In 802.1x does the client authenticate with the certificate containing the private key, e.g. is the private key stored on the device that is wishing to access a given resource network?
-
https://en.wikipedia.org/wiki/IEEE_802.1 – mootmoot Apr 21 '17 at 12:20
-
and now tell me which of the pages answers my question? I know them. All it says is "With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification." I guess it's the private cert but want to make sure. – cyzczy Apr 21 '17 at 12:27
-
The short answer is yes. The longer answer is: the device can always generate its own private key from time to time. – mootmoot Apr 21 '17 at 12:40
1 Answer
is the private key stored on the device that is wishing to access a given resource network ...
For authentication using public-key cryptography as done in 802.1x or in TLS certificates, the authenticating party needs to prove ownership of the private key. This is done by doing cryptographic operations using this private key, typically by signing some value given by the peer or derived from a value given by the peer.
Such cryptographic operations can be done by some software running inside the client's operating system if the private key is accessible to the system, i.e. typically stored on the file system. But it could also be done by some special hardware integrated into or associated with the system, like a smart card, TPM, HSM or similar. Such operations could also be done on a remote system, as in Cloudflare Keyless SSL.
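As an added example (not from the answer above or from any 802.1X implementation), this Go program models the proof of possession the answer describes: the supplicant signs a fresh value from the authenticator with a key it never reveals, and the authenticator checks the signature using only the public key, the part it would take from the presented certificate. The key here is a software ECDSA key, an assumption for the demo; because the supplicant side uses it only through Go's crypto.Signer interface, a smart card, TPM or remote signer could be substituted without changing the verifier.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newSoftwareKey stands in for a client whose private key lives on its file system.
// Any crypto.Signer (smart card, TPM, remote signing service) could be returned instead.
func newSoftwareKey() (crypto.Signer, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newChallenge is the authenticator's fresh random value; a reused value would allow replay.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// proveOwnership runs on the supplicant: hash the challenge and sign it with the private key.
// The private key itself is never sent; only the signature leaves the device.
func proveOwnership(key crypto.Signer, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return key.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// verifyOwnership runs on the authenticator with nothing but the public key.
func verifyOwnership(pub crypto.PublicKey, challenge, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

// runHandshake performs one challenge-response exchange and reports whether it passed.
func runHandshake(key crypto.Signer) (bool, error) {
	challenge, err := newChallenge()
	if err != nil {
		return false, err
	}
	sig, err := proveOwnership(key, challenge)
	if err != nil {
		return false, err
	}
	return verifyOwnership(key.Public(), challenge, sig), nil
}

func main() {
	key, _ := newSoftwareKey()
	ok, _ := runHandshake(key)
	fmt.Println("proof of possession accepted:", ok)
}
```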
-
Thank you. One question though. If I have a PKI solution in place and it's performing auto enrollment, would it then generate the certificate for the user or rather his device? What would be the best way to handle this? – cyzczy Apr 22 '17 at 07:28
-
@adam86: From my understanding of your comment it might be somehow related to your original question but is actually mainly a new question. In this case it is not a good idea to use a comment to ask it. Instead please ask a new question so you can get better input. But you should probably add more details to your question than you currently have in the comment. – Steffen Ullrich Apr 22 '17 at 07:36