802.1X.

802.1X is a standardized framework that's used for port-based authentication on both wired and wireless networks. Now, since 802.1X is just the framework, it's actually going to utilize other mechanisms to do the real authentication for us. For example, both the Remote Authentication Dial-In User Service, known as RADIUS, and the Terminal Access Controller Access Control System Plus, or TACACS+, can both be utilized to conduct the authentication using the 802.1X protocol.

There are three roles that are required for an authentication to occur under 802.1X. The first is the supplicant, which is the device or user that's requesting access to the network, such as PC1 in this image. Then, there's an authenticator, which is the device through which the supplicant is attempting to access the network. Normally, this is going to be something like a switch, a wireless access point, or a VPN concentrator. Finally, there's the authentication server, which is going to be the centralized device that performs the authentication, which is usually going to be your RADIUS or your TACACS+ server.

Now, 802.1X is certainly something that should be considered in your network architecture, as it's considered one of the best protections that you can add to your internal network connectivity to prevent rogue devices from gaining access to your organization's devices and connections. 802.1X also allows for us to encapsulate the Extensible Authentication Protocol, or EAP, when we're using a wired or wireless connection. EAP is actually not a single protocol by itself, but a framework and a series of protocols that allows for numerous different mechanisms of authentication, including things like simple passwords, digital certificates, and public key infrastructure.

EAP-MD5 is a variant of EAP, and it utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication. If you're using this method, you have to ensure that you're using long, strong, and complex passwords in order for you to maintain the security of your system. EAP-MD5 is a one-way authentication process, and it's not going to provide mutual authentication.

EAP-TLS is a form of EAP that's going to use public key infrastructure, with a digital certificate being installed on both the client and the server, as the method of authentication. This makes it immune to password-based attacks, since neither side is going to use a password; instead, they're going to use digital certificates to identify themselves. This is considered a form of mutual authentication between both devices, the client and the server, because each one is going to authenticate with the other.

Another variant of this is called EAP-TTLS. This form is going to require a digital certificate on the server, but not on the client. Instead, the client is going to use a password for its authentication. This makes it more secure than the traditional EAP-MD5, which just uses passwords, but it is less secure than EAP-TLS, because that one removes the password vulnerability by using two digital certificates.

Now, EAP-FAST, or EAP Flexible Authentication via Secure Tunneling, is our fourth variant of EAP. And this is going to use a Protected Access Credential, instead of a certificate, to establish that mutual authentication between devices.

The fifth and final type of EAP is called PEAP, or Protected EAP. This variant also supports mutual authentication by using server certificates and the Microsoft Active Directory databases for it to authenticate a password from the client.

Now, in addition to all these cross-platform variants of EAP, there's also a proprietary protocol from Cisco called LEAP, or the Lightweight EAP. But, for you to be able to use this in your organization, you have to be running a Cisco-based network and all of your clients have to support it. For this reason, most of the time, I just use standard EAP in my networks and not the Cisco proprietary one.
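As an added example (not from the lecture), the Python below models the 802.1X-encapsulated EAP-MD5 exchange described above: the authentication server sends an MD5-Challenge Request, the supplicant answers with MD5(Identifier || password || challenge), and the server recomputes and compares. Frame layouts follow IEEE 802.1X (EAPOL), RFC 3748 (EAP) and RFC 1994 (CHAP); the password, challenge, identifier and names are constructed sample values, and the supplicant function answers any challenge it is handed, which is the one-way property the lecture points out.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4  # RFC 3748 Code / Type values
EAPOL_VERSION, EAPOL_EAP_PACKET = 2, 0             # IEEE 802.1X-2004 EAPOL header values

def build_frame(code, identifier, type_data):
    """EAPOL(Version, Type, Length) wrapping EAP(Code, Id, Length, Type=MD5-Challenge, data)."""
    eap = struct.pack("!BBHB", code, identifier, 5 + len(type_data), EAP_TYPE_MD5) + type_data
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap

def parse_frame(frame):
    """Validate both length fields, return (code, identifier, eap_type, type_data)."""
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_EAP_PACKET or len(frame) != 4 + body_len:
        raise ValueError("not a well-formed EAPOL EAP-Packet")
    code, identifier, length = struct.unpack("!BBH", frame[4:8])
    if length != body_len or length < 5:
        raise ValueError("EAP length mismatch")
    return code, identifier, frame[8], frame[9:4 + length]

def md5_value(identifier, secret, challenge):
    """CHAP-style response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def server_request(identifier, challenge):
    """Authentication server -> supplicant: Value-Size, Value (the challenge), Name."""
    return build_frame(EAP_REQUEST, identifier, bytes([len(challenge)]) + challenge + b"auth-server")

def supplicant_response(request, secret, name):
    """Supplicant answers whatever challenge arrives; nothing here authenticates the server."""
    code, identifier, eap_type, data = parse_frame(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5:
        raise ValueError("expected an MD5-Challenge Request")
    value = md5_value(identifier, secret, data[1:1 + data[0]])
    return build_frame(EAP_RESPONSE, identifier, bytes([len(value)]) + value + name)

def server_verify(response, identifier, challenge, secret):
    """Server recomputes from its stored password and compares in constant time."""
    code, resp_id, eap_type, data = parse_frame(response)
    if code != EAP_RESPONSE or resp_id != identifier or eap_type != EAP_TYPE_MD5:
        return False
    return hmac.compare_digest(data[1:1 + data[0]], md5_value(identifier, secret, challenge))

# Constructed sample exchange (password, challenge and identifier are made up for the demo).
SECRET, CHALLENGE, IDENT = b"correct horse battery", bytes(range(16)), 7
REQUEST = server_request(IDENT, CHALLENGE)
RESPONSE = supplicant_response(REQUEST, SECRET, b"pc1")
```

The same supplicant code would happily answer a challenge from any device on the segment, which is why the lecture contrasts EAP-MD5 with the certificate-based variants that let the client verify the server too.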