See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/331385711

Analysis and Implementation of the Authentication Protocol 802.1x

Article  in  International Journal of Computer Applications · February 2014

CITATIONS READS

0 326

2 authors, including:

Harith Ghanim Ayoub

Northern Technical University
3 PUBLICATIONS   0 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Wireless attack using EAPoL handshaking View project

GPS antenna View project

All content following this page was uploaded by Harith Ghanim Ayoub on 27 February 2019.

The user has requested enhancement of the downloaded file.

 International Journal of Computer Applications (0975 – 8887)
Volume 87 – No.4, February 2014

Analysis and Implementation of the Authentication

Protocol 802.1x
A. I. A. Jabbar, Ph.D Harith G. A.
Assistant Professor M.Sc. Student
Department of Electrical Engineering Department of Electrical Engineering
Mosul University Mosul University

ABSTRACT systems like the popular MySQL, MsSQL, and many others
The security of wireless networks against hacker attacks [10].
depends on some parameters and special configurations. Practically, windows 7 and Android operating systems are
Authentication is considered as one of the most important provided with the necessary software’s to authenticate
security parameter in computer networks [1]. The subscribers using 802.1x protocol. Conventionally, if the
communication for example between users through the authentication server is installed on the desktop (stationary
internet must be authenticated by both sides in order to server) then it is possible to authenticate users within pure
prevent hackers from pretending any one of them [2]. computer networks or within a mixed (mobile & laptop)
Authentication process has the function to allow or prevent network reliably. Installing the Android sever software in
users from accessing the wireless network like IEEE 802.11b portable laptop may suffer from some difficulties because of
or 802.11g, it can be applied also to wired networks [3]. its variable position, this may cause the portable server to be a
IEEE 802.1X [4] is the famous standard which uses hidden terminal to the other users leading to a failing
Extensible Authentication Protocol (EAP) to authenticate authentication process. In this paper, a pure mobile network is
users before giving them access to the network [5]. The designed and implemented practically showing the successful
process of authentication is extended to include RADIUS and failing authentication processes.
protocol which is designed to authenticate remote users within
special organizations, then upgraded to include most of the
2. THE PROPOSED MOBILE
operating systems and computer networks. It is now the most NETWORK
famous and applicable protocol for authenticating remote The mobile network shown in Figure 1 is designed according
users [6]. to the following assumptions: -
Recently, the operating system Android has dominated other 1. The number of mobiles is equal to 8.
operating systems, it is based on Linux core and has the
2. The protocol of authentication provided by Android is
capability to support 802.1x and other security protocols [7].
installed on a portable laptop.
In this paper, 802.1x protocol is applied to authenticate users
using windows 7 and Android operating systems, a 3. The area of the network is equal to 100m2.
comparison to show the main differences between them is
introduced successfully in mixed (computer & mobiles) 4. The hidden terminal problem may be existed according
network. to the positions of the mobiles with respect to the
obstacles within the area. Figure 1 shows a possible
Keywords subscriber distribution within the proposed network.
IEEE 802.1x, EAP, RADIUS, Ubuntu, PEAP, MS-CHAPv2, 5. The supporting protocols associated with 802.1x protocol
ANDROID, IOS, Windows 7 are Protected EAP (PEAP) and MS-CHAPv2.
1. INTRODUCTION 6. Samsung Galaxy, iPhones and laptops are the types of
The first element of the IEEE 802.1X protocol is the mobiles being used with the operating systems Android,
supplicant, which is the device that wants to join the computer
network. The second element is the authenticator, which is the
device or controller that controls access to the network. The
third element is the authentication server [8].
It is worth to mention that the Security Protocol IEEE 802.1X
can be obtained by installing FreeRADIUS (the most widely
deployed RADIUS server in the world) onto the free
operating system Ubuntu server [9].
The rapid deployment of 802.1x in the internet applications
generates what is called daloRADIUS which is an advanced
RADIUS web platform. It provides efficient user
management, accounting, graphical reporting, and can be
integrated with Google Maps for geo-locating (GIS).
daloRADIUS can be written either in PHP or in JavaScript, It
is based on a FreeRADIUS and can support many database

Fig 1: 802.1X Network 40

 International Journal of Computer Applications (0975 – 8887)
Volume 87 – No.4, February 2014

3. THE INSTALLATION PROCESS OF Start

802.1X Install RADIUS on Authentication

Wireless networks provide an alternative networking option Server(Laptop)
when traditional wired networks are impractical. The Ubuntu
Server is the operating system which provides secure wireless Listening on authentication address * port 1812
Listening on accounting address * port 1813
local area network (WLAN). The flowcharts shown in Figure Listening on proxy address * port 1814
2 provide comprehensive guidance on how to install the Ready to process requests
802.1X protocol (Successful & Failure Authentication
process) onto portable laptop. Access-Request
[sql] expand: %{User-Name} -> free
[sql] sql_set_user escaped user --> 'free'
[sql] User found in radcheck table
Found Auth-Type = EAP
Start Sending Access-Challenge
Finishing request 0
processing type peap
Install RADIUS on Authentication In SSL Handshake Phase
Server(Laptop) In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
Sending Access-Challenge
Listening on authentication address * port 1812 Finishing request 1
Listening on accounting address * port 1813
Listening on proxy address * port 1814
SSL negotiation finished successfully
Ready to process requests SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
Access-Request Sending Access-Challenge
User-Name = "wdwd" Finishing request 2
[sql] User wdwd not found
++[sql] returns notfound [peap] processing EAP-TLS
WARNING! No password found for the user. Authentication may fail [peap] Received TLS ACK
[peap] ACK handshake is finished
Sending Access-Challenge [peap] EAPTLS_SUCCESS
Finishing request 0 Sending Access-Challenge
Finishing request 3

SSL: SSL_read failed inside of TLS (-1), TLS [eap] EAP Identity
[eap] processing type mschapv2
session fails. rlm_eap_mschapv2: Issuing Challenge
TLS receive handshake failed during operation Sending Access-Challenge
Finishing request 1 Finishing request 4

[mschapv2] +- entering group MS-CHAP {...}

[mschap] Creating challenge hash with username: free
[mschap] Told to do MS-CHAPv2 for free with NT-Password
Failed in EAP select
MSCHAP Success
Failed to authenticate the user. Sending Access-Challenge
Using Post-Auth-Type Reject Finishing request 5
+- entering group REJECT {...}
VALUES ('wdwd','Access-Reject', '2013-11-30 12:56:35') (username, pass, reply, authdate)
VALUES ('free', '', 'Access-Accept', '2013-09-30 17:31:21')
Sending Access-Reject [peap] Tunneled authentication was successful.
[peap] SUCCESS
Sending Access-Challenge
Finishing request 6
Cleaning up request 0 ID 0 with timestamp +20
Cleaning up request 1 ID 1 with timestamp +20 [peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
Cleaning up request 2 ID 2 with timestamp +20 [peap] Received EAP-TLV response.
Ready to process requests. [peap] Success
[peap] Using saved attributes from the original Access-Accept
Sending Access-Challenge
Finishing request 7

Finish
Cleaning up request 0 ID 95 with timestamp +265
Cleaning up request 1 ID 96 with timestamp +265
A- Failure process Cleaning up request 2 ID 97 with timestamp +265
Cleaning up request 3 ID 98 with timestamp +265
Cleaning up request 4 ID 99 with timestamp +265
Cleaning up request 5 ID 100 with timestamp +265
Cleaning up request 6 ID 101 with timestamp +265
Cleaning up request 7 ID 102 with timestamp +265
Ready to process requests.

Finish

B- Successful process

Fig 2: Successful and Failure processes according to the 802.1X protocol

41
 International Journal of Computer Applications (0975 – 8887)
Volume 87 – No.4, February 2014

4. PRACTICAL RESULTS
4.1 Successfully access process
As mentioned in the figure 2, The Authentication between the
portable laptop and any mobility needs eight basic stages
(request 0–request 7) to be a successful process.
Figure 3 displays some of the successful process results
between the portable laptop and M3.

A- Starting of authentication process & checking the username

B- Selecting authentication type & sending Access-Challenge

C- SSL connection established & finishing request 2

D- ACK handshaking & tunnel established

E- MS-CHAPv2 is the method using in authentication process

42
 International Journal of Computer Applications (0975 – 8887)
Volume 87 – No.4, February 2014

F- Appling hash function using MS-CHAPv2

G- Access-Accept of the authentication process

H- Finishing of all requests & ready to another process requests

Fig 3: shows the processing steps of the authentication between the portable laptop and M3
4.2 Failure access request
The unsuccessful authentication process passes through three
stages only, It begins with request 0 and ends with request 2,
the process of checking user’s access (wdwd as a username) is
achieved in the first stage, the authentication between the
laptop and M4 will be failed because of the obstacle between
them. Figure 4 shows the steps of a failed authentication
process.

A- Trying another user name

43
 International Journal of Computer Applications (0975 – 8887)
Volume 87 – No.4, February 2014

B- This username does not exist in RADIUS

database

C- No password found for this username database

D- Failure of EAP selection & Putting username in rejecting group

E- Sending Access-Reject & Ready to process other requests

Fig 4: shows the unsuccessful authentication between the portable laptop and M4

44
 International Journal of Computer Applications (0975 – 8887)
Volume 87 – No.4, February 2014

4.3 Comparison between the authentication
process of Galaxy note, iPhone and laptop
By taking samples from each of the eight stages of successful
authentication of Android, IOS and windows 7 operating
systems, Table (1) shows a comparison between the different
devices under test.
Table 1. A comparison between the authentication
process of Galaxy note, iPhone and laptop
802.1x so secure against different hackers attacks. Concerning
the devices under test, this paper proves that Samsung Galaxy
Note provides higher security than the other types.
6. REFERENCES
[1] YongYu, Qun Wang, Van Jiang, “Research on Security
of the WLAN Campus Network” International
Conference on E-Health Networking, Digital Ecosystems
and Technologies, 2010.

Galaxy [2] M. Hasbullah Mazlan, Sharifah H.S. Ariffin, Mohammed

IPhone Laptop Balfaqih, S.Norhaizum M.Hasnan, Shariq Haseeb,
note
“Latency evaluation ofauthentication protocols
Operating Windows incentralized 802.11 architecture”, Universiti Teknologi
Android IOS
system 7 Malaysia (UTM), 2012.
Request (0, 1, [3] Snehasish Parhi, “Attacks Due to Flaw of Protocols Used
Identical Identical Identical In Network Access Control (NAC) “, Their Solutions and
2, 3)
Issues: A Survey, I. J. Computer Network and
NO of EAP Information Security, 2012.
4 2 2
Messages
[4] IEEE Standards, “IEEE Standard for Local and
Acct-Interim-
Metropolitan Area Networks - Port-Based Network
Interval 60 60 −
Access Control“, 2010.
(Request 4)
Replacing [5] Alexandra Chiornita, Laura Gheorghe, Daniel Rosner,
Replacing “A Practical Analysis of EAP Authentication Methods,
Request (5) User- −
User-Password Faculty of Automatic Control and Computers“, IEEE
Password
International Conference ,2010.
Request (6, 7) Identical Identical Identical
[6] Ling-Wei Zhou, Sheng-ju Sang, “Analysis and
Improvements of PEAP Protocol in WLAN”,
Appendix [A] shows samples of the results which are International Symposium on Information Technology in
obtained during the authentication processes of the different Medicine and Education, 2012.
operating systems and mobiles (devices). [7] Hadeel Tariq Al-Rayes, “Studying Main Differences
between Android & Linux Operating Systems”,
5. CONCLUSION International Journal of Electrical & Computer Sciences
The security protocol 802.1x is Characterized by its capability IJECS-IJENS Vol:12 No:05, 2012.
of working with different types of devices (Samsung Galaxy [8] Øystein Gyland, Tom Myren, Rune Sydskjør, Gunnar
Note, iPhone and Laptop) and under various operating Bøe,”Implementation of IEEE 802.1X in Wired
systems such as Android, IOS and Windows 7. Networks”, UNINETT led working group on security
It is found that eight stages are required for successful (UFS 133), 2013.
authentication (i.e. Authorized user). On the other hand, it is [9] Dirk van der Walt, “FreeRADIUS Beginner's Guide
also proven that in the case of unauthorized users or the Manage your network resources with FreeRADIUS”,
presence of obstacles between the client and the authenticator, PACKT publishing, BIRMINGHAM – MUMBAI, 2011.
three stages are sufficient to stop authentication process.
[10] Liran Tal of Enginx, “Virtual Machine daloRADIUS
As a consequence, the remaining stages will be hidden and Administrator Guide Version 0.9-9”, 2011.
out of reach by the unauthorized users. This fact makes

45
 International Journal of Computer Applications (0975 – 8887)
Volume 87 – No.4, February 2014

Appendix [A]
Samples of authentication process

1- The following figure shows the number of EAP messages

required during the authentication process of the different
devices.

2- The displayed page below shows that password warning is

presented in Android and IOS, but it is absent in windows 7.

IJCATM : www.ijcaonline.org 46

View publication stats