Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

Ring the Bell, 802.1x is Dead

Cyber Bob, Principal Security Engineer and CTO at Forescout | July 31, 2019

Twitter: @MeetCyberBob

Those of you that have worked with me for the past few years know that the language and success of RADIUS Port Authentication have been a part of my DNA for many years… I feel comfortable with the language it speaks but have never been comfortable with the disruption it presents.

We’ve all at some point received a gift from a family member that we have had to keep for a while. But then you move, or spring cleaning comes along, and out it goes into the bin. This is exactly what is happening on enterprise campuses everywhere. Why?

RADIUS authentication promised the world– leading us to super-strong authentication with 802.1x. Then the default actually became MAC Auth Bypass. The auditors’ first ingress into the network, a quick hit to show the risk. It is quite easy to identify ports or IoT devices, printers, TVs, refrigerators – you name it from the small device boom, and you have probably just named yet another device that does not have a supplicant. Supplicants are required for 802.1x to work. It also needs credentials like a certificate or user ID/password. This is next to impossible without a central management console for all these devices.

Market research firms are claiming the number of devices will grow to 30-40 billion in the next few years… so we can see why 802.1x is dying, at least for the wired campus. With wireless there are significant benefits to 802.1x, especially for Encryption Key Management.

But for the wired network, 802.1x is dead.

Now, what do you do instead?

Honestly, there is a LOT that can be done. Did anyone hear of Zero Trust networking? I can tell you this is done on scale and without 802.1x. Let me repeat… ON SCALE in large campuses, data centers, and operational technology environments. Zero Trust networking also leads to efficient cross-vendor segmentation to reduce horizontal visibility/access.

Think about it from another perspective. RADIUS authentication on the wired network needs something. That comfortable “click” into the docking station or wall jack needs to offer service. Fast. When it fails, what happens? A help desk ticket is opened, or a phone call is made.  Then the endpoint, network and server teams are usually working together to solve a SINGLE workstation failure. This does NOT scale. Usually if there’s a failure the MAC Auth bypass list is adjusted, but never cleaned up – especially in larger organizations. This is where the risk just grows and grows for your organization. You don’t want that to lead to your company headlining on the daily news.

Do yourself a favor – ask yourself some business questions.

  • What am I protecting? (Think about people and processes as well as technology.)
  • Am I adding complexity, but significantly reducing onboarding? Increasing productivity?
  • Is there management overhead that just has to be accepted?
  • What happens if we do nothing?

Do those questions lead you to any of these responses…?

  • Automation is limited and would require a massive level of effort and training.
  • We’d require software updates, agents, or there would be no improvement moving to real-time.
  • This cannot be automated; the network vendor cannot provide the tool.

If so, maybe you are looking at the wrong tools. Because if you look at these questions for your wired network and still come back with the idea of using 802.1x, you are not trying to solve a business problem… you are trying to attach horseshoes to a brand-new car and call it a horse.

Demo Request Forescout Platform Top of Page