Intro to Networking - AAA, 802.1X, EAP & RADIUS
Background to AAA
Authentication, Authorization, and Accounting (AAA) is a primary requirement for most managed networks in the Service Provider and Enterprise settings. For example, in the Enterprise, users may connect their Client devices to AAA-ready, UniFi Access Points connected to the Hospital's Enterprise LAN/WAN with different access needs:
- IT (for managing network equipment),
- Hospital Personnel (for patient care/monitoring services),
- Hospital Administrators (for patient billing/record maintenance),
- and, Guests (for web browsing).
As another example, Internet Service Providers frequently rely on AAA to manage their Internet customers ('subscribers'), by means of PPPoE-configured Customer Premise Equipment (e.g., airMAX-ac radios), which are authenticated by the ISP's Remote Access Dial-In User Service (RADIUS) Server for authorized Internet access (including accounting controls).
AAA therefore defines the framework by which users are authenticated into networks, with authorization to access particular services, while also accounting for their network activity. As it relates to the context of this article:
- Authentication means allowing users to join and access the network.
- Authorization means granting user access to particular services / network areas.
- Accounting means tracking user activity on the network.
What is 802.1X?
To begin, 802 refers to the IEEE standards for networking protocols. While 802.11 refers to wireless LAN protocols and standards, 802.1 refers to general concepts relating to LANs/WANs, including security, bridging, and more. Therefore, “802.1X” (not 802.11X) falls under the IEEE standards for LANs.
Specifically, 802.1X defines Port-Based Network Access Control, a security concept permitting device(s) to authenticate to the network using an encapsulation protocol known as Extensible Authentication Protocol (EAP). While many variants of EAP exist (ex., EAP-TLS, EAP-MSCHAPv2), EAP defines the format for messages sent between three parties:
- Supplicant, or the device requiring authentication.
- Authenticator, or the device responsible for initiating the process by which the Supplicant is authenticated.
- Authentication Server, is the device that authenticates the Supplicant.
Figure A - Example devices involved in 802.1X framework for AAA controls in secure, Enterprise-grade networks. |
The Supplicant authentication data (EAP) is encapsulated first where at the Authenticator, the data is re-encapsulated using another protocol such as RADIUS to determine the validity of the Supplicant’s provided credentials against the Authentication Server.
Note - Using WPA-Enterprise Security, UniFi APs can be configured as Authenticators within the 802.1X framework.
Figure B - Choose WPA-Enterprise for AAA with UniFi Wireless LANs. |
Figure C - Configure RADIUS Profiles in the UniFi Network application to set up UniFi APs as 802.1X Authenticators. |
What is RADIUS?
The Remote Authentication Dial-In User Service (RADIUS) is an AAA protocol that uses UDP Port 1812 to establish connections. Enterprise networks and ISPs often install RADIUS software (e.g., FreeRADIUS) on a server machine to act as the Authentication Server.
As of v5.6.x, the UniFi Security Gateway supports a built-in RADIUS Server, as well as configured RADIUS Users for local authentication.
For integration with external authentication databases, such as MySQL, LDAP, Active Directory, and more, Ubiquiti recommends FreeRADIUS (free RADIUS software that can run on any server-based OS).
Figure D - Create a RADIUS Server in the UniFi Network application for Enterprise AAA. |
Figure E - Add Users to the UniFi Network application for RADIUS-based authentication. |
802.1X Authentication End-to-End
For reference, let’s examine the Client-Server process by which a Supplicant authenticates with the Authentication Server by means of the Authenticator. In this example, we’ll look a wireless client (e.g., Laptop) that connects to a UniFi AP broadcasting a WPA-Enterprise WLAN, before being authenticated at the RADIUS Server running on the UniFi Security Gateway.
Because the Supplicant and Authentication Server technically use separate protocols for 802.1X authentication (EAP and RADIUS, respectively), it can help to consider the Authenticator as a trusted middle-man who translates messages between Client and Server via encapsulation.
Figure F - End-to-end process shown for 802.1X, an authentication framework defining Port-Based Network Access Control. |