Authentication System-802.1x Protocol Introduction

Source: Internet
Author: User

 

802.1x Protocol Introduction

802.1x Protocol Overview
The 802.1X protocol is a recently standardized LAN access control protocol that belongs to the IEEE 802 protocol family; it is known as a port-based access control protocol. Building on the advantages of IEEE 802 LANs, it provides a way to authenticate and authorize users who connect to the LAN, so that only legitimate users are admitted and network security is protected. 802.1x authentication, also known as EAPOE authentication, is mainly used in broadband IP MANs (metropolitan area networks).
 
802.1x Protocol Working Mechanism
Ethernet was originally designed for "connectivity and sharing", which leaves networks built on it exposed to many security problems. The IEEE 802.1X protocol was proposed in this context and has become an effective means of addressing LAN security problems.

In the 802.1X protocol, the following three elements are needed to complete port-based access control, user authentication and authorization.
 
Client: generally installed on the user's workstation. When the user needs to access the network, they start the client program and enter the required user name and password; the client program then sends a connection request.

Authentication System: in an Ethernet system, this is the authentication switch. It relays user authentication information to and from the server and opens or closes the port according to the authentication result.

Authentication Server: checks the identity (user name and password) sent by the client to determine whether the user is entitled to use the network services the system provides, and instructs the switch to open or close the port according to the result.

In a network system with 802.1X authentication, the following authentication process must be completed before a user can access network resources.
 
1. When a user needs to access the network, they open the 802.1X client program, enter the user name and password that were applied for and registered, and initiate a connection request. The client sends an authentication request message to the switch, which starts the authentication process.
2. After receiving the authentication request frame, the switch sends a request frame asking the user's client program to send the user name.
3. In response to the switch's request, the client sends the user name to the switch in a data frame. The switch repackages the frame and forwards it to the authentication server for processing.
4. After receiving the user name forwarded by the switch, the authentication server looks it up in the user name table in its database and finds the password information corresponding to that user name. It then generates a random "encrypted word" (a challenge), uses it to encrypt the password, and also sends the encrypted word to the switch, which passes it on to the client program.
5. After receiving the encrypted word from the switch, the client program uses it to encrypt the password (this encryption algorithm is usually irreversible) and sends the result to the authentication server through the switch.
6. The authentication server compares the received encrypted password with its own encrypted password. If they match, the server considers the user legitimate, returns an authentication-success message and sends a port-open command to the switch, allowing the user's business traffic to pass through the port. Otherwise it returns an authentication-failure message and the switch port stays closed: only authentication data is allowed through, business data is not.
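The challenge/response exchange of steps 4 to 6, as an added example that is not part of the original article. The irreversible "encryption" of the password with the random encrypted word is modelled as EAP-MD5 (RFC 3748, using the CHAP MD5 algorithm of RFC 1994); the credential table, user name and password are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed credential table standing in for the server's "user name table".
USER_DB = {"alice": b"s3cret-pass"}


def make_challenge(length: int = 16) -> bytes:
    """Step 4: the server generates a fresh random 'encrypted word' (challenge)."""
    return os.urandom(length)


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The irreversible function of steps 4-6, modelled as EAP-MD5:
    MD5(Identifier || Secret || Challenge). Note that EAP-MD5 only
    authenticates the client; the server is not authenticated."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def client_respond(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Step 5: only the digest leaves the client; the password itself never does."""
    return md5_response(identifier, password, challenge)


def server_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Step 6: recompute the digest from the stored password and compare.
    A constant-time compare avoids leaking how many bytes matched."""
    password = USER_DB.get(username)
    if password is None:
        return False
    expected = md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, password: bytes, identifier: int = 1) -> str:
    """Drive steps 2-6 for one login attempt and return the switch's port decision."""
    challenge = make_challenge()                                # server -> switch -> client
    response = client_respond(identifier, password, challenge)  # client -> switch -> server
    ok = server_verify(username, identifier, challenge, response)
    return "open" if ok else "closed"                           # port-open / port-close command


if __name__ == "__main__":
    print(run_exchange("alice", b"s3cret-pass"))   # open
    print(run_exchange("alice", b"wrong"))         # closed
```

Because the challenge is random per attempt, a digest captured from one exchange does not verify against a later challenge, which is what keeps the password off the wire in a useful form.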

It is worth noting that when the client exchanges password information with the authentication server, the password is not sent over the network in plaintext. Instead, the password information is processed with an irreversible algorithm, which gives the sensitive information transmitted over the network a higher level of protection and prevents it from leaking through the broadcast nature of lower-level access devices.
 
In 802.1X solutions, port access control based on MAC address is usually used. This mode reduces network construction cost and the performance demands on the authentication server. When this access control method is used, the network security problems caused by MAC and IP address counterfeiting must be prevented.
 
Counterfeit MAC addresses
When another access-layer switch is connected below a physical port of the authentication switch, and user A on that access switch has been authenticated and is using network resources normally, the MAC address of user A's terminal device is set on that physical port of the authentication switch as allowed to send business data.
If user B on the same access switch changes his MAC address to match user A's, user B can use network resources without going through the authentication process, leaving the network vulnerable. In this case, the MAC address + IP address binding function on the switch that performs 802.1X authentication and authorization is used to prevent unauthorized access by users with forged MAC addresses.
 
For a network system that allocates IP addresses dynamically, an illegitimate user cannot know in advance which IP address another user will be assigned. Therefore, even if he knows a user's MAC address he cannot forge that user's IP address, and so cannot impersonate the legitimate user to access network resources.
 
In a static address allocation scheme, two terminal devices with the same IP address will inevitably cause an IP address conflict, so counterfeiting both the MAC address and the IP address is not feasible.
 
If the counterfeiter and the legitimate user are on two different physical ports of the authentication switch, then even if the counterfeiter knows the legitimate user's MAC address, he still cannot access the network system, because that MAC address is not authorized on his physical port.

 
Counterfeit IP addresses
Because 802.1X uses a layer-2 authentication method, in a dynamic address allocation scheme an IP address is only allocated after the user passes authentication.
 
In a static address allocation policy, if a user impersonates an IP address but fails authentication, that address does not conflict with the legitimate user who is using it, because the impersonator's port stays closed to business data. If a user passes authentication but impersonates another user's IP address, his access is controlled by the IP address + MAC address binding on the authentication switch. This makes it impossible for counterfeiting users to carry out normal business communication, and so prevents IP addresses from being tampered with or counterfeited.

Handling of user password theft and sharing
In systems using the 802.1X authentication protocol, user passwords are frequently stolen or shared. In such cases, the number of simultaneous logins allowed for the same account name and password can be limited, to control user access and prevent unauthorized access to the network system.
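The authentication switch's port state, covering both the MAC address + IP address binding used against the counterfeit MAC and counterfeit IP cases above and the per-account login limit just described. This is an added example, not code from the original article or from any switch vendor; the port names, MAC addresses, IP addresses and account names are constructed, and the filter is a simplified model of what a switch does in hardware.

```python
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # 802.1X authentication frames; always allowed through


@dataclass(frozen=True)
class Binding:
    port: str
    mac: str
    ip: str
    account: str


@dataclass
class Authenticator:
    """Port state of the authentication switch: bindings installed by the
    port-open command and removed by port-close / logoff."""
    max_sessions: int = 1                               # per account name
    bindings: dict = field(default_factory=dict)        # (port, mac) -> Binding

    def sessions_for(self, account: str) -> int:
        return sum(1 for b in self.bindings.values() if b.account == account)

    def authorize(self, port: str, mac: str, ip: str, account: str) -> bool:
        """Apply a successful authentication. Refused when the account already
        has max_sessions live bindings (limits use of a stolen or shared password)."""
        if self.sessions_for(account) >= self.max_sessions:
            return False
        key = (port, mac.lower())
        self.bindings[key] = Binding(port, mac.lower(), ip, account)
        return True

    def deauthorize(self, port: str, mac: str) -> None:
        """Port-close / logoff: drop the binding so the MAC must re-authenticate."""
        self.bindings.pop((port, mac.lower()), None)

    def allow_frame(self, port: str, src_mac: str, src_ip: str = "",
                    ethertype: int = 0x0800) -> bool:
        """Business-data filter: authentication traffic always passes; anything
        else passes only if ingress port, source MAC and source IP all match one
        installed binding, so a cloned MAC on another port, or a cloned MAC with
        a different IP on the same port, is dropped."""
        if ethertype == EAPOL_ETHERTYPE:
            return True
        b = self.bindings.get((port, src_mac.lower()))
        return b is not None and b.ip == src_ip
```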
