Logically Tunneled

Mapping of Devices and Users

The safe and reliable assignment of users and devices to the correct VLAN enhances security and allows for unique authentication and authorization of users. A node is authenticated by the authenticator at the network access point, a physical port on the corporate network, a VLAN, or a WiFi using this method. The authenticator checks the credentials submitted by the node by means of an authentication server and allows access to the services offered by the authenticator (LAN, VLAN, or WiFi) or rejects access. An endpoint is only capable of communication within the allocated network resources after authorization.

The standard recommends the Extensible Authentication Protocol (EAP) or the PPP EAP TLS authentication protocol. Generally, the services of the authentication server are provided by the RADIUS server (Figure 2). The network access port is a connection point between the supplicant and the unit to which it wants access. IEEE 802.1X envisages three possible network access types for the supplicant:

• force-unauthorized: Blocks any access of the supplicant. It does not matter whether the supplicant successfully authenticates.
• force-authorized: Access is always granted to the supplicant. It is not important whether the supplicant can authenticate against the authenticator.
• auto: Requires successful authentication of the supplicant. Once the supplicant has successfully authenticated, access is granted, otherwise access is blocked.

Figure 2: Which user belongs where? Authentication via EAP mostly relies on RADIUS.

One big advantage in the use of IEEE 802.1X is RADIUS Access-Accept messages from the authentication server to the authenticator. RFCs 2869 and 3579 (RADIUS Extensions) describe a large set of attributes provided by the authentication server to the authenticator. Three interesting attributes here are Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID. At the end of RADIUS authentication, the RADIUS server sends an Access-Accept message to the Network Access Server (NAS). If these three attributes are appended to the Access-Accept message, the NAS can now add the supplicant to a VLAN. The VLAN ID is delivered in the attribute Tunnel-Private-Group-ID of the response package.

Conclusions

In this article, I looked at the technical details of VLANs, which help to set up logical network segments. The devices and services are separated at the software and hardware level thanks to network virtualization, and the data streams can be transmitted in parallel. However, VLANs do not provide truly comprehensive security and must be supplemented by additional security measures, where needed.