token Ring, and 802.11 wireless LANs. It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802 frames, known as "EAP over LAN" or EAPOL (EtherType 0x888E).
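The two encapsulations described above, as an added example that is not part of the original post: the same EAP Identity request/response travels supplicant to authenticator inside an EAPOL frame body, and authenticator to AAA server inside RADIUS EAP-Message attributes. Field layouts follow RFC 3748, IEEE 802.1X and RFC 3579; EAPOL protocol version 2 and the identity `alice@example.com` are assumptions for the demo, and the RADIUS packet header and the Message-Authenticator attribute that RFC 3579 requires around EAP-Message are left out.

```python
import struct

# EAP packet header, RFC 3748 section 4: Code(1) Identifier(1) Length(2),
# followed by Type(1) and Type-Data for Request/Response packets.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

# EAPOL header, IEEE 802.1X: Protocol Version(1) Packet Type(1) Packet Body Length(2).
# Version 2 (802.1X-2004) is an assumption for the demo; EtherType is 0x888E.
EAPOL_VERSION = 2
EAPOL_EAP_PACKET = 0

# RADIUS attribute EAP-Message, RFC 3579: Type 79, Length covers the 2-byte attribute header.
RADIUS_EAP_MESSAGE = 79
RADIUS_ATTR_MAX_VALUE = 253


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Serialize one EAP packet. Success/Failure carry no Type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse an EAP packet, enforcing the Length field as RFC 3748 requires."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    body = pkt[4:length]          # octets past Length are padding and are ignored
    eap_type = body[0] if body else None
    return {"code": code, "id": identifier, "type": eap_type, "data": body[1:]}


def eapol_encapsulate(eap_pkt):
    """Supplicant <-> authenticator leg: EAP packet inside an EAPOL frame body."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap_pkt)) + eap_pkt


def eapol_decapsulate(frame_body):
    version, ptype, body_len = struct.unpack("!BBH", frame_body[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL frame is not an EAP-Packet (type %d)" % ptype)
    if body_len > len(frame_body) - 4:
        raise ValueError("EAPOL Packet Body Length exceeds frame")
    return frame_body[4:4 + body_len]


def radius_eap_message_attrs(eap_pkt):
    """Authenticator -> AAA server leg: the same EAP packet as EAP-Message attribute(s).
    An EAP packet longer than 253 octets is split across several attributes (RFC 3579)."""
    attrs = []
    for offset in range(0, len(eap_pkt), RADIUS_ATTR_MAX_VALUE):
        chunk = eap_pkt[offset:offset + RADIUS_ATTR_MAX_VALUE]
        attrs.append(struct.pack("!BB", RADIUS_EAP_MESSAGE, 2 + len(chunk)) + chunk)
    return b"".join(attrs)


def radius_reassemble_eap(attr_blob):
    """Concatenate the values of all EAP-Message attributes, in order."""
    out, pos = b"", 0
    while pos < len(attr_blob):
        atype, alen = attr_blob[pos], attr_blob[pos + 1]
        if alen < 2 or pos + alen > len(attr_blob):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_EAP_MESSAGE:
            out += attr_blob[pos + 2:pos + alen]
        pos += alen
    return out


def identity_exchange(identity=b"alice@example.com"):
    """Walk one EAP Identity round trip through both encapsulations and return
    the Response/Identity as the AAA server sees it after reassembly."""
    request = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)             # authenticator -> supplicant
    seen = parse_eap(eapol_decapsulate(eapol_encapsulate(request)))
    response = build_eap(EAP_RESPONSE, seen["id"], EAP_TYPE_IDENTITY,  # Identifier is echoed back
                         identity)
    on_the_wire = eapol_encapsulate(response)                          # supplicant -> authenticator
    to_aaa = radius_eap_message_attrs(eapol_decapsulate(on_the_wire))  # authenticator -> RADIUS
    return parse_eap(radius_reassemble_eap(to_aaa))


if __name__ == "__main__":
    print(identity_exchange())
```

Nothing in the EAP packet changes between the two legs; only the carrier does, which is why a NAS can forward methods it does not implement and why a VPN gateway can carry the identical bytes in IKEv2 instead of EAPOL.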
There are three roles in 802.1X authentication:
- Supplicant: software on the device requesting access (a laptop or phone, wired or Wi-Fi).
- Authenticator: the Ethernet switch port or Wi-Fi access point; it relays EAP between the supplicant (over EAPOL) and the authentication server (usually over RADIUS) and opens the port only after a successful result.
- Authentication Server: the server holding the authentication database, usually a RADIUS server such as Cisco ACS, Funk Steel-Belted RADIUS, or Microsoft IAS.
EAP over LAN (Wired)
EAP for Wireless
IPsec
- Tunnel Mode encapsulates the entire original IP packet, header and payload, inside a new IP packet addressed between the security gateways (or between a remote client and the gateway). It supports gateway-to-gateway and remote-access VPNs and, with UDP encapsulation (RFC 3948), NAT traversal.
- Transport Mode keeps the original IP header and protects only the payload. It is used host-to-host or to protect another tunneling protocol, e.g. L2TP in L2TP/IPsec.
- AH provides integrity and origin authentication but no confidentiality, and its integrity check covers the IP header, so it does not survive NAT; ESP provides confidentiality and, optionally, integrity and authentication, and is what remote-access VPNs use.
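The two modes side by side, as an added example that is not part of the original post: the same inner IPv4 packet is protected by ESP in transport mode (original header kept, Next Header = the original protocol) and in tunnel mode (whole packet wrapped, new outer header with the gateway addresses, Next Header = 4 for IP-in-IP). To keep the framing readable, the example uses ESP with NULL encryption (RFC 2410) and an HMAC-SHA-256-128 integrity check (RFC 4868), i.e. integrity only; a real SA would also encrypt the payload and trailer. The key, addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP = 4, 17, 50
KEY = b"constructed-demo-key-not-for-use"   # constructed sample SA key


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


def esp_encapsulate(spi, seq, payload, next_header, auth_key):
    """ESP (RFC 4303): SPI, Sequence, payload, padding, Pad Length, Next Header, ICV.
    NULL encryption (RFC 2410) + HMAC-SHA-256-128 (RFC 4868): integrity only."""
    pad_len = (-(len(payload) + 2)) % 4      # right-align Pad Length/Next Header on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))   # RFC 4303 default padding bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:16]
    return body + icv


def esp_decapsulate(esp, auth_key):
    body, icv = esp[:-16], esp[-16:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:-2 - pad_len]


def transport_mode_send(ip_pkt, spi, seq, key):
    """Transport mode: keep the original IP header, protect only its payload."""
    src, dst, proto, payload = parse_ipv4(ip_pkt)
    return build_ipv4(src, dst, IPPROTO_ESP, esp_encapsulate(spi, seq, payload, proto, key))


def tunnel_mode_send(ip_pkt, spi, seq, key, gw_src, gw_dst):
    """Tunnel mode: the whole original packet is the ESP payload; the new outer
    header carries the gateway addresses and Next Header = 4 (IP-in-IP)."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP,
                      esp_encapsulate(spi, seq, ip_pkt, IPPROTO_IPIP, key))


def receive(outer_pkt, key):
    """Strip ESP from either mode; return (next_header, recovered inner packet)."""
    src, dst, proto, esp = parse_ipv4(outer_pkt)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _, _, next_header, payload = esp_decapsulate(esp, key)
    if next_header == IPPROTO_IPIP:
        return next_header, payload                                  # tunnel: full inner packet
    return next_header, build_ipv4(src, dst, next_header, payload)   # transport: rebuild original


if __name__ == "__main__":
    # constructed sample: an inner packet from the traveller's host to an internal server
    inner = build_ipv4("10.1.1.5", "10.2.2.9", IPPROTO_UDP, b"hello from the hotel")
    tunnel = tunnel_mode_send(inner, 0x1000, 1, KEY, "198.51.100.7", "203.0.113.1")
    transport = transport_mode_send(inner, 0x1000, 2, KEY)
    print("tunnel outer:", parse_ipv4(tunnel)[:3], "next header", receive(tunnel, KEY)[0])
    print("transport outer:", parse_ipv4(transport)[:3], "next header", receive(transport, KEY)[0])
```

The tunnel-mode outer header shows only the two public gateway addresses, which is what hides the internal addressing from the hotel network; the transport-mode packet still carries the internal source and destination in the clear.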
XACML stands for “eXtensible Access Control Markup Language”. The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.
XACML is primarily an attribute-based access control system (ABAC), where attributes (bits of data) associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way.
For example, VPN access can be authorized only when all of the following attribute rules hold:
- Country equals Taiwan,
- Department is Sales,
- Seniority is greater than 1 year, and
- Connection time is during office hours.
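The four criteria above as a small attribute-based policy, added here as an example that is not part of the original post and not XACML's XML syntax. It follows the XACML processing model in miniature: a request carries subject, resource, action and environment attributes; the PDP checks the policy target, evaluates each rule's condition, and merges the rules' effects with a deny-overrides combining algorithm; the PEP treats anything other than Permit as a refusal. Office hours (09:00 to 18:00, Monday to Friday, in the user's local time), the attribute names and the sample users are assumptions.

```python
from datetime import datetime


def during_office_hours(env):
    # Assumption for the demo: 09:00-18:00, Monday to Friday, local time.
    t = env["time"]
    return t.weekday() < 5 and 9 <= t.hour < 18


# Constructed policy modelled on the four criteria. Each rule has an effect and a
# condition over (subject attributes, environment attributes).
POLICY = {
    "id": "vpn-remote-access",
    "target": {"resource": "vpn", "action": "connect"},   # the policy applies only to this pair
    "rule_combining": "deny-overrides",
    "rules": [
        {"id": "deny-outside-office-hours", "effect": "Deny",
         "condition": lambda s, e: not during_office_hours(e)},
        {"id": "permit-taiwan-sales-over-one-year", "effect": "Permit",
         "condition": lambda s, e: (s["country"] == "Taiwan"
                                    and s["department"] == "Sales"
                                    and s["seniority_years"] > 1)},
    ],
}


def evaluate(policy, request):
    """PDP: return Permit, Deny, NotApplicable or Indeterminate (XACML's four decisions).
    Simplified deny-overrides: any applicable Deny wins; an error evaluating a rule
    yields Indeterminate."""
    target = policy["target"]
    if request["resource"] != target["resource"] or request["action"] != target["action"]:
        return "NotApplicable"
    effects = []
    for rule in policy["rules"]:
        try:
            if rule["condition"](request["subject"], request["environment"]):
                effects.append(rule["effect"])
        except (KeyError, TypeError):   # missing or malformed attribute
            return "Indeterminate"
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def pep_allow(decision):
    """Deny-biased PEP: only an explicit Permit opens the tunnel."""
    return decision == "Permit"


def vpn_request(subject, when, resource="vpn", action="connect"):
    """Build the request context the PEP hands to the PDP."""
    return {"subject": subject, "resource": resource, "action": action,
            "environment": {"time": when}}


if __name__ == "__main__":
    # constructed sample users and times (2024-03-05 is a Tuesday, 2024-03-09 a Saturday)
    alice = {"country": "Taiwan", "department": "Sales", "seniority_years": 3}
    bob = {"country": "Taiwan", "department": "Sales", "seniority_years": 0.5}
    for who, name in ((alice, "alice"), (bob, "bob")):
        for when in (datetime(2024, 3, 5, 10, 30), datetime(2024, 3, 9, 10, 30)):
            d = evaluate(POLICY, vpn_request(who, when))
            print(name, when, d, "-> allow" if pep_allow(d) else "-> refuse")
```

Note the difference between bob on a Tuesday (NotApplicable: no rule matched, so the deny-biased PEP refuses) and alice on a Saturday (an explicit Deny that overrides her matching Permit); both refuse the connection, but an audit log should record which one happened.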
- 802.1X (EAPOL) carries EAP over a LAN link (802.3 or 802.11) to control access at a switch port or access point. A traveling employee has no such link to the corporate network; the hotel or carrier network is not under the company's control, so 802.1X is not what protects the remote connection.
- VPN authentication can be completed using EAP without 802.1X: IKEv2 carries EAP in its IKE_AUTH exchange (RFC 7296), and L2TP/IPsec carries it in PPP. An IPsec VPN in tunnel mode protects the traffic across the public network, and an XACML-style attribute-based policy can then decide whether the authenticated user may connect.