
Enhancing 802.1X authentication using digital identity systems and EAP

Federico Failla

Enhancing 802.1X authentication using digital identity systems and EAP.

Supervisor: Diana Gratiela Berbecaru. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2025

PDF (Tesi_di_laurea) - Thesis
Access restricted to: staff users only until 24 October 2028 (embargo date).
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

This thesis presents the design, implementation, and evaluation of EAP-SPID, a novel authentication method that integrates the Italian digital identity system SPID into the IEEE 802.1X framework. The key aim of this work is to overcome the weaknesses of traditional network access control by leveraging federated identity management so that users can authenticate with their federated credentials in enterprise and public network environments. The proposed solution extends the Extensible Authentication Protocol (EAP) by introducing EAP-SPID, which exploits SPID’s SAML-based infrastructure while operating under the requirements of 802.1X and the EAP framework to maintain compatibility with existing 802.1X deployments. A prototype was developed, consisting of a custom implementation in hostapd and wpa_supplicant, together with a dedicated Service Provider backend deployed on a public AWS EC2 instance. To validate the interoperability and functioning of the implementation, the official SPID Demo Identity Provider was used in a controlled environment based on virtual machines. In the evaluation of EAP-SPID performance, the protocol was compared with established methods such as EAP-TLS and EAP-PEAP (MSCHAPv2). Results highlight an additional latency introduced by EAP-SPID because of its polling-based synchronization mechanism and required user interaction, but also significant benefits in terms of usability, security, and federated identity integration. Additionally, the limitations of the current design are analyzed, as well as possible future improvements such as mobile app integration and optimized backend communication. This work demonstrates how federated digital identities can be integrated into 802.1X networks, offering an option for adoption in environments where secure network access and user-friendly authentication are essential.

Supervisors: Diana Gratiela Berbecaru
Academic year: 2025/26
Publication type: Electronic
Number of pages: 96
Subjects:
Degree programme: Master's degree programme in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/37668