Thursday, August 18, 2011
Why 802.1X makes sense
As promised yesterday, today’s topic is the mystery of IEEE 802.1X. This standard comes from the Ethernet corner; many of you probably already know the wireless IEEE 802.11 standard for wireless LAN. And actually 802.1X is heavily used for wireless access points; this is where you have to enter your passwords before you can join a wireless LAN. For wired LAN I also developed my own simple formula for 802.1X: At makes sure nobody plugs a router into the network!
The story goes like this: One morning, the admin came back to work, and guess what: Nothing works. Why? There is a 2nd DHCP server in the network, and it should not be there! It took the admin one or two hours of hard work to figure that out, and the boss is already sending the first people home. Admin starts to sweat! The building has ten floors, and each floor has 100 rooms. Sending an email around who the heck has plugged a router into the network does not help—because everyone is offline from email!!! Admin starts opening doors on floor 1. First room: “Did you plug a router in?!” Nope. Next room. Nope, next, next, next. One hour later, next floor. Nope, nope, nope, next floor. Everybody gone home already, nobody even left for asking. Admin really starts to sweat. Top floor (okay here the story becomes unrealistic because in a real company there are no developers on the top floor). Admin spots a check 50 USD dollar router plugged into the network, takes it out. Voila! The network starts to work again. Too late, everybody already gone home!
I witnessed this situation three times already, believe it or not. First time it was in snom, and yes one of the developers wanted to test out a DSL router. It took only two hours to get that figured out. The second time was in a hotel, I was surprised that the first time I got a 192.168.x.x address and then later I got a 10.x.x.x address. The hotel management had to print out letters and slide it under the doors of all rooms, with apologies and if someone accidentally started a DHCP server. It was fun! It turned out someone was running a virtual machine and he forgot to turn the DHCP server off on one of the machines (wasn’t me). Well the third time was actually when I was travelling to Japan and I had my DSL router with me… How else can you work on VoIP phones in the hotel room? Must have plugged the cable into the wrong port… Anyway, it took hours until the hotel network was back… I put my router into the luggage later so that housekeeping could not blow the whistle!
So, long story short: A stupid tiny device can break the whole network or what? That’s where 802.1X comes in. It should simply not be allowed to plug unidentified devices into the network.
That’s why in many large networks, you first need to say who you are before you are allowed to enter the network. Actually, in many cases 802.1X is linked to VLAN as well. If you don’t authenticate, you’ll land in the general-purpose VLAN, where such things like multiple DHCP server can happen. This is typically the network that you get in the meeting room of large companies. But if you are able to authenticate properly, you land in “your” VLAN. That actually even makes LLDP superfluous. For our snom m9 device, it 802.1X is set up properly, the switch will automatically move the link into the voice VLAN. Neat!!!
802.1X has many ways for authentication. What we support on the m9 is the digest authentication, just like on the SIP registration. There are some other ways, especially certificate-based methods, but we figured that for right now a simple username/password-based authentication would solve the problem. So essentially what you have to provide, is a username and a password. This is sent to the switch even before LLDP kicks in, and as I said before, LLDP might not even be necessary any more after the device has successfully authenticated itself.