How to do 802.1x hacks for port security for physical access and IP video – and how to get around it!
First we need to take a look at what 802.1x actually is; then we show how to get around it.
What is 802.1x?
802.1x security allows port-based access control – essentially answering how a user can join, and be authorized to join, a network before they get an IP address. Here is a great 802.1x whitepaper, and TP-Link has a great instruction on how to build up 802.1x access authentication.
Needless to say, there are hacks regarding building management systems and other 802.1x hacks where credentials are obtained using a rogue AP and a RADIUS server.
I’d say most of them can be avoided by proper setup. Bosch explains how to secure the edge of the network, and Computerworld provides a good overview of how 802.1x works.
How does 802.1x work?
Basically there are four parts:
Supplicant (the client device asking to join the network)
Authenticator (allows access to the network, e.g. the switch port)
Authentication Server (decision maker, e.g. a RADIUS server)
User Database (SecurID, Active Directory)
Untrusted and trusted are clearly differentiated through the authenticator. That means an untrusted source can send a lot of data to the trusted source. This video really explains it well: https://www.youtube.com/watch?v=5trx84tn-qQ
At the core of 802.1x is EAP – the Extensible Authentication Protocol – which comes in four standards:
These four methods provide mutual authentication, which limits man-in-the-middle threats by authenticating the server to the client in addition to the client to the server. Furthermore, these EAP methods produce keying material, which can be used to generate dynamic WEP keys.
They talk to a RADIUS server – Remote Authentication Dial-In User Service. It solves:
Key discovery, by changing keys often and using different keys for each client
Rogue APs and man-in-the-middle attacks, by performing mutual device authentication
Unauthorized access, by authenticating users and computers
It does not solve: packet and disassociation spoofing, because 802.1x doesn’t use a keyed MIC.
How to get around 802.1x and avoid it
Could we get around 802.1x using MAC locking or MAC-based authentication? EAP is far more secure than MAC locking. An attacker could find the device’s MAC address, e.g. by snooping traffic, and then fake it on a laptop. He can’t fake EAP traffic, even if he captures a valid session start, because each authentication is a fresh challenge that a captured response does not satisfy. So we shouldn’t use MAC locking as an alternative.
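To make the two points above concrete – the four-party exchange in "How does 802.1x work?" (supplicant, authenticator, authentication server, user database) and why MAC locking is weaker than EAP – here is an added simulation that is not part of the original post or of any vendor's product. It models the authenticator as a switch port that drops everything except EAPOL until the authentication server answers with success, and contrasts it with a MAC-locked port that only looks at the source address. The challenge-response is a toy HMAC scheme standing in for a real EAP method; the identity `camera-01`, its secret, the MAC addresses and the user database are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed user database: identity -> shared secret.  A real deployment would
# hold certificates or password hashes in SecurID / Active Directory.
USER_DB = {"camera-01": b"constructed-secret-for-camera-01"}


@dataclass
class Frame:
    """A minimal Ethernet frame as seen by the switch port."""
    src_mac: str
    ethertype: str               # "EAPOL" (802.1x) or "IP" (ordinary traffic)
    payload: dict = field(default_factory=dict)


class AuthServer:
    """RADIUS-style decision maker: hands out a fresh nonce per attempt and
    verifies the supplicant's response against the user database."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}        # identity -> nonce of the current attempt

    def challenge(self, identity):
        nonce = secrets.token_bytes(16)
        self.pending[identity] = nonce
        return nonce

    def verify(self, identity, response):
        nonce = self.pending.pop(identity, None)   # one-shot: nonce is consumed
        key = self.user_db.get(identity)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Supplicant:
    """The client device (here: an IP camera) that wants onto the network."""

    def __init__(self, identity, key, mac):
        self.identity, self.key, self.mac = identity, key, mac

    def respond(self, nonce):
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class Dot1xPort:
    """Authenticator: the port stays unauthorized until the server accepts.
    Before that, only EAPOL frames are processed; all other frames are dropped."""

    def __init__(self, server):
        self.server = server
        self.authorized = False
        self.identity = None

    def receive(self, frame):
        if frame.ethertype != "EAPOL":
            return "FORWARD" if self.authorized else "DROP"
        msg = frame.payload
        if msg["type"] == "EAPOL-Start":
            return {"type": "EAP-Request/Identity"}
        if msg["type"] == "EAP-Response/Identity":
            self.identity = msg["identity"]
            nonce = self.server.challenge(self.identity)   # RADIUS Access-Request
            return {"type": "EAP-Request/Challenge", "nonce": nonce}
        if msg["type"] == "EAP-Response/Challenge":
            if self.server.verify(self.identity, msg["response"]):  # Access-Accept
                self.authorized = True
                return {"type": "EAP-Success"}
            return {"type": "EAP-Failure"}                          # Access-Reject
        return {"type": "EAP-Failure"}


class MacLockedPort:
    """Contrast: MAC-based authentication forwards anything from an allowed address."""

    def __init__(self, allowed_macs):
        self.allowed = set(allowed_macs)

    def receive(self, frame):
        return "FORWARD" if frame.src_mac in self.allowed else "DROP"


def run_demo():
    """Walk through: pre-auth drop, a full EAP exchange, a replayed response on a
    new session, and the same MAC address against a MAC-locked port."""
    server = AuthServer(USER_DB)
    cam = Supplicant("camera-01", USER_DB["camera-01"], "00:11:22:33:44:55")
    results = {}

    port = Dot1xPort(server)
    results["ip_before_auth"] = port.receive(Frame(cam.mac, "IP"))

    port.receive(Frame(cam.mac, "EAPOL", {"type": "EAPOL-Start"}))
    req = port.receive(Frame(cam.mac, "EAPOL",
                             {"type": "EAP-Response/Identity", "identity": cam.identity}))
    captured_response = cam.respond(req["nonce"])      # what a sniffer on the wire would see
    res = port.receive(Frame(cam.mac, "EAPOL",
                             {"type": "EAP-Response/Challenge", "response": captured_response}))
    results["eap_result"] = res["type"]
    results["ip_after_auth"] = port.receive(Frame(cam.mac, "IP"))

    # New port session using the camera's MAC and the previously captured response:
    # the server issued a fresh nonce, so the old response no longer verifies.
    port2 = Dot1xPort(server)
    port2.receive(Frame(cam.mac, "EAPOL", {"type": "EAPOL-Start"}))
    port2.receive(Frame(cam.mac, "EAPOL",
                        {"type": "EAP-Response/Identity", "identity": cam.identity}))
    res = port2.receive(Frame(cam.mac, "EAPOL",
                              {"type": "EAP-Response/Challenge", "response": captured_response}))
    results["replay_result"] = res["type"]

    # Same source MAC against a MAC-locked port: the address alone is enough.
    results["mac_lock_same_mac"] = MacLockedPort({cam.mac}).receive(Frame(cam.mac, "IP"))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The `pending.pop` in `AuthServer.verify` is what makes the replay fail: a nonce is consumed by the first verification attempt and every new session gets a new one, which is the property the toy scheme shares with real EAP methods and which MAC locking lacks entirely.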
What we suggest is: configure the Ethernet port to tag a VLAN just for that device; on the router, allow that VLAN to exit to the internet only on the specific port. That should be enough to securely authenticate that device on the network.