
Using 802.1x Port Authentication To Control Who Can Connect To Your Network

Author: Colin Weaver Company: ITdojo, Inc. Last Revision: 1/31/05

On more than one occasion I have been asked something along the lines of, “How do I keep people from bringing their own personal equipment into the office and connecting it to the network?” It’s a common problem and I hear it from a lot of admins from all walks of life.

Since most of us live in a DHCP world it’s particularly difficult to keep rogue devices off our network. In the simplest scenario all a user has to do is bring in a hub or switch from home and connect it to the drop that normally goes to their PC. After that they can connect pretty much whatever they want and, since you’re running DHCP in your shop, you happily (though unknowingly) give them an IP address. Despite having signed their understanding of the corporate security policy when they joined your company, users couldn’t care less whether the network is secure. All they really want is for the network to work without problems and in a way that’s convenient for them, which includes being allowed to add their own devices to the network. Here are a few scenarios to illustrate the problem:


Scenario #1:

Normal network with a user PC connected to an Ethernet switch. The user PC obtains an IP address from the DHCP server when it enters the network. All is right in the world.


Scenario #2:

User brings in his own switch or hub and connects it to the network in place of his company PC. The user then connects his personal laptop and the company PC to the hub. Both the company PC and the personal laptop obtain an IP address from the DHCP server. The user’s personal laptop is now on the network. Here’s a list of some of the bad things that could happen:

  • User could steal data from the network by copying it directly to his laptop
  • User laptop could be infected with a virus/worm that could infect your network
  • User could install software from network shares (software piracy and licensing issues)
  • User could waste their day playing games
    • Don’t get me wrong, games are important. I would, however, get pissed if I was paying someone $50/hr. to play them.
  • User could make use of protocols and/or programs that are in direct violation of corporate security policy (yeah, like we all actually have those things written out)
  • Blah, blah, blah… and on and on and on. You get the point.

Scenario #3:

Perhaps the worst possible scenario is when a user brings in his own wireless access point (AP) so he can have wireless connectivity with his personal laptop while at work. If you haven’t already experienced this in your own shop, you will. This is becoming increasingly common and the users usually put these in without any form of protection at all; no WEP, no TKIP, nothing. Just an open access point with no encryption required. This scenario makes not only the user’s laptop a DHCP client but it also makes every knucklehead within RF (radio frequency) range of the AP a potential DHCP client. The potential for something bad happening shouldn’t have to be spelled out for you on this one. If it does, drop me an email (colin(a) and we’ll chat.

Here’s a list of all the bad things that could happen:

  • Everything from Scenario #2, but now it applies to anybody in the area who has a wireless network card in their laptop, PDA, etc. At least your users actually work for you. Now you’ve got Laurie from the accounting firm next door connected to your network (and she probably doesn’t even know it). It is very common for unwitting users to associate with the wrong access point and not realize there is a problem. You’re severely screwed if someone comes by who knows what they’re doing and what they’re looking for.

There are a variety of ways to prevent these situations from happening. It is likely that you will deploy multiple solutions so that a lapse in one does not allow something like this to happen (i.e., defense in depth). Some (no, not all) ideas that come quickly to mind on how to mitigate the likelihood of this happening are:
  • Strong physical security
    • Physical inspection of user work area on a regular basis
    • RF inspection of the area on a regular basis (rogue access point detection). You should do this even if you don’t have wireless connectivity as part of your normal network.
  • A corporate security policy with some teeth.
    • If only we could say, “Pull some shit like this and you’re fired…”, to our employees. Alas, the old phrase, “…disciplinary action up to and including the possibility of termination”, will have to suffice for most of us. It sucks that saying what you really mean isn’t kosher.
  • Port security using a maximum number of MAC addresses per port (for example, one MAC per port on access-layer switches).
    • By defining a maximum number of MAC addresses per physical port, especially on access layer switches, you can greatly reduce the likelihood that an uneducated user will be able to make use of your network in ways you don’t see fit.
  • Port security using 802.1x authentication
    • By requiring devices connected to ports to authenticate to an authentication server (RADIUS or TACACS+) before being allowed to transmit frames you can also greatly reduce the likelihood that a user will be able to insert a rogue device.
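To make the per-port MAC limit concrete, here is an added example (not code from the original article) that simulates how an access-layer switch enforces it: each port learns source MACs up to a maximum, and a frame from any new MAC beyond that is a violation that err-disables the port. The port names, MAC addresses and frame log are constructed sample data; Gi0/2 plays the hub from Scenario #2.

```python
"""Simulate switch port security with a per-port MAC limit (added example).

Models the 'shutdown' violation mode: once a port has learned its maximum
number of source MACs, a frame from a new MAC disables the port entirely.
All ports, MACs and frames below are constructed sample data.
"""
from collections import defaultdict

MAX_MACS_PER_PORT = 1   # one MAC per access port, as the article suggests


class PortSecuritySwitch:
    def __init__(self, max_macs=MAX_MACS_PER_PORT):
        self.max_macs = max_macs
        self.learned = defaultdict(set)   # port -> learned source MACs
        self.err_disabled = set()         # ports shut down by a violation
        self.violations = []              # (port, offending MAC)

    def receive(self, port, src_mac):
        """Process one inbound frame; return True if it is forwarded."""
        src_mac = src_mac.lower()
        if port in self.err_disabled:
            return False                  # port is down; drop everything
        if src_mac in self.learned[port]:
            return True                   # known MAC, normal traffic
        if len(self.learned[port]) < self.max_macs:
            self.learned[port].add(src_mac)   # learn the first MAC(s)
            return True
        # Limit already reached and this is a new MAC: violation
        self.violations.append((port, src_mac))
        self.err_disabled.add(port)
        return False


# Constructed frame log: (port, source MAC). Gi0/1 is a normal user PC;
# Gi0/2 is Scenario #2, a hub carrying the company PC and a personal laptop.
SAMPLE_FRAMES = [
    ("Gi0/1", "00:11:22:33:44:01"),
    ("Gi0/1", "00:11:22:33:44:01"),
    ("Gi0/2", "00:11:22:33:44:02"),   # company PC behind the hub
    ("Gi0/2", "de:ad:be:ef:00:01"),   # personal laptop -> violation
    ("Gi0/2", "00:11:22:33:44:02"),   # company PC is now cut off too
]


def run(frames=SAMPLE_FRAMES, max_macs=MAX_MACS_PER_PORT):
    """Replay the frame log; return (forwarded flags, disabled ports, violations)."""
    sw = PortSecuritySwitch(max_macs)
    forwarded = [sw.receive(port, mac) for port, mac in frames]
    return forwarded, sorted(sw.err_disabled), sw.violations
```

Note that the shutdown mode also takes the legitimate company PC offline, which is exactly the help-desk ticket that tells you a user plugged in a hub.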

The purpose of this article is to explore the latter option: using 802.1x authentication. I’ll save the other topics for a different day.
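As an added illustration of the 802.1x option (example code, not from the article or any vendor), the model below shows a single switch port acting as authenticator: while the port is unauthorized it passes only EAPOL frames (EtherType 0x888E), so a DHCP request from a rogue laptop never reaches the LAN; the port opens only after the authentication server returns an accept. The RADIUS server is a constructed stand-in (an identity/secret table rather than a real EAP method), and the identities and secrets are made up.

```python
"""Model of 802.1X port-based access control on one switch port (added example).

The RADIUS server is a constructed stand-in: a table of identity -> secret,
checked with a constant-time compare, standing in for a real EAP method.
"""
import hmac

EAPOL_ETHERTYPE = 0x888E   # the only EtherType allowed on an unauthorized port
IPV4_ETHERTYPE = 0x0800    # DHCP/IP traffic, blocked until authorized

# Constructed stand-in for the RADIUS user database
RADIUS_USERS = {"corp-pc-0042": "constructed-secret"}


def radius_access_request(identity, secret):
    """Stand-in for a RADIUS Access-Request; returns the server's verdict."""
    expected = RADIUS_USERS.get(identity)
    if expected is not None and hmac.compare_digest(expected, secret):
        return "Access-Accept"
    return "Access-Reject"


class Dot1xPort:
    def __init__(self):
        self.state = "unauthorized"
        self.log = []   # the authenticator's view of the exchange

    def forward(self, ethertype):
        """Return True if a frame of this EtherType may pass the port."""
        return self.state == "authorized" or ethertype == EAPOL_ETHERTYPE

    def authenticate(self, identity, secret):
        """Run the authenticator side of the exchange; return the port state."""
        self.log += ["EAPOL-Start", "EAP-Request/Identity",
                     f"EAP-Response/Identity={identity}"]
        verdict = radius_access_request(identity, secret)
        self.log.append(f"RADIUS {verdict}")
        self.state = "authorized" if verdict == "Access-Accept" else "unauthorized"
        self.log.append("EAP-Success" if self.state == "authorized" else "EAP-Failure")
        return self.state


def demo():
    """A rogue laptop fails, then the company PC authenticates on the same port."""
    port = Dot1xPort()
    before = port.forward(IPV4_ETHERTYPE)                      # DHCP dropped
    rogue = port.authenticate("personal-laptop", "guess")      # rejected
    after_rogue = port.forward(IPV4_ETHERTYPE)                 # still dropped
    corp = port.authenticate("corp-pc-0042", "constructed-secret")
    after_corp = port.forward(IPV4_ETHERTYPE)                  # now forwarded
    return before, rogue, after_rogue, corp, after_corp
```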