Per-packet authentication or other 802.1X surroundings for paranoids

Tomasz
Valued Contributor II

Hello,
I’ve recently been thinking about the fact that 802.1X is extremely cool for authentication, but alone it’s prone to MitM when the authenticated MAC address is spoofed between the supplicant device and the switch port. Having physical security (cabling, server room access) and damage control (VLANs, port isolation, least-privilege paradigm followed by switch port policy and router ACLs) seems cool as a rule of thumb, but might also be needed to minimize potential attack vectors in case of MitM.

What are your thoughts or already known ideas to detect or mitigate MitM risk in dot1x-based access? I wonder if there are any ideas to implement per-packet auth (that sounds performance-impacting, but...).
Cheers,
Tomasz

3 REPLIES

Stefan_K_
Valued Contributor

What about MACsec?

Tomasz
Valued Contributor II

Hi Stefan,
I’m not aware of 802.1X being capable of authenticating a packet. IMHO it would require some key in each packet header to verify that the legitimate station is sending the packet. But in case of MitM, such a key would have to rotate every packet. Otherwise it would be just as easy to spoof.

Perhaps frequent reauths could at least disrupt some MitM movements. 🙂 I’m curious to know any other ideas on this, besides the fact that such a risk is probably not relevant to the majority of customers - there are so many easier entry points to break through…
Cheers,
Tomasz
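A small model of the per-packet integrity idea discussed in this thread, as an added example that is not part of any post above: a session key negotiated once (as MACsec does after the 802.1X exchange) plus a per-frame packet number and keyed tag, so the key itself need not rotate every packet. The key, payloads and the HMAC-based tag are constructed for the demo; real MACsec uses AES-GCM, not HMAC, and this simplification is noted in the code.

```python
import hmac
import hashlib
import struct

# Constructed session key for the demo. In MACsec this would be the SAK
# distributed by MKA after a successful 802.1X/EAP exchange.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = 16  # truncated tag length used by this simplified model

def protect(key: bytes, pn: int, payload: bytes) -> bytes:
    """Sender side: prepend a 32-bit packet number and append a keyed tag
    over (pn || payload). The key stays fixed; the packet number changes,
    so every frame carries a different tag that only key holders can make.
    (Simplification: HMAC-SHA256 stands in for MACsec's AES-GCM.)"""
    header = struct.pack(">I", pn)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Receiver side: verify the tag, then require a strictly increasing
    packet number so a captured frame cannot simply be resent."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_pn = -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False  # too short to carry a header and tag
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key or altered frame
        pn = struct.unpack(">I", header)[0]
        if pn <= self.last_pn:
            return False  # replayed frame: tag is valid but number is stale
        self.last_pn = pn
        return True

def demo() -> dict:
    """Run four frames through one receiver and report which are accepted."""
    rx = Receiver(SESSION_KEY)
    legit = protect(SESSION_KEY, 1, b"hello switch")
    results = {"legit": rx.accept(legit)}
    results["replay"] = rx.accept(legit)                      # same frame again
    results["wrong_key"] = rx.accept(protect(b"guess", 2, b"hello switch"))
    tampered = legit[:4] + b"HELLO switch" + legit[-TAG_LEN:]  # payload altered
    results["tampered"] = rx.accept(tampered)
    return results
```

Only the first frame is accepted; a spoofed source address alone gives an attacker none of the three things the receiver checks.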

Stefan_K_
Valued Contributor

Glad I’m not the only one that wonders about these things. 🙂 

Per Port Authentication - is this somehow implemented in the 802.1x standard? But yes, it sounds very performance-impacting.

Reducing the time period between 802.1x reauths to a few minutes might be a possible solution to certain MitM scenarios?