That's a lot of questions, so let's take them one by one.
What exactly is 802.1X Port-Based Authentication?
From Wikipedia:
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
In other words, it is a mechanism used in (mostly) switches and wireless access-points to allow or block devices to access the network (or granularly allow access to parts of it).
For example, if you have a network port in a meeting room, you can enable 802.1x on the switchport and configure it in such a way that when an employee connects she has access to the entire network, but if a guest connects (with a temporary password) he can only reach the Internet, and if a passer-by is tempted to try his luck, he cannot access anything at all.
Doesn't it also use RADIUS as its underlying authentication mechanism?
Yes and no. 802.1x uses the Extensible Authentication Protocol (EAP), and the Wikipedia article about 802.1x has this nice drawing that shows that for wired 802.1x:
- EAP over LAN (EAPoL) is used between the Supplicant (software on your laptop) and the Authenticator (switch)
- EAP is then usually tunnelled over Radius between the Authenticator and the Authentication Server, but it can also be done over Diameter (the successor to Radius)
For wireless it is similar in the sense that there is also no Radius between the supplicant and the authenticator, only between the authenticator and the auth server (to tunnel the EAP).
Now the Extensible in EAP's name is very true: there are dozens of EAP methods that you can choose from; some use passwords, others certificates or both, etc.
What are their differences?
Well, it's a bit like comparing apples and oranges.
Dot1x is not really a protocol but more a framework in which protocols like EAPoL and Radius are used.
Simplified (maybe over-simplified?) you could say:
- Radius is typically used as a 'simple' authentication method to control who can login to a router (or other device), or who can connect using a VPN client. Sometimes also for authorization, e.g. to determine the privilege-level when you log in to a router, or to push a dynamic access-list for a vpn user.
- Dot1x is typically used to control access to switchports and wifi.
And if we can somehow compare them, which one is more secure?
I don't believe (but anyone please correct me) that there are scenarios where you can choose between one or the other. It may make more sense to compare Radius and EAP, to some extent.
Some things to consider:
- EAP is end-to-end while Radius is only used between the Authenticator and the Authentication Server and so you need to make sure that the part between the client and the Authenticator is also secured; e.g. use SSH instead of telnet to log in to your router.
- similarly some (but not all) EAP methods can be used for mutual authentication (between the supplicant and the authentication server!), in the Radius case it depends again on what protocol is used between client and authenticator.
- EAP is as secure as the EAP method you select (e.g. LEAP or EAP-MD5 are weak)
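The two legs described above (EAPoL between supplicant and authenticator, then the same EAP packet tunnelled in RADIUS between authenticator and authentication server) as an added, constructed example that is not part of the original answer. It builds one EAP-Response/Identity packet, wraps it first in an EAPOL frame and then in a RADIUS Access-Request with EAP-Message and Message-Authenticator attributes, and shows the server-side check that makes the RADIUS hop tamper-evident; the identity, MAC address and shared secret are made-up sample values.

```python
import hashlib, hmac, struct

# Constants from IEEE 802.1X-2010, RFC 3748 (EAP) and RFC 2865/3579 (RADIUS)
EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 79, 80

def build_eap_identity_response(identifier: int, identity: bytes) -> bytes:
    """EAP packet: Code | Identifier | Length | Type=Identity | identity bytes."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body

def wrap_eapol(eap: bytes, src_mac: bytes, version: int = 2) -> bytes:
    """Supplicant -> Authenticator leg: Ethernet header + EAPOL header (Type 0 = EAP-Packet)."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, 0, len(eap)) + eap

def wrap_radius(eap: bytes, identity: bytes, secret: bytes, pkt_id: int, req_auth: bytes) -> bytes:
    """Authenticator -> Authentication Server leg: the unchanged EAP bytes go into
    EAP-Message attributes (<= 253 bytes each) of a RADIUS Access-Request. RFC 3579 requires
    Message-Authenticator = HMAC-MD5(secret, whole packet with that attribute's value zeroed)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(identity)]) + identity
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    attrs += bytes([ATTR_MSG_AUTH, 18]) + bytes(16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def check_radius(pkt: bytes, secret: bytes):
    """Server side: returns (message_authenticator_ok, reassembled EAP bytes)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, b""
    pos, eap, mac_pos = 20, b"", None
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False, b""                       # malformed attribute
        if atype == ATTR_EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]
        elif atype == ATTR_MSG_AUTH and alen == 18:
            mac_pos = pos + 2
        pos += alen
    if mac_pos is None:                             # EAP without Message-Authenticator: reject
        return False, eap
    zeroed = pkt[:mac_pos] + bytes(16) + pkt[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[mac_pos:mac_pos + 16]), eap
```

Note that the Message-Authenticator only protects the authenticator-to-server hop with the shared secret; whether the supplicant's identity and credentials are protected end-to-end depends entirely on the EAP method inside.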
802.1X does perform either a computer or a user authentication to allow the network access.
NAC is a generic term designating any form of Network Access Control.
Then 802.1X is one kind of NAC. I consider 802.1X to be the standard of NAC.
Beware here of the abbreviation collision around NAC which stands for Network Access Control and Network Admission Control.
Network Admission Control (origin Cisco) and Network Access Protection (origin Microsoft) are also two commercial NAC (Network Access Control) solutions going further than the standard 802.1X. They verify that the connecting operating system is in a correct state (through the checksum of some components), and that the endpoint anti-virus is on and up to date.
NAC (Network Admission Control), the Cisco version, is more network-aware and less Windows-addicted. Unfortunately this software solution stopped being supported by Cisco in 2011.
NAP (Network Access Protection), the Microsoft solution, is more Windows-aware and less network-adapted.
From my own short experience, these 2 software solutions might be easily deceived as long as you get control of the endpoint PC (Windows, MacOS X, Linux…). You can easily install an endpoint yes-agent replacing the vendor's one.
So I advise sticking to the 802... standards, which have their limitations and flaws, but no hidden features that give attackers an advantage.
Best Answer
Frankly, no.
802.1X authenticates the port, and as long as it is authenticated it participates in the network. Frames inserted or even modified by an otherwise transparent network device cannot be detected.
802.1X has had some serious attack vectors from the start and can only be regarded as a "better than nothing" approach. If you want serious port security you'll need 802.1AE aka MACsec.
Another approach (thx Ricky) is to forgo port-level security completely and instead rely on VPN connections you build on top of your physical network, basically moving the security up the stack. While this can be made very secure and backward compatible with just about any infrastructure, it may introduce bottlenecks at the VPN router(s) and their links.