Why 802.1X Authentication is a Pain
When the 802.1X authentication standard was first introduced, it was designed for port-based access control on wired networks. As wireless has become the default way to connect in recent years, systems admins and support engineers alike have tended to shun 802.1X, citing its complexity of deployment, the difficulty of authenticating devices spread across many locations, and the need for supplicant software on every client.
What are the Pain Points?
Deployment of 802.1X is complex, if not impractical in some (mainly wireless) network environments, because it depends on back-end authentication infrastructure such as a RADIUS server and, typically, a directory like Active Directory. Where these are not already in place, which is true for many SMBs, the cost of acquiring them, on top of the cost and time of rolling out the protocol itself, means that CISOs/CSOs often shy away from 802.1X. 802.1X also requires that every connecting device run a supplicant (the 802.1X client). Most desktop and mobile operating systems ship one, but it still has to be configured on each device, and with certificate-based EAP-TLS each device must also be enrolled for a certificate. Doing that across a globally distributed organization is tiresome, if not impossible, and is another roadblock to deployment. It also seems to contradict the ease and agility of access expected for mobile BYOD devices in the enterprise, which leads many network security professionals to discount 802.1X as an effective solution for wireless networks.
Another major pain point is that the scope of 802.1X is narrow. It authenticates a device at the moment it connects and does nothing to police it afterwards. A printer with a working supplicant and valid credentials is admitted to the corporate network and can then talk to whatever resources it can reach, whenever it likes. Unless the RADIUS server returns authorization attributes that the switch or access point enforces (a dynamic VLAN or ACL assignment), or a separate network access control or device management solution is in place, 802.1X amounts to a 'free pass' onto the network, and it provides no visibility into, or accountability for, what an admitted device does once it is on.
Why You Might Reconsider 802.1X
Deployment and accountability aside, 802.1X remains one of the best ways to authenticate devices. Every session is authenticated end-to-end between the supplicant and the RADIUS server over EAP, the switch or access point keeps the port closed until that succeeds, and sessions can be re-authenticated periodically. That is a stronger basis than pre-/post-connection scanners or other less secure methods that only inspect a device after it is already on the network.
In addition, it is easier to manage than authentication methods built on pre-shared keys (PSKs). A PSK is shared by every device on the network: it cannot be revoked for a single device without re-keying all of them, and anyone who learns it can join the network and, with WPA2-Personal, decrypt the traffic of other clients whose key handshake they capture. 802.1X instead grants access on the strength of per-device certificates (EAP-TLS) and/or per-user credentials (for example PEAP or EAP-TTLS). These certificates and credentials are issued, revoked and managed centrally on the server, using existing back-end infrastructure, which simplifies implementation and policy administration.
Furthermore, once implemented, 802.1X is relatively easy to manage and use. Set up correctly, all it asks of users is to enter their credentials when prompted, and the prompt appears only once, with the credentials cached until they or the user's access role change. With certificate-based EAP-TLS the user is not prompted at all. 802.1X also lends itself to end-to-end provisioning, so enrolment and day-to-day management can be automated.
Of course, it is important to remember that, because it is an IEEE standard built on well-studied protocols (EAP carried over EAPOL on the client side and over RADIUS on the server side), 802.1X is one of the most secure ways to authenticate devices connecting to a network. Other methods may simplify implementation and management somewhat, but hardly any can match the security and strength of 802.1X on both wired and wireless networks.
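The exchange described above, as an added example that is not part of the original article: a supplicant's EAP-Response/Identity is relayed by the authenticator (switch or access point) to the RADIUS server in an Access-Request, and the server answers with an Access-Accept. The example also shows the answer to the previous section's 'free pass' concern, since the Access-Accept carries the RFC 2868 Tunnel-* attributes that tell the switch or access point which VLAN to place the device in. The shared secret, the identity `printer-07@corp.example` and the VLAN name `printers` are constructed test values, and the example omits the Access-Challenge round trips that a real EAP method such as EAP-TLS would add between the Identity response and the final Accept.

```python
"""Added example, not code from the original article: a minimal 802.1X-over-RADIUS
exchange per RFC 2865 (RADIUS), RFC 2869/3579 (EAP-Message, Message-Authenticator)
and RFC 2868 (Tunnel-* VLAN attributes).  Secret, identity and VLAN are constructed."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                  # RADIUS packet codes
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1                # RFC 3748
SHARED_SECRET = b"constructed-test-secret"            # constructed; use a long random one

def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity (Code, Identifier, Length, Type, Type-Data) from the supplicant."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value of at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def message_authenticator(code: int, ident: int, authenticator: bytes,
                          attrs: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over Code|ID|Length|Authenticator|Attributes with the Message-Authenticator
    value zeroed (RFC 2869 5.14).  For a reply, `authenticator` is the Request Authenticator."""
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v)
                      for t, v in parse_attrs(attrs))
    msg = struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + zeroed
    return hmac.new(secret, msg, hashlib.md5).digest()

def build_access_request(ident: int, identity: str, eap: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Authenticator -> server.  The Request Authenticator must be fresh and unpredictable
    for every request; the server's reply is bound to it."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, identity.encode()) + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs = attrs[:-16] + message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def verify_access_request(pkt: bytes, secret: bytes) -> bool:
    """Server side: an Access-Request carrying EAP-Message must carry a valid
    Message-Authenticator (RFC 3579 3.2), or it is silently discarded."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or int.from_bytes(pkt[2:4], "big") != len(pkt):
        return False
    mac = dict(parse_attrs(pkt[20:])).get(MESSAGE_AUTHENTICATOR)
    expected = message_authenticator(ACCESS_REQUEST, pkt[1], pkt[4:20], pkt[20:], secret)
    return mac is not None and hmac.compare_digest(mac, expected)

def build_access_accept(request: bytes, secret: bytes, vlan: str) -> bytes:
    """Server -> authenticator.  The Tunnel-* triple tells the switch/AP which VLAN to put the
    port in, so admission is scoped instead of being a free pass onto the whole network."""
    ident, request_auth, tag = request[1], request[4:20], b"\x01"   # one tag groups the triple
    attrs = (attr(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, tag + vlan.encode())
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs = attrs[:-16] + message_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, request: bytes, secret: bytes) -> Optional[dict]:
    """Authenticator side: check both integrity values against the request we sent and
    return the authorization result, or None if the reply must be discarded."""
    if len(reply) < 20 or int.from_bytes(reply[2:4], "big") != len(reply) or reply[1] != request[1]:
        return None
    code, header, response_auth, attrs = reply[0], reply[:4], reply[4:20], reply[20:]
    request_auth = request[4:20]
    if not hmac.compare_digest(response_auth,
                               hashlib.md5(header + request_auth + attrs + secret).digest()):
        return None
    parsed = parse_attrs(attrs)
    mac = dict(parsed).get(MESSAGE_AUTHENTICATOR)
    if mac is None or not hmac.compare_digest(
            mac, message_authenticator(code, reply[1], request_auth, attrs, secret)):
        return None
    vlan = None
    for t, v in parsed:
        if t == TUNNEL_PRIVATE_GROUP_ID and v:
            vlan = (v[1:] if v[0] <= 0x1F else v).decode()   # leading tag byte is optional
    return {"accepted": code == ACCESS_ACCEPT, "vlan": vlan}

if __name__ == "__main__":
    identity = "printer-07@corp.example"                    # constructed identity
    req = build_access_request(42, identity, eap_response_identity(1, identity), SHARED_SECRET)
    acc = build_access_accept(req, SHARED_SECRET, "printers")
    print(verify_access_request(req, SHARED_SECRET), verify_reply(acc, req, SHARED_SECRET))
```

Two things are worth noticing. Both integrity values, the Message-Authenticator and the Response Authenticator, rest on MD5 and a static shared secret between the authenticator and the server, which is why RADIUS traffic that leaves the building should be carried over RadSec (RADIUS/TLS, RFC 6614) or a VPN rather than sent over the open Internet. And the VLAN in the Accept only scopes the device if the switch or access point is configured to honour Tunnel-* attributes; a server that returns a bare Accept, or a port that ignores the attributes, is exactly the 'free pass' case described earlier.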
Implementation Issues Solved with 802.1X as a Cloud Service
When 802.1X is delivered as a cloud service, the complaints about implementation woes and limited capabilities largely fall away. In this model there is no on-premises RADIUS appliance to buy, build or maintain (an existing RADIUS or Active Directory server can still be used as a back-end), which significantly cuts the cost and deployment time previously associated with the protocol. The switches and access points that act as authenticators stay where they are and are simply pointed at the cloud RADIUS service. Because plain RADIUS over UDP protects packets only with MD5 and a static shared secret, that link should be carried over RadSec (RADIUS/TLS, RFC 6614) or a VPN rather than the open Internet. The cloud model also provides secure access for a geo-distributed workforce without local appliance deployments, and supports business continuity: if appliances go offline at headquarters, remote branches and home offices keep authenticating against the cloud. The dependency runs the other way as well, so authenticators should be configured with a fallback (for example a critical-authentication or guest VLAN) for the case where the cloud service is unreachable.
Indeed, the cloud model might be a new start for 802.1X authentication in the enterprise, solving its key deployment and coverage problems with the ease and efficiency of a cloud service.