802.1x

by David Lover | Arrow Systems Integration

It’s been a while since I’ve gone geek. I’ve got the itch. So, this week we’re going to talk about 802.1x, which is a port level authentication used on Ethernet Switches. A LOT of customers have been bringing this up in conversations lately. So, this is a timely topic. I’m a little surprised, actually, about how much it’s coming up. It wasn’t a very common thing not so long ago. But we’re definitely seeing more customers asking about our support of it in the telephony world. The good news is that Avaya’s data gear and IP Phones fully support 802.1x. So, let’s dive in and give you the details so that you can have an appropriately intelligent conversation about it. What’s really important is that Avaya supports it better than a lot of their competition.

First, a little background. There are a number of ways to look at security on a data network. Most people first think of the usernames and passwords they use to access their computer. Think of this as an Operating System level authentication. Its main purpose is to prevent people who have gained physical access to your PC from being able to access your stuff. This has obviously been expanded since most PCs have various ways to access them remotely. This also applies to the applications and application services that the PC is running. Next, we think of the usernames and passwords that are used to access network resources, such as your email server, or file servers, etc. Microsoft has done a fantastic job over the years to facilitate the coordination of those passwords. From a central management point, called a Domain Controller, we can use a user directory (i.e., Active Directory) to authenticate a user. The system will make sure that the password used to access resources is synchronized to the one tied to the user’s PC. This is what makes it so you don’t have to re-type your password with every new Microsoft Server you want to access.

The problem is that most businesses don’t have 100% Microsoft products. You have a lot of other vendors of hardware and software out there. Often, those other resources don’t integrate to Active Directory. And while this isn’t necessarily a bad thing, it does mean that the network administrators now have a concern that some rogue networked resource may not have the best security (i.e., unencrypted data, a lack of strong passwords, hackable protocols, etc.). Don’t read that to mean that a Microsoft infrastructure is more secure than a non-Microsoft infrastructure. Hardly. BUT, Microsoft does offer administrators very powerful tools such as Group Policy, Asset Managers, and Configuration Managers, to enforce adherence to desired policies and versioning as it relates to user and server deployments. BUT, it raises the question of “Are we as secure as we should be?” It’s at this point that network guys realize that if some bad guy were able to get on the data network, it is possible that they could hack into our servers. This is where Layer 2 security comes in. If I could force a device to authenticate to the Ethernet switch itself, a bad guy would never even get on the network to be able to hack into anything. You may say that your Ethernet ports are physically secure and this becomes a non-issue. This is false. Even a simple example of a lobby phone invalidates that assumption. It is possible that a hacker could walk into your lobby, unplug the Ethernet cable from the phone in that lobby, and plug it into their PC. They’re in. Let the hacking begin. Do we believe that the receptionist will be bored enough to be paying attention to this? Or could tell the difference between normal lobby activity and a hacking event? I’d say no on both questions.

802.1x lives at Layer 2, meaning that it is an Ethernet Switch concept. Ethernet switches can be programmed to block all traffic on a specific port until a user authenticates to the port itself. Without Layer 2 connectivity, you can’t work your way up to Layer 3 (IP Addresses), to Layer 4 (Network Transport), or all the way up to the final destination of the Application Layer at Layer 7. There are other ways to provide port-level security at Layer 2, but they’re very painful. For example, just about every Ethernet Switch on the planet allows you to permit only a specific MAC address on a port. A MAC address is that crazy 48-bit, burned-in, hard-coded number that EVERY Ethernet-connected device has. It tends to look something like 00:12:FA:44:3C:1B. You can even tell most switches to automatically learn the MAC address of the first device that gets plugged into a port, and never learn another one until the administrator resets the learning process of that port. But again, this is hardware oriented, very manual, not easy to maintain, and does not let a user move their device from one place to another. Mobility grinds to a halt.

802.1x blends the hardware side of this with a user-level authentication. However, this requires the hardware device (like a PC, or an IP Phone, or anything) to know how to talk 802.1x. If it does, it is called the Supplicant. Think of the Supplicant as the Client side of the process that attempts to authenticate to the Server side of the process. The server side of this negotiation is called the Authenticator. So, the Supplicant authenticates to the Authenticator. Now, it is unlikely that an administrator would want to program a bunch of user accounts into an Ethernet Switch. Or worse, each user on every one of your Ethernet switches. For this reason, we usually tell the Ethernet Switch to go check with an external user directory to validate the user’s credentials. In 802.1x terms, this external user directory is called the Authentication Server. Almost everyone uses RADIUS Servers for this. RADIUS stands for Remote Authentication Dial-In User Service. Don’t worry about the “Dial-In” part of this. It just shows how old this protocol really is. It works great for all modern connectivity. Some companies will actually set up a standalone RADIUS server. But, this usually means separate usernames and passwords that need to be remembered by your users. Most companies will simply run a service on their Active Directory servers that allows them to respond to RADIUS requests, authenticating them against the same user directory that you would log into your PC with. Prior to Windows Server 2008, this plug-in was called Internet Authentication Service. As of Windows Server 2008, it is now called the Network Policy Server. It’s a “free” component that you can turn on, on any licensed Windows Server.

As I mentioned earlier, for this to work, each device on the network will need to support 802.1x. This includes all the PCs. This is easy. Windows XP, Vista, 7, and 8 all have built-in 802.1x support. But the IP Phones will need it too. The good news is that all of Avaya’s IP Phones support 802.1x. The only exception is that the Flare ADVD A175 only supports it on the wireless interface, NOT the wired interface. Avaya’s IP Phones are even smart enough to allow 802.1x Supplicant Pass-through. This means that the PC that connects to the network through the IP Phone can have its 802.1x credentials passed seamlessly to the Ethernet switch. This is not a common feature. In fact, most of Cisco’s endpoints don’t do this. Instead, they use the phone as the only supplicant, and once authenticated, will allow any device connected behind it to pass through without a separate authentication. YIKES!!! The reason they do it this way is that many of the Cisco Switches (i.e., the switches playing the role of Authenticator) don’t even support multiple supplicants per port. Avaya’s network gear DOES (see https://devconnect.avaya.com/public/download/interop/ERS8021x.pdf). The Avaya gear is able to keep track of separate 802.1x Supplicants (i.e., PC and IP Phone) connected to a single port. This is a big deal. To be truly secure in a Cisco environment, you need a separate port for the PC and for the IP Phone. You’ve just doubled the cost of your networking infrastructure. Avaya’s IP Phones actually have multiple Supplicant Pass-through modes. So, if needed, they can act more like a Cisco phone that will authenticate and then pass through the PC data without a second supplicant, simply to support those Cisco switches that don’t know how to do it.
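To make the three roles and the two port modes concrete, here is an added Python model of the exchange described in the last three paragraphs. It is illustrative code written for this post, not Avaya’s or any switch vendor’s software: the switch (Authenticator) drops everything but EAPOL until a Supplicant has been accepted by the Authentication Server (RADIUS), and a port can run either in a single-supplicant "multi-host" mode, where the phone’s authentication opens the port for whatever sits behind it, or in a per-MAC "multi-supplicant" mode, where the PC relayed through the phone must pass its own exchange. The directory, MAC addresses, identities and passwords are all constructed sample values, and the mode names, class names and the sticky-MAC comparison port are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user directory standing in for Active Directory behind RADIUS/NPS.
DIRECTORY = {"alice": "correct horse", "lobby-phone-01": "phone-secret"}


class AuthenticationServer:
    """The RADIUS role: the switch stores no users; it asks here."""

    def __init__(self, directory):
        self.directory = directory

    def access_request(self, identity, password):
        if self.directory.get(identity) == password:
            return "Access-Accept"
        return "Access-Reject"


@dataclass
class Device:
    mac: str
    identity: Optional[str] = None   # None: the device cannot speak 802.1X at all
    password: Optional[str] = None


class SwitchPort:
    """The Authenticator role: a port that forwards only EAPOL until authorized.

    mode="multi-host":       one accepted supplicant opens the port for every MAC
                             behind it (the phone-only style described above).
    mode="multi-supplicant": each MAC must pass its own EAP exchange (assumed name).
    """

    def __init__(self, auth_server, mode="multi-supplicant"):
        self.auth_server = auth_server
        self.mode = mode
        self.authorized = set()   # MACs allowed to send normal traffic
        self.log = []             # the exchange, for inspection

    def eapol(self, device):
        """EAPOL-Start -> EAP Identity Request/Response -> RADIUS Access-Request."""
        if device.identity is None:
            self.log.append(f"{device.mac}: no supplicant, EAPOL never starts")
            return False
        self.log.append(f"{device.mac}: EAP-Response/Identity {device.identity}")
        verdict = self.auth_server.access_request(device.identity, device.password)
        self.log.append(f"{device.mac}: RADIUS {verdict}")
        if verdict == "Access-Accept":
            self.authorized.add(device.mac)
            return True
        return False

    def forwards(self, device):
        """Would a normal (non-EAPOL) frame from this MAC be forwarded?"""
        if self.mode == "multi-host":
            return bool(self.authorized)
        return device.mac in self.authorized

    def link_down(self):
        """Unplugging the cable clears the port state; re-authentication is required."""
        self.authorized.clear()


class MacLockedPort:
    """The older alternative from the MAC-address paragraph: sticky-learn the first MAC."""

    def __init__(self):
        self.learned = None

    def forwards(self, device):
        if self.learned is None:
            self.learned = device.mac
        return device.mac == self.learned


def rogue_laptop_replaces_lobby_phone(mode):
    """The lobby scenario: phone is authenticated, then its cable is moved to a laptop."""
    port = SwitchPort(AuthenticationServer(DIRECTORY), mode)
    phone = Device("00:12:FA:44:3C:1B", "lobby-phone-01", "phone-secret")
    port.eapol(phone)
    port.link_down()                        # cable pulled from the phone
    laptop = Device("DE:AD:BE:EF:00:01")    # constructed MAC; no supplicant, no credentials
    port.eapol(laptop)
    return port.forwards(laptop)


def pc_behind_phone(mode, pc):
    """PC daisy-chained through the phone; the phone relays the PC's EAPOL frames."""
    port = SwitchPort(AuthenticationServer(DIRECTORY), mode)
    phone = Device("00:12:FA:44:3C:1B", "lobby-phone-01", "phone-secret")
    port.eapol(phone)
    port.eapol(pc)   # supplicant pass-through: the PC's own exchange reaches the switch
    return port.forwards(pc)


def user_moves_desks():
    """With sticky MAC learning, a user's PC is blocked on a port that learned someone else."""
    desk_a, desk_b = MacLockedPort(), MacLockedPort()
    alice_pc = Device("00:11:22:33:44:55", "alice", "correct horse")
    bob_pc = Device("66:77:88:99:AA:BB")
    desk_a.forwards(alice_pc)   # port A learns Alice
    desk_b.forwards(bob_pc)     # port B learns Bob
    return desk_b.forwards(alice_pc)   # Alice plugs into desk B: False
```

In either mode the rogue laptop on the lobby port is dropped, because without a supplicant the EAP exchange never starts. The difference shows up behind the phone: in "multi-host" mode an unauthenticated PC rides on the phone’s authorization, while in "multi-supplicant" mode it is forwarded only if its own identity and password are accepted by the directory.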

Hopefully, I’ve given you some background and details to help you when you get sucked into a conversation about 802.1x. At a minimum you should know that Avaya’s IP Phones support it nicely. From there you should be able to speak to why Avaya does it better than the competition, both with the IP Phones and the Ethernet Switches. And as mentioned before, if your IT guy asks you about 802.1x, they’re just begging you to talk to them about Avaya’s Networking portfolio. So, do it!

The thoughts and opinions in these blogs belong to the individual blogger and do not necessarily represent the views or opinions of Arrow Systems Integration.