IEEE 802.1X

Last updated

IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Contents

The standard directly addresses an attack technique called Hardware Addition [1] where an attacker posing as a guest, customer or staff smuggles a hacking device into the building that they then plug into the network giving them full access. A notable example of the issue was in 2005 where a machine attached to Walmart's network hacked thousands of their servers [2]

IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over wired IEEE 802 networks [3] and over 802.11 wireless networks, [4] which is known as "EAP over LAN" or EAPOL. [5] EAPOL was originally specified for IEEE 802.3 Ethernet, IEEE 802.5 Token Ring, and FDDI (ANSI X3T9.5/X3T12 and ISO 9314) in 802.1X-2001, [6] but was extended to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless in 802.1X-2004. [7] The EAPOL was also modified for use with IEEE 802.1AE ("MACsec") and IEEE 802.1AR (Secure Device Identity, DevID) in 802.1X-2010 [8] [9] to support service identification and optional point to point encryption over the internal LAN segment.

Overview

EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter. 802.1X wired protocols.png
EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device that provides a data link between the client and the network and can allow or block network traffic between the two, such as an Ethernet switch or wireless access point; and the authentication server is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is to be allowed, and various settings that should apply to that client's connection or setting. Authentication servers typically run software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may be running on the authenticator hardware.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the supplicant must initially provide the required credentials to the authenticator - these will have been specified in advance by the network administrator and could include a user name/password or a permitted digital certificate. The authenticator forwards these credentials to the authentication server to decide whether access is to be granted. If the authentication server determines the credentials are valid, it informs the authenticator, which in turn allows the supplicant (client device) to access resources located on the protected side of the network. [10]

Protocol operation

EAPOL operates over the data link layer, and in Ethernet II framing protocol has an EtherType value of 0x888E.

Port entities

802.1X-2001 defines two logical port entities for an authenticated port—the "controlled port" and the "uncontrolled port". The controlled port is manipulated by the 802.1X PAE (Port Access Entity) to allow (in the authorized state) or prevent (in the unauthorized state) network traffic ingress and egress to/from the controlled port. The uncontrolled port is used by the 802.1X PAE to transmit and receive EAPOL frames.

802.1X-2004 defines the equivalent port entities for the supplicant; so a supplicant implementing 802.1X-2004 may prevent higher-level protocols from being used if it is not content that authentication has successfully completed. This is particularly useful when an EAP method providing mutual authentication is used, as the supplicant can prevent data leakage when connected to an unauthorized network.

Typical authentication progression

The typical authentication procedure consists of:

Sequence diagram of the 802.1X progression 802-1X.png
Sequence diagram of the 802.1X progression
  1. Initialization On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with that TCP and UDP), is dropped.
  2. Initiation To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address (01:80:C2:00:00:03) on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame, it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.
  3. Negotiation(Technically EAP negotiation) The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (The type of EAP based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point, the supplicant can start using the requested EAP Method, or do a NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.
  4. Authentication If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet), or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed, if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator, the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.

Implementations

An open-source project named Open1X produces a client, Xsupplicant. This client is currently available for both Linux and Windows. The main drawbacks of the Open1X client are that it does not provide comprehensible and extensive user documentation and that most Linux vendors do not provide a package for it. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types. [11]

The iPhone and iPod Touch support 802.1X since the release of iOS 2.0. Android has support for 802.1X since the release of 1.6 Donut. ChromeOS has supported 802.1X since mid-2011. [12]

macOS has offered native support since 10.3. [13]

Avenda Systems provides a supplicant for Windows, Linux and macOS. They also have a plugin for the Microsoft NAP framework. [14] Avenda also offers health checking agents.

Windows

Windows defaults to not responding to 802.1X authentication requests for 20 minutes after a failed authentication. This can cause significant disruption to clients.

The block period can be configured using the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc\BlockTime [15] DWORD value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc\BlockTime for wireless networks) in the registry (entered in minutes). A hotfix is required for Windows XP SP3 and Windows Vista SP2 to make the period configurable. [16]

Wildcard server certificates are not supported by EAPHost, the Windows component that provides EAP support in the operating system. [17] The implication of this is that when using a commercial certification authority, individual certificates must be purchased.

Windows XP

Windows XP has major issues with its handling of IP address changes resulting from user-based 802.1X authentication that changes the VLAN and thus subnet of clients. [18] Microsoft has stated that it will not backport the SSO feature from Vista that resolves these issues. [19]

If users are not logging in with roaming profiles, a hotfix must be downloaded and installed if authenticating via PEAP with PEAP-MSCHAPv2. [20]

Windows Vista

Windows Vista-based computers that are connected via an IP phone may not authenticate as expected and, as a result, the client can be placed into the wrong VLAN. A hotfix is available to correct this. [21]

Windows 7

Windows 7 based computers that are connected via an IP phone may not authenticate as expected and, consequently, the client can be placed into the wrong VLAN. A hotfix is available to correct this. [21]

Windows 7 does not respond to 802.1X authentication requests after initial 802.1X authentication fails. This can cause significant disruption to clients. A hotfix is available to correct this. [22]

Windows PE

For most enterprises deploying and rolling out operating systems remotely, it is worth noting that Windows PE does not have native support for 802.1X. However, support can be added to WinPE 2.1 [23] and WinPE 3.0 [24] through hotfixes that are available from Microsoft. Although full documentation is not yet available, preliminary documentation for the use of these hotfixes is available via a Microsoft blog. [25]

Linux

Most Linux distributions support 802.1X via wpa_supplicant and desktop integration like NetworkManager.

Apple devices

As of iOS 17 and macOS 14, Apple devices support connecting to 802.1X networks using EAP-TLS with TLS 1.3 (EAP-TLS 1.3). Additionally, devices running iOS/iPadOS/tvOS 17 or later support wired 802.1X networks. [26] [27]

Federations

eduroam (the international roaming service), mandates the use of 802.1X authentication when providing network access to guests visiting from other eduroam-enabled institutions. [28]

BT (British Telecom, PLC) employs Identity Federation for authentication in services delivered to a wide variety of industries and governments. [29]

Proprietary extensions

MAB (MAC Authentication Bypass)

Not all devices support 802.1X authentication. Examples include network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones. For those devices to be used in a protected network environment, alternative mechanisms must be provided to authenticate them.

One option would be to disable 802.1X on that port, but that leaves that port unprotected and open for abuse. Another, slightly more reliable option is to use the MAB option. When MAB is configured on a port, that port will first try to check if the connected device is 802.1X compliant, and if no reaction is received from the connected device, it will try to authenticate with the AAA server using the connected device's MAC address as username and password. The network administrator then must make provisions on the RADIUS server to authenticate those MAC-addresses, either by adding them as regular users or implementing additional logic to resolve them in a network inventory database.

Many managed Ethernet switches [30] offer options for this.

Vulnerabilities in 802.1X-2001 and 802.1X-2004

Shared media

In the summer of 2005, Microsoft's Steve Riley posted an article (based on the original research of Microsoft MVP Svyatoslav Pidgorny) detailing a serious vulnerability in the 802.1X protocol, involving a man in the middle attack. In summary, the flaw stems from the fact that 802.1X authenticates only at the beginning of the connection, but after that authentication, it's possible for an attacker to use the authenticated port if they have the ability to physically insert themselves (perhaps using a workgroup hub) between the authenticated computer and the port. Riley suggests that for wired networks the use of IPsec or a combination of IPsec and 802.1X would be more secure. [31]

EAPOL-Logoff frames transmitted by the 802.1X supplicant are sent in the clear and contain no data derived from the credential exchange that initially authenticated the client. [32] They are therefore trivially easy to spoof on shared media and can be used as part of a targeted DoS on both wired and wireless LANs. In an EAPOL-Logoff attack a malicious third party, with access to the medium the authenticator is attached to, repeatedly sends forged EAPOL-Logoff frames from the target device's MAC Address. The authenticator (believing that the targeted device wishes to end its authentication session) closes the target's authentication session, blocking traffic ingressing from the target, denying it access to the network.

The 802.1X-2010 specification, which began as 802.1af, addresses vulnerabilities in previous 802.1X specifications, by using MACsec IEEE 802.1AE to encrypt data between logical ports (running on top of a physical port) and IEEE 802.1AR (Secure Device Identity / DevID) authenticated devices. [8] [9] [33] [34]

As a stopgap, until these enhancements are widely implemented, some vendors have extended the 802.1X-2001 and 802.1X-2004 protocol, allowing multiple concurrent authentication sessions to occur on a single port. While this prevents traffic from devices with unauthenticated MAC addresses ingressing on an 802.1X authenticated port, it will not stop a malicious device snooping on traffic from an authenticated device and provides no protection against MAC spoofing, or EAPOL-Logoff attacks.

Alternatives

The IETF-backed alternative is the Protocol for Carrying Authentication for Network Access (PANA), which also carries EAP, although it works at layer 3, using UDP, thus not being tied to the 802 infrastructure. [35]

See also

Related Research Articles

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises in 1991 as an access server authentication and accounting protocol. It was later brought into IEEE 802 and IETF standards.

<span class="mw-page-title-main">Server Message Block</span> Network communication protocol for providing shared access to resources

Server Message Block (SMB) is a communication protocol used to share files, printers, serial ports, and miscellaneous communications between nodes on a network. On Microsoft Windows, the SMB implementation consists of two vaguely named Windows services: "Server" and "Workstation". It uses NTLM or Kerberos protocols for user authentication. It also provides an authenticated inter-process communication (IPC) mechanism.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity as well as authenticate itself to the connecting entity by declaring the type of information needed for authentication as well as syntax. It is the most important layer of protection needed for secure communication within computer networks.

IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.

IEEE 802.11r-2008 or fast BSS transition (FT), is an amendment to the IEEE 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure client transitions from one Basic Service Set to another performed in a nearly seamless manner. It was published on July 15, 2008. IEEE 802.11r-2008 was rolled up into 802.11-2012. The terms handoff and roaming are often used, although 802.11 transition is not a true handoff/roaming process in the cellular sense, where the process is coordinated by the base station and is generally uninterrupted.

The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

Xsupplicant is a supplicant that allows a workstation to authenticate with a RADIUS server using 802.1X and the Extensible Authentication Protocol (EAP). It can be used for computers with wired or wireless LAN connections to complete a strong authentication before joining the network and supports the dynamic assignment of WEP keys.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

IEEE 802.11u-2011 is an amendment to the IEEE 802.11-2007 standard to add features that improve interworking with external networks.

IEEE 802.11w-2009 is an approved amendment to the IEEE 802.11 standard to increase the security of its management frames.

Internet Authentication Service (IAS) is a component of Windows Server operating systems that provides centralized user authentication, authorization and accounting.

Network Admission Control (NAC) refers to Cisco's version of Network Access Control, which restricts access to the network based on identity or security posture. When a network device is configured for NAC, it can force user or machine authentication prior to granting access to the network. In addition, guest access can be granted to a quarantine area for remediation of any problems that may have caused authentication failure. This is enforced through an inline custom network device, changes to an existing switch or router, or a restricted DHCP class. A typical (non-free) WiFi connection is a form of NAC. The user must present some sort of credentials before being granted access to the network.

wpa_supplicant Open-source implementation of IEEE 802.11i

wpa_supplicant is a free software implementation of an IEEE 802.11i supplicant for Linux, FreeBSD, NetBSD, QNX, AROS, Microsoft Windows, Solaris, OS/2 and Haiku. In addition to being a WPA3 and WPA2 supplicant, it also implements WPA and older wireless LAN security protocols.

<span class="mw-page-title-main">Supplicant (computer)</span> Part of IEEE 802.1X standard

In computer networking, a supplicant is an entity at one end of a point-to-point LAN segment that seeks to be authenticated by an authenticator attached to the other end of that link. The IEEE 802.1X standard uses the term "supplicant" to refer to either hardware or software. In practice, a supplicant is a software application installed on an end-user's computer. The user invokes the supplicant and submits credentials to connect the computer to a secure network. If the authentication succeeds, the authenticator typically allows the computer to connect to the network.

hostapd is a user space daemon software enabling a network interface card to act as an access point and authentication server. There are three implementations: Jouni Malinen's hostapd, OpenBSD's hostapd and Devicescape's hostapd.

AEGIS SecureConnect is the former name of a network authentication system used in IEEE 802.1X networks. It was developed by Meetinghouse Data Communications, Inc.; the system was renamed "Cisco Secure Services Client" when Meetinghouse was acquired by Cisco Systems. The AEGIS Protocol is an 802.1X supplicant, and is commonly installed along with a Network Interface Card's (NIC) or VPN drivers.

Network access control (NAC) is an approach to computer security that attempts to unify endpoint security technology, user or system authentication and network security enforcement.

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

References

  1. "Hardware Additions, Technique T1200". attack.mitre.org. 2018-04-18. Retrieved 2024-04-10.
  2. Zetter, Kim. "Big-Box Breach: The Inside Story of Wal-Mart's Hacker Attack". Wired. ISSN   1059-1028 . Retrieved 2024-02-07.
  3. "EAP Usage Within IEEE 802". Extensible Authentication Protocol (EAP). sec. 3.3. doi: 10.17487/RFC3748 . RFC 3748.
  4. "Link Layer". Extensible Authentication Protocol (EAP). sec. 7.12. doi: 10.17487/RFC3748 . RFC 3748.
  5. IEEE 802.1X-2001, § 7
  6. IEEE 802.1X-2001, § 7.1 and 7.2
  7. IEEE 802.1X-2004, § 7.6.4
  8. 1 2 IEEE 802.1X-2010, page iv
  9. 1 2 IEEE 802.1X-2010, § 5
  10. "802.1X Port-Based Authentication Concepts". Archived from the original on 2012-10-14. Retrieved 2008-07-30.
  11. "eap_testing.txt from wpa_supplicant" . Retrieved 2010-02-10.
  12. Sheth, Rajen (August 10, 2011). "The computer that keeps getting better". Google Cloud Official Blog. Retrieved 2022-07-02.
  13. Negrino, Tom; Smith, Dori (2003). Mac OS X Unwired: A Guide for Home, Office, and the Road. O'Reilly Media. p. 19. ISBN   978-0596005085 . Retrieved 2022-07-02.
  14. "NAP clients for Linux and Macintosh are available". Network Access Protection (NAP) team blog. 2008-12-16.
  15. "20 minute delay deploying Windows 7 on 802.1x? Fix it here!". Dude where's my PFE? blog. 2013-01-24.
  16. "A Windows XP-based, Windows Vista-based or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication". Microsoft Support. 2009-09-17. Retrieved 2022-07-03.
  17. "EAPHost in Windows Vista and Longhorn (January 18, 2006)". Microsoft Docs. 2007-01-18. Retrieved 2022-07-03.
  18. "You experience problems when you try to obtain Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller". Microsoft Support. 2007-09-14. Archived from the original on 2008-04-22. Retrieved 2010-02-10.
  19. "802.1x with dynamic vlan switching - Problems with Roaming Profiles". Microsoft TechNet Forums. Archived from the original on 2011-08-24. Retrieved 2010-02-10. With Vista, this is not a problem at all with the SSO feature, however, this feature does not exist in XP and unfortunately, we do not have any plans to backport this feature to XP as it is just too complex a change.
  20. "A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1X authentication when you use PEAP with PEAP-MSCHAPv2 in a domain". Microsoft support. 2009-04-23. Archived from the original on 2010-03-16. Retrieved 2010-03-23.
  21. 1 2 "A computer that is connected to an IEEE 802.1X authenticated network through a VOIP phone does not connect to the correct network after you resume it from Hibernate mode or Sleep mode". Microsoft Support. 2010-02-08. Retrieved 2022-07-03.
  22. "No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2". Microsoft Support. 2010-03-08. Archived from the original on 2010-11-14. Retrieved 2010-03-23.
  23. "Windows PE 2.1 does not support the IEEE 802.1X authentication protocol". Microsoft Support. 2009-12-08. Archived from the original on 2010-03-05. Retrieved 2010-02-10.
  24. "The IEEE 802.1X authentication protocol is not supported in Windows Preinstall Environment (PE) 3.0". Microsoft Support. 2009-12-08. Retrieved 2022-07-03.
  25. "Adding Support for 802.1X to WinPE". The Deployment Guys blog. 2010-03-02. Archived from the original on 2011-06-17. Retrieved 2010-03-03.
  26. "iOS 17 beta 4 developer release notes". Apple Developer. 2023-07-25. Retrieved 2023-07-25.
  27. "macOS 14 beta 4 developer release notes". Apple Developer. 2023-07-25. Retrieved 2023-07-25.
  28. "How does eduroam work?". eduroam . Retrieved 2022-07-03.
  29. "BT Identity and Access Management" (PDF). Archived from the original (PDF) on 2011-06-13. Retrieved 2010-08-17.
  30. "Dell PowerConnect 6200 series CLI Guide" (PDF). p. 622, Revision: A06-March 2011. Archived from the original (PDF) on 2012-11-18. Retrieved 26 January 2013.
  31. Riley, Steve (2005-08-09). "Mitigating the Threats of Rogue Machines—802.1X or IPsec?". Microsoft Docs. Retrieved 2022-07-03.
  32. IEEE 802.1X-2001, § 7.1
  33. "2 February 2010 Early Consideration Approvals". Standards.ieee.org. Archived from the original on 2010-07-06. Retrieved 2010-02-10.
  34. "IEEE 802.1: 802.1X-2010 - Revision of 802.1X-2004". Ieee802.org. 2010-01-21. Archived from the original on 2010-03-04. Retrieved 2010-02-10.
  35. Philip Golden; Hervé Dedieu; Krista S. Jacobsen (2007). Implementation and Applications of DSL Technology. Taylor & Francis. pp. 483–484. ISBN   978-1-4200-1307-8.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.