Several months ago I learned from Svyatoslav Pidgorny, Microsoft MVP for security, about a problem in 802.1X that makes it essentially useless for protecting wired networks from rogue machines. Initially I was a bit skeptical, but the attack he described is in fact true — I’ve seen it myself now. So I’ve been explaining the attack at conferences lately and have also included information about it in the book. However, I don’t believe the danger presented by wired 802.1X is getting enough reach, so I’ve written about it in the August security management column.
As you read the article, remember that the vulnerability enabling the attack is a fundamental weakness in the protocol — it authenticates only upon connection establishment and assumes all traffic after authentication is legitimate. The vulnerability exists in wired networks because there’s no follow-on, per-packet authentication once the port has been authorized. You really should be using domain isolation with IPsec to thwart rogue machines, and at the article’s end are links to information about that. Also, understand this particular vulnerability isn’t present in 802.1X-protected wireless networks, because the authenticators and supplicants have established authentication and encryption keys that protect individual 802.11 frames.
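To make the difference concrete, here is an added illustration (it is not from the column, the book, or Svyatoslav’s write-up) that models a wired port which authorizes once and then forwards everything, next to a link whose frames each carry an integrity tag under a per-session key, as 802.11i or IPsec domain isolation provides. The station names, credential table, and HMAC-SHA256 tag are all constructed assumptions, not any real switch or supplicant implementation.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass
from typing import Optional

CREDENTIALS = {"laptop-A": "correct-horse"}  # constructed supplicant database

@dataclass
class Frame:
    src: str
    payload: bytes
    mic: Optional[bytes] = None  # per-frame integrity tag, if the link provides one

class WiredPort:
    """Models plain wired 802.1X: the port is authorized once, then forwards everything."""
    def __init__(self):
        self.authorized = False
    def authenticate(self, station, password):
        self.authorized = CREDENTIALS.get(station) == password
        return self.authorized
    def forward(self, frame):
        # No follow-on packet authentication: any frame on an authorized port passes,
        # regardless of who actually placed it on the wire.
        return self.authorized

class KeyedPort:
    """Models a link with per-frame keys (802.11i, or IPsec domain isolation)."""
    def __init__(self):
        self.session_key = None
    def authenticate(self, station, password):
        if CREDENTIALS.get(station) != password:
            return None
        self.session_key = secrets.token_bytes(32)  # session key shared only with the supplicant
        return self.session_key
    def forward(self, frame):
        # Every frame must prove possession of the session key, not just the first one.
        if self.session_key is None or frame.mic is None:
            return False
        expected = hmac.new(self.session_key, frame.src.encode() + frame.payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, frame.mic)

def sign_frame(key, src, payload):
    mic = hmac.new(key, src.encode() + payload, hashlib.sha256).digest()
    return Frame(src, payload, mic)

def demo():
    wired, keyed = WiredPort(), KeyedPort()
    wired.authenticate("laptop-A", "correct-horse")
    key = keyed.authenticate("laptop-A", "correct-horse")
    legit = sign_frame(key, "laptop-A", b"hello")       # frame from the authenticated station
    unkeyed = Frame("other-host", b"hello")             # frame from a station that never authenticated
    # (wired_legit, wired_unkeyed, keyed_legit, keyed_unkeyed)
    return (wired.forward(legit), wired.forward(unkeyed), keyed.forward(legit), keyed.forward(unkeyed))
```

The wired model forwards the unauthenticated station’s frame as readily as the legitimate one, while the keyed model drops it, which is exactly the gap that domain isolation with IPsec closes on wired segments.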