NS My Notes

IEEE 802.1X is a client-server authentication protocol that secures Local Area Networks by ensuring only authorized users can connect, preventing unauthorized access and data breaches. It involves roles such as the client (supplicant), authenticator (usually a switch), and authentication server, which work together to verify identities and grant access. The Encapsulating Security Payload (ESP) is a security protocol in IPSec that provides encryption and optional authentication for data integrity, utilizing various encryption algorithms and padding for secure communication.

Uploaded by RAMALAKSHMI K
Unit 3

1) IEEE 802.1X Port-Based Network Access Control


802.1X Authentication Overview
802.1X is a client-server authentication protocol that ensures only authorized users can connect to a
Local Area Network (LAN) through public access points. It prevents unauthorized clients from gaining
access. An authentication server checks each user's identity before granting them access to the
network services.
Why IEEE 802.1X is Important
LANs using IEEE 802 standards are often used in networks handling sensitive data, critical
applications, or paid services. Security is essential to prevent unauthorized access, service theft, or
data breaches.
Network Security and Access Control
Networks need proper management to control access. 802.1X helps in:
Regulating access to the network.
Preventing unauthorized data transmission and reception.
Protecting against network attacks, data theft, and service misuse.
How Port-Based Network Access Control Works
This standard allows administrators to secure LAN service access points (ports) to ensure only
authenticated devices communicate. It establishes security rules for communication and
authentication between connected devices.
Key Features of Port-Based Network Access Control
Uses MAC Service:
End devices or switches provide unsecured MAC services.
There are two types of ports:
Controlled Port – Provides secure communication.
Uncontrolled Port – Used for authentication before access is granted.

Mutual Authentication:
Devices that want to communicate must verify each other’s identity.
Uses Extensible Authentication Protocol (EAP) for authentication.

Secure Communication:
Uses MACsec Key Agreement (MKA) protocol to establish encryption.
Ensures confidentiality and integrity of transmitted data.

Roles of Network Devices in 802.1X Authentication


Each network device has a specific function:
Client (Supplicant): The device (like a workstation) requesting network access. It must have 802.1X-
compliant software.
Authenticator: Usually a switch, controls access to the network. It acts as a middleman between the
client and the authentication server. It asks for the client’s identity and verifies it with the
authentication server.
Authentication Server: Verifies the client’s credentials and tells the switch whether to allow or deny
access.
802.1X Network Access Control (NAC) Process
Initiation:
Either the switch (authenticator) or the client (supplicant) starts the session.
The client sends an EAP-response message, which the switch forwards to the authentication server.
Authentication:
The authentication server and the client exchange messages to confirm the client’s identity.
Authorization:
If authentication is successful, the server tells the switch to grant the client network access.
Accounting:
The RADIUS accounting system logs session details, including user identity, device information, and
session activities.
Termination:
The session ends when the user disconnects or the network administrator manually terminates it
using management tools.
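The five-step NAC process above, together with the controlled/uncontrolled port distinction from the Key Features section, can be made concrete with a small simulation. The code below is an added example, not part of these notes or of any vendor's 802.1X implementation: it models the three roles (supplicant, authenticator, authentication server) as Python classes, replaces a real EAP method with a constructed HMAC challenge/response, and uses a constructed in-memory credential store in place of RADIUS. The point it shows is that authentication traffic passes the uncontrolled port before authorization, data traffic passes the controlled port only after the server says so, and accounting records bracket the session.

```python
"""Toy model of the 802.1X port-based NAC process (constructed example).

Roles: Supplicant (client), Authenticator (switch port) and AuthServer
(authentication plus accounting, RADIUS-like). The challenge/response is a
simplified stand-in for a real EAP method; all credentials are constructed.
"""
import hashlib
import hmac
import secrets


class AuthServer:
    """Verifies client credentials and keeps an accounting log of sessions."""

    def __init__(self, users):
        self.users = users          # identity -> shared secret (constructed)
        self.accounting = []        # RADIUS-style accounting records

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, identity, nonce, response):
        secret = self.users.get(identity)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def account(self, event, identity, port):
        self.accounting.append({"event": event, "user": identity, "port": port})


class Supplicant:
    """Client with 802.1X-capable software: answers identity and challenge requests."""

    def __init__(self, identity, secret):
        self.identity = identity
        self.secret = secret

    def eap_response_identity(self):
        return {"type": "EAP-Response/Identity", "identity": self.identity}

    def eap_response_challenge(self, nonce):
        return {"type": "EAP-Response/Challenge", "identity": self.identity,
                "response": hmac.new(self.secret, nonce, hashlib.sha256).digest()}


class Authenticator:
    """Switch port acting as middleman between supplicant and server."""

    def __init__(self, server, port_id):
        self.server = server
        self.port_id = port_id
        self.authorized = False     # state of the controlled port
        self.session_user = None

    def authenticate(self, supplicant):
        # Initiation: the switch asks for the identity and relays the EAP response.
        ident = supplicant.eap_response_identity()
        nonce = self.server.challenge()
        # Authentication: server and client exchange messages through the switch.
        resp = supplicant.eap_response_challenge(nonce)
        ok = self.server.verify(resp["identity"], nonce, resp["response"])
        # Authorization: on success the server tells the switch to open the port.
        if ok:
            self.authorized = True
            self.session_user = ident["identity"]
            # Accounting: session start is logged with user and port.
            self.server.account("Start", ident["identity"], self.port_id)
        return ok

    def forward(self, frame):
        """Return True if the frame is passed onto the LAN."""
        if frame["kind"] == "EAPOL":
            return True              # uncontrolled port: authentication traffic always passes
        return self.authorized       # controlled port: data only after authorization

    def terminate(self):
        # Termination: the session ends on disconnect or administrative action.
        if self.authorized:
            self.server.account("Stop", self.session_user, self.port_id)
        self.authorized = False
        self.session_user = None


def run_session(identity, secret, users=None):
    """Drive one full session and return the observable outcomes."""
    server = AuthServer(users if users is not None else {"alice": b"alice-secret"})
    port = Authenticator(server, port_id="Gi1/0/7")
    client = Supplicant(identity, secret)
    eapol = {"kind": "EAPOL"}
    data = {"kind": "DATA"}
    result = {"eapol_before": port.forward(eapol), "data_before": port.forward(data)}
    result["authenticated"] = port.authenticate(client)
    result["data_after"] = port.forward(data)
    port.terminate()
    result["accounting"] = [rec["event"] for rec in server.accounting]
    return result


if __name__ == "__main__":
    print(run_session("alice", b"alice-secret"))
    print(run_session("mallory", b"guess"))
```

Running it shows a valid client moving from blocked to forwarded data frames with Start/Stop accounting records, while a client with a wrong secret never gets the controlled port opened and leaves no accounting trace.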

2) Encapsulating Security Payload (ESP)


ESP is a security protocol in IPSec that provides confidentiality (encryption) for data and limited
traffic flow confidentiality (hiding data patterns). It also offers an optional authentication service for
verifying data integrity.

ESP Format

The structure of an ESP packet is shown in Fig. 3.5.1. It includes different fields to ensure secure
communication.
Field Name                     | Size        | Purpose
Security Parameter Index (SPI) | 32 bits     | Identifies a security association (SA) using source and destination addresses.
Sequence Number                | 32 bits     | Prevents replay attacks by numbering each packet uniquely.
Payload Data                   | Variable    | Contains encrypted data (transport layer segment in transport mode or entire IP packet in tunnel mode).
Padding                        | 0–255 bytes | Extra bytes added for encryption or alignment.
Padding Length                 | 8 bits      | Specifies the number of padding bytes used.
Next Header                    | 8 bits      | Indicates the type of encapsulated data in the payload.
Authentication Data            | Variable    | Stores integrity check values to verify the authenticity of the packet.

Encryption and Authentication Algorithms


ESP encrypts the payload data, padding, padding length, and next header fields using different
encryption algorithms, such as:
1. Three-key Triple DES (3DES) – Uses three keys to encrypt data securely.
2. RC5 – A fast, customizable encryption algorithm.
3. IDEA – Strong encryption used in banking and security applications.
4. Three-key Triple IDEA – An enhanced version of IDEA with stronger encryption.
5. CAST – A block cipher used for encryption in security protocols.
6. Blowfish – A fast and secure encryption algorithm commonly used in VPNs.

Padding in ESP
The Padding Field is used for different purposes:
1. Encryption Requirements – Some encryption algorithms require the plain text to be a
multiple of a specific number of bytes. Padding helps achieve this.
2. Alignment of Cipher Text – Ensures the encrypted data is an integer multiple of 32 bits for
proper processing.
3. Traffic Flow Confidentiality – Adds extra padding to hide the actual payload length, making
it harder for attackers to analyze network traffic patterns.
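To tie the ESP format table and the three padding purposes together, here is an added example that builds and parses an ESP packet in Python. It is not code from these notes or from any IPsec implementation: the cipher is a constructed keystream stand-in (SHA-256 counter mode, not one of the algorithms listed above), the ICV is a truncated HMAC-SHA256, and all keys and payloads are constructed. What it shows is which fields are encrypted (payload, padding, pad length, next header) versus sent in the clear (SPI, sequence number), how the padding length is chosen to satisfy the cipher block size, the 32-bit alignment rule and optional traffic-flow-confidentiality padding at once, and how the sequence number feeds an anti-replay window on the receiver.

```python
"""Build/parse an ESP packet and check anti-replay (constructed example)."""
import hashlib
import hmac
import math
import struct

ESP_HEADER_LEN = 8      # SPI (32 bits) + Sequence Number (32 bits)
ICV_LEN = 12            # truncated HMAC-SHA256 used as Authentication Data here


def esp_padding_length(payload_len, block_size, tfc_extra=0):
    """Padding bytes so that payload + padding + 2 trailer bytes is a multiple of
    the cipher block size and of 4 bytes (32-bit alignment), plus optional
    traffic-flow-confidentiality padding. Must fit the 8-bit Pad Length field."""
    unit = math.lcm(block_size, 4)
    base = payload_len + 2                      # Pad Length + Next Header
    pad = (-(base + tfc_extra)) % unit + tfc_extra
    if pad > 255:
        raise ValueError("padding does not fit in the 8-bit Pad Length field")
    return pad


def toy_keystream_xor(key, seq, data):
    """Constructed stand-in for the ESP cipher: XOR with a SHA-256 keystream.
    Symmetric, so the same call encrypts and decrypts. Not a real IPsec cipher."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + seq.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_esp(spi, seq, payload, next_header, enc_key, auth_key, block_size, tfc_extra=0):
    pad_len = esp_padding_length(len(payload), block_size, tfc_extra)
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding content 1, 2, 3, ...
    # Encrypted region: Payload Data, Padding, Pad Length, Next Header.
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = toy_keystream_xor(enc_key, seq, plaintext)
    header = struct.pack("!II", spi, seq)       # SPI and Sequence Number travel in the clear
    # Authentication Data covers everything except itself.
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def parse_esp(packet, enc_key, auth_key):
    if len(packet) < ESP_HEADER_LEN + ICV_LEN + 2:
        raise ValueError("packet too short to be ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet rejected before decryption")
    spi, seq = struct.unpack("!II", body[:ESP_HEADER_LEN])
    plaintext = toy_keystream_xor(enc_key, seq, body[ESP_HEADER_LEN:])
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("Pad Length exceeds decrypted data")
    padding = plaintext[len(plaintext) - 2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "pad_len": pad_len, "payload": plaintext[:len(plaintext) - 2 - pad_len]}


class ReplayWindow:
    """Sliding bitmap over received sequence numbers (window of 64 by default)."""

    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                            # sequence numbers start at 1
            return False
        if seq > self.highest:                  # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                        # too old, or already seen: replay
        self.bitmap |= 1 << diff
        return True


if __name__ == "__main__":
    ek, ak = b"enc-key-constructed", b"auth-key-constructed"
    pkt = build_esp(0x1234, 1, b"hello transport segment", 6, ek, ak, block_size=16)
    print(len(pkt), parse_esp(pkt, ek, ak))
```

Note that the receiver verifies the ICV before decrypting anything, so a tampered packet is dropped without touching the cipher, and that traffic-flow padding is expressed purely through the Pad Length field, so the parser needs no knowledge of how much of the padding was alignment versus concealment.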
