Supplicant (computer)


In computer networking, a supplicant is an entity at one end of a point-to-point LAN segment that seeks to be authenticated by an authenticator attached to the other end of that link. The IEEE 802.1X standard [1] uses the term "supplicant" to refer to either hardware or software. In practice, a supplicant is a software application installed on an end-user's computer. The user invokes the supplicant and submits credentials to connect the computer to a secure network. If the authentication succeeds, the authenticator typically allows the computer to connect to the network.


Figure: IEEE 802.1x network-diagram example. The hub is optional; the supplicant can connect straight to the authenticator itself. In a hub or an unmanaged switch, the uplink port (the port to which the hub is connected) should be set in multi-session mode.

A supplicant, in some contexts, refers to a user or to a client in a network environment seeking to access network resources secured by the IEEE 802.1X authentication mechanism. But saying "user" or "client" over-generalizes; in reality, the interaction takes place through a personal computer, an Internet Protocol (IP) phone, or similar network device. Each of these must run supplicant software that initiates or reacts to IEEE 802.1X authentication requests for association.
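The opening of the 802.1X conversation described above, as an added example that is not part of the original article: the supplicant sends EAPOL-Start, the authenticator answers with EAP-Request/Identity, and the supplicant replies with EAP-Response/Identity, which the authenticator then forwards to the authentication server. The frame layouts follow IEEE 802.1X (EAPOL header) and RFC 3748 (EAP header); the identity "alice", the function names and the identifier value are constructed for the example.

```python
import struct

# IEEE 802.1X carries EAP inside EAPOL frames (Ethertype 0x888E) addressed to the
# PAE group MAC address. Constants are from IEEE 802.1X and RFC 3748.
EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol_frame(packet_type, body=b"", version=2):
    """EAPOL header: version (1 byte), packet type (1), body length (2), then the body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def parse_eapol(data):
    """Split an EAPOL frame into (version, type, body); reject frames shorter than declared."""
    if len(data) < 4:
        raise ValueError("EAPOL frame too short")
    version, packet_type, length = struct.unpack("!BBH", data[:4])
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    return version, packet_type, body


def eap_packet(code, identifier, eap_type=None, payload=b""):
    """EAP header: code (1), identifier (1), length (2, header included), then type and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + payload
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(data):
    """Return (code, identifier, type, payload); type is None for Success and Failure."""
    if len(data) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("EAP length field inconsistent with frame")
    body = data[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("EAP Request/Response without a type byte")
        return code, identifier, body[0], body[1:]
    return code, identifier, None, body


# --- supplicant side (software on the end-user's computer) ---
def supplicant_start():
    """EAPOL-Start: the supplicant asks the authenticator to begin authentication."""
    return eapol_frame(EAPOL_START)


def supplicant_identity_response(frame, identity):
    """Answer EAP-Request/Identity with EAP-Response/Identity, echoing the identifier."""
    _, packet_type, body = parse_eapol(frame)
    if packet_type != EAPOL_EAP_PACKET:
        raise ValueError("expected an EAPOL EAP-Packet")
    code, identifier, eap_type, _ = parse_eap(body)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("expected EAP-Request/Identity")
    response = eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity.encode())
    return eapol_frame(EAPOL_EAP_PACKET, response)


# --- authenticator side (the switch or access-point port) ---
def authenticator_identity_request(identifier):
    """EAP-Request/Identity, sent in reaction to EAPOL-Start or on link-up."""
    return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY))


def authenticator_read_identity(frame, expected_identifier):
    """Extract the identity the supplicant claimed; this is what is relayed to the RADIUS server."""
    _, packet_type, body = parse_eapol(frame)
    if packet_type != EAPOL_EAP_PACKET:
        raise ValueError("expected an EAPOL EAP-Packet")
    code, identifier, eap_type, payload = parse_eap(body)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or identifier != expected_identifier:
        raise ValueError("unexpected EAP packet")
    return payload.decode()


def authenticator_result(identifier, success):
    """EAP-Success or EAP-Failure, after which the port is opened or stays blocked."""
    return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS if success else EAP_FAILURE, identifier))


def run_identity_exchange(identity, identifier=1):
    """Drive the identity phase and return each frame plus the identity the authenticator learned."""
    start = supplicant_start()
    request = authenticator_identity_request(identifier)
    response = supplicant_identity_response(request, identity)
    learned = authenticator_read_identity(response, identifier)
    return {"start": start, "request": request, "response": response, "identity": learned}


if __name__ == "__main__":
    for name, value in run_identity_exchange("alice").items():  # "alice" is a constructed identity
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Note that the EAP-Response/Identity travels in cleartext on the link, which is why tunnelled EAP methods let the supplicant send an anonymous outer identity and keep the real user name for the protected inner exchange.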

Overview

Businesses, campuses, governments and any other organization in need of security may use IEEE 802.1X authentication to regulate users' access to their network infrastructure. For this to work, client devices must act as supplicants in order to gain access. In businesses, for example, it is very common for employees to receive their new computer with all the settings needed for IEEE 802.1X authentication already configured, in particular for connecting wirelessly to the network. [2]

Access

For a supplicant-capable device to gain access to the secured resources on a network, certain preconditions must be met. The network with which the supplicant interacts must have a RADIUS Server (also known as an Authentication Server or an Authenticator), a Dynamic Host Configuration Protocol (DHCP) server if automatic IP address assignment is needed, and, in certain configurations, an Active Directory domain controller. The domain controller is needed in particular in Microsoft environments when Microsoft's Internet Authentication Service (IAS) or Network Policy Server (NPS) software provides the RADIUS services on the Authentication Server. [3]
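The authenticator relays what the supplicant sent to the RADIUS server named above. The following added example (not from the article) builds the RADIUS Access-Request that carries the supplicant's EAP-Response/Identity in EAP-Message attributes and signs it with the Message-Authenticator attribute, the HMAC-MD5 keyed with the shared secret that RFC 3579 requires whenever EAP-Message is present; the verification routine shows what the RADIUS server checks before trusting the request. Field layouts follow RFC 2865 and RFC 3579. The shared secret, NAS address, port number, MAC address and the EAP bytes for identity "alice" are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 4, 5
ATTR_CALLING_STATION_ID, ATTR_NAS_PORT_TYPE = 31, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ETHERNET = 15  # RFC 2865 value for a wired port
RADIUS_HEADER_LEN = 20       # code, identifier, length, 16-byte authenticator


def attr(attr_type, value):
    """RADIUS attribute TLV: type (1), length (1, header included), value (at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data):
    """Return (type, value) pairs, rejecting inconsistent attribute lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_access_request(secret, identifier, user_name, eap_message, nas_ip, nas_port,
                         calling_mac, request_authenticator=None):
    """Wrap the supplicant's EAP packet in an Access-Request signed with Message-Authenticator."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = (
        attr(ATTR_USER_NAME, user_name.encode())
        + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
        + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
        + attr(ATTR_CALLING_STATION_ID, calling_mac.encode())
    )
    # A long EAP packet is split across several EAP-Message attributes in order.
    for i in range(0, len(eap_message), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap_message[i:i + 253])
    # Message-Authenticator is computed over the whole packet with its own value zeroed.
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = RADIUS_HEADER_LEN + len(attrs)
    packet = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length) + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed placeholder is the last 16 bytes


def _find_attr_offset(packet, attr_type):
    """Offset of the first attribute of the given type, or None."""
    i = RADIUS_HEADER_LEN
    while i < len(packet):
        if len(packet) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad attribute length")
        if t == attr_type:
            return i
        i += length
    return None


def verify_message_authenticator(secret, packet):
    """Server-side check: False if the attribute is absent, malformed, or keyed with another secret."""
    if len(packet) < RADIUS_HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    off = _find_attr_offset(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off is None or packet[off + 1] != 18:
        return False
    received = packet[off + 2:off + 18]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def eap_from_access_request(packet):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for t, v in parse_attrs(packet[RADIUS_HEADER_LEN:]) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    # Constructed sample: EAP-Response/Identity for "alice" (code 2, id 1, length 10, type 1).
    eap = b"\x02\x01\x00\x0a\x01alice"
    pkt = build_access_request(b"example-shared-secret", 7, "alice", eap, "192.0.2.1", 3, "00-11-22-33-44-55")
    print(len(pkt), "bytes; valid:", verify_message_authenticator(b"example-shared-secret", pkt))
```

The `request_authenticator` argument exists so that a test can pass fixed bytes; in operation it must be fresh random data per request, as the server uses it when protecting the reply.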

Figure: a list of authenticated users as displayed in a Linksys LGS528P Switch. In this case, the LGS528P is acting as the Authenticator.

Supplicant list

Supplicants include but are not limited to:

Mechanism

One requirement a user needs to understand, and comply with as directed by the network administrator, is that a user name and password, or a MAC address, is the minimum that will be required for account setup.

On a Windows machine, taking Windows 8 as an example, one enables the client to act as a supplicant by opening the Network Properties of the Network Interface Card (NIC) and, on the Authentication tab, checking "Enable IEEE 802.1X authentication". Similar steps are needed on other network devices that support IEEE 802.1X authentication. [5] This is the single most important step a user must take for a network device to act as a supplicant.

Figure: screenshot of the Network Interface Card properties window used to enable or disable support for IEEE 802.1x authentication. Many other options can be adjusted as seen fit.

Notes

Note that IAS was used up to Windows Server 2003; since then it has been replaced by NPS on all subsequent Windows Server releases (2008, 2012...). IAS and NPS are not the only RADIUS Servers; others include FreeRADIUS and the Cisco Secure Access Control System (ACS) Server.


References

  1. "Get IEEE 802: Local And Metropolitan Area Network Standard" (PDF). Retrieved November 7, 2014.
  2. "802.1X Authenticated Wireless Access Overview" . Retrieved November 8, 2014.
  3. "How 802.1x authentication works" . Retrieved November 8, 2014.
  4. "WPA2-Enterprise and 802.1x Simplified" . Retrieved May 23, 2017.
  5. "To set up 802.1x authentication" . Retrieved November 7, 2014.
