Here is a detailed analysis of the 802.1x protocol and its use in access networks. Some time ago a colleague asked me about the 802.1x protocol. At the time I could not give a definite answer, because it was also the first time I had encountered the question. In the following days I consulted the relevant materials and arrived at the answers below, which I now share with you.
In recent years, broadband network access has become a hot topic in network technology. The construction of broadband networks is booming and services are in full swing, making broadband a new source of growth for network operators. Several broadband access methods are in wide use, such as HFC, xDSL and LAN access. Among them, switched Ethernet access is the mainstream solution for campus network construction: with high bandwidth, mature technology, low cost, and ease of construction and management, it has become the preferred access method for network operators.
However, because traditional Ethernet relies on a broadcast mechanism, its security is poor, which limits its application in public access networks. PPPoE and Web + DHCP solutions are widely used to address this, but neither effectively solves the authentication security problem.
The 802.1x protocol proposed by the IEEE 802.1 committee implements user authentication and authorization on Ethernet switches, which gives operators a more practical and secure way to manage users. This article describes the basic principles of 802.1x and its application in broadband access networks.
1 802.1x protocol structure and basic principles
1.1 802.1x protocol
In the late 1990s, the IEEE 802 LAN/WAN committee proposed the 802.1x protocol to address the security of wireless LANs. Later, 802.1x, as a general access control mechanism for LAN ports, was applied to Ethernet to solve intranet authentication and security problems. 802.1x is known as the Port-Based Network Access Control protocol. Its core content is shown in Figure 1.
An EAP (Extensible Authentication Protocol) proxy is placed on the Ethernet switch near the user side, and the client software running EAPoE (EAP over Ethernet) on the user's PC communicates with the switch. In the initial state, all ports on the switch are disabled: only 802.1x traffic can pass, while other types of network traffic, such as Dynamic Host Configuration Protocol (DHCP), Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) and Post Office Protocol (POP3), are blocked.
When a user logs on to the switch through EAPoE, the switch sends the username and password provided by the user to the backend RADIUS authentication server. If the username and password are verified, the corresponding Ethernet port is opened and access is allowed.
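As an added illustration (not part of the original article), the following Python builds the two EAPoL frames a client sends at the start of this exchange, an EAPoL-Start and an EAP-Response/Identity, and parses them as the switch's EAP proxy would. The EtherType, PAE group address and EAPoL/EAP field values are the standard 802.1x constants; the supplicant MAC address and identity are constructed sample values.

```python
import struct
from typing import Optional
# Standard 802.1X constants (not from the article): EtherType, PAE group address,
# EAPoL packet types and EAP codes.
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def eapol_frame(src_mac: bytes, packet_type: int, body: bytes = b"") -> bytes:
    """Ethernet II header + EAPoL header (version, type, body length) + body."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body

def eap_packet(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP header (code, identifier, total length) plus optional type byte and data."""
    payload = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPoL frame as the switch's PAE would; ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPoL frame: ethertype 0x{ethertype:04x}")
    version, ptype, blen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPoL body truncated")
    out = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
           "version": version, "type": ptype, "eap": None}
    if ptype == EAPOL_EAP_PACKET:
        # a body shorter than the 4-byte EAP header is treated as a bad length
        code, ident, elen = struct.unpack("!BBH", body[:4]) if blen >= 4 else (0, 0, 0)
        if elen < 4 or elen > blen:
            raise ValueError("bad EAP length")
        out["eap"] = {"code": code, "id": ident}
        if code in (EAP_REQUEST, EAP_RESPONSE) and elen > 4:
            out["eap"]["eap_type"], out["eap"]["data"] = body[4], body[5:elen]
    return out

# Constructed sample exchange: the supplicant sends EAPoL-Start, then its identity.
SUPPLICANT_MAC = bytes.fromhex("001122334455")
START_FRAME = eapol_frame(SUPPLICANT_MAC, EAPOL_START)
IDENTITY_FRAME = eapol_frame(SUPPLICANT_MAC, EAPOL_EAP_PACKET,
                             eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"user@example.net"))
```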
1.2 Architecture of the 802.1x protocol
The 802.1x architecture includes three important parts: the client (supplicant system), the authentication system (authenticator system) and the authentication server (authentication server system). Figure 2 shows the relationship between the three and the communication between them. Client software is installed on the client system, and the user initiates the 802.1x authentication process by starting it. To support port-based access control, the client system must support the EAPoL (EAP over LAN) protocol.
The authentication system is usually a network device that supports the 802.1x protocol. The device has two logical ports, the controlled port and the uncontrolled port, which correspond to the ports of the individual users. The uncontrolled port is always in a bidirectionally connected state; it is mainly used to carry EAPoL protocol frames, so that the client can always send and receive authentication messages.
The controlled port is opened only after authentication passes, and it carries network resources and services. If the user fails authentication, the controlled port remains in the unauthenticated state and the user cannot access the services provided by the authentication system. The controlled port can be configured in two ways, bidirectional control or input-only control, to suit different application environments.
The port access entity (PAE) of the authentication system communicates with the client's port access entity through the uncontrolled port, and the EAPoL protocol runs between the two. The port access entity of the authentication system runs the EAP protocol with the authentication server. EAP is not the only way for the authentication system to communicate with the authentication server; other communication channels can also be used. For example, if the authentication system and the authentication server are integrated, the communication between the two entities need not use EAP.
The authentication server is usually a RADIUS server that stores user information, such as the user's account, password, VLAN, CAR parameters, priority and user access control list. After the user passes authentication, the authentication server passes the user's related information to the authentication system, which constructs a dynamic access control list; the user's subsequent traffic is then monitored according to these parameters. The authentication system and the RADIUS server communicate with each other through the EAP protocol.
1.3 Working mechanism of the 802.1x protocol
The working mechanism of the 802.1x protocol is shown in Figure 3. Authentication can be initiated either by the user or by the authentication system. When the authentication system detects an unauthenticated user using the network, it initiates authentication. The user can also send an EAPoL-Start packet to the authentication system through the client software to initiate authentication. The client sends an EAPoL Exit message to go offline on its own initiative. The direct result of leaving the authenticated state is that the user goes offline; if the user wants to continue accessing the network, another authentication process must be initiated.
To ensure that the link between the user and the authentication system stays active, and to prevent a crash of the user's equipment from affecting the accuracy of user billing, the authentication system can initiate a re-authentication process periodically. This process is transparent to users, that is, users do not need to enter their username and password again. Re-authentication is initiated by the authentication system and timed from the last successful authentication. The default re-authentication interval is 3600 s, and re-authentication is disabled by default.
The authentication system is responsible for retransmitting the EAP messages it exchanges with clients if any are lost. When setting the retransmission time, the actual network environment must be considered: since the probability of packet loss between the authentication system and the client is generally low and the transmission delay is short, a timeout counter with a default retransmission time of 30 s is usually used.
The client is responsible for retransmitting some lost packets, for example lost EAPoL-Start packets. However, the client cannot detect the loss of EAP-Failure and EAP-Success packets, and the authentication system does not retransmit them. Because the legitimacy of the user's identity is ultimately verified by the authentication server, packet loss and retransmission between the authentication system and the authentication server are also very important.
In addition, DHCP can be started and an IP address allocated only after 802.1x authentication has passed. Because the client terminal is configured to obtain its IP address automatically via DHCP, a DHCP request may be issued before the 802.1x client is started. At this point the authentication system does not let it pass: it discards the initial DHCP frame, and this frame triggers the authentication system to initiate user authentication.
Because the DHCP request timeout is 64 s, if the 802.1x authentication process can be completed within 64 s, the DHCP request will not time out and the address request completes successfully. If the terminal software only starts DHCP after authentication, the 64 s timeout limit need not be considered.
1.4 802.1x authentication process
The 802.1x authentication process is the interaction between the user and the server. The authentication steps are as follows.
◆ After the user's machine starts, the user initiates a request through the 802.1x client software to find devices on the network that can process EAPoL packets. If a verification device can process EAPoL packets, it sends a response packet to the client and asks the user to provide a valid identity, such as a username and password.
◆ After the client receives the response from the verification device, it provides the identity to the verification device. Because the client has not yet been verified, the authentication traffic can only pass through the uncontrolled logical port of the authentication device. The authentication device sends the identity to the AAA server through the EAP protocol for authentication.
◆ If the authentication succeeds, the controlled logical port of the authentication system is opened.
◆ The client software initiates a DHCP request, and the authentication device forwards the request to the DHCP server.
◆ The DHCP server assigns an IP address to the user.
◆ The address information allocated by the DHCP server is returned to the authentication system. The authentication system records user information such as the MAC and IP addresses, and establishes a dynamic ACL to restrict the user's permissions.
◆ When the authentication device detects the user's Internet traffic, it sends billing information to the authentication server and starts billing for the user.
◆ If the user leaves the network, the user can initiate the exit process through the client software. After the authentication device detects the packet, it notifies the AAA server to stop billing, deletes user-related information (such as the physical address and IP address) and closes the controlled logical port; the user returns to the state requiring re-authentication.
◆ The verification device ensures that the link is active through regular detection. If the user's machine crashes abnormally, the device determines after multiple failed detection attempts that the user has gone offline, and sends the billing termination information to the authentication server.
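The following Python (an added example, not from the original article) models the port behaviour in the steps above as a small state machine: EAPoL is always relayed through the uncontrolled port, a DHCP request arriving before authentication is dropped and treated as the trigger for authentication (section 1.3), a RADIUS accept opens the controlled port, the DHCP result adds the IP address to the dynamic MAC binding, and exit or liveness failure closes the port again. The class name, method names and frame labels are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E   # standard 802.1X EtherType (not from the article)
ETHERTYPE_IPV4 = 0x0800

@dataclass
class AuthenticatorPort:
    """Hypothetical model of one user port on the authentication system: the
    uncontrolled logical port always relays EAPoL, the controlled logical port
    opens only after a RADIUS accept and then enforces the MAC/IP binding."""
    authorized: bool = False
    bound_mac: Optional[str] = None
    bound_ip: Optional[str] = None
    last_auth_time: float = 0.0
    reauth_period: Optional[float] = None   # None: re-authentication disabled (default)

    def ingress(self, src_mac: str, ethertype: int, src_ip: Optional[str] = None) -> str:
        """Decide the fate of one frame arriving from the user side."""
        if ethertype == ETHERTYPE_EAPOL:
            return "relay-uncontrolled"          # authentication traffic always reaches the PAE
        if not self.authorized:
            # e.g. a DHCP request sent before the client started: dropped, and
            # used as the trigger for the authentication system to start authentication
            return "drop-trigger-auth"
        ip_ok = self.bound_ip is None or src_ip is None or src_ip == self.bound_ip
        if src_mac != self.bound_mac or not ip_ok:
            return "drop-acl"                    # does not match the dynamic ACL binding
        return "forward-controlled"

    def radius_accept(self, mac: str, now: float) -> None:
        """Authentication passed: open the controlled port, bind the user's MAC."""
        self.authorized, self.bound_mac, self.last_auth_time = True, mac, now

    def dhcp_ack(self, mac: str, ip: str) -> bool:
        """Record the DHCP-assigned IP for the bound MAC; False if it does not match."""
        if not self.authorized or mac != self.bound_mac:
            return False
        self.bound_ip = ip
        return True

    def logoff(self) -> None:
        """EAPoL exit or failed liveness detection: close the port, forget the binding."""
        self.authorized, self.bound_mac, self.bound_ip = False, None, None

    def reauth_due(self, now: float) -> bool:
        # periodic re-authentication is timed from the last successful authentication
        if not self.authorized or self.reauth_period is None:
            return False
        return now - self.last_auth_time >= self.reauth_period
```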
2 Comparison of several authentication methods
Currently, in addition to 802.1x, PPPoE and Web + DHCP are used as authentication methods in the access network. These authentication methods are compared here. The essence of PPPoE is running the PPP protocol over Ethernet. Because the first phase of the PPPoE process is the discovery phase, which relies on broadcast, discovery can only take place within a Layer 2 network.
Therefore there cannot be a router or a Layer 3 switch between the host and the server. In addition, because of the point-to-point nature of PPPoE, multicast between the user's host and the server is restricted, so video services are affected to a certain extent. Furthermore, PPP frames must be encapsulated again into Ethernet, so efficiency is low.
When Web + DHCP adopts a bypass network architecture, comparable bandwidth management cannot be applied to users. In addition, although DHCP allocates IP addresses dynamically, the maturity of this method and device support for it are still limited, so additional measures are needed to prevent IP addresses from being stolen. Moreover, user connectivity is poor and ease of use is not good enough.
802.1x is a Layer 2 protocol: it does not need to reach Layer 3, and the access switch does not need to support 802.1q VLANs. It places no high demands on the overall performance of the device and can effectively reduce network construction costs. Service packets are carried directly in ordinary Layer 2 packets. After the user passes authentication, service traffic and authentication traffic are separated, and there are no special requirements for subsequent packet processing. During authentication, 802.1x does not need to re-encapsulate frames into Ethernet, so its efficiency is relatively high.
3 Application of 802.1x protocol in broadband access
Taking residential broadband access as an example, we discuss the application of the 802.1x protocol in broadband access. Its application in residential broadband access is not complex: the access switch must support the 802.1x protocol, and a RADIUS server and a DHCP server must exist to complete authentication. For a residential community with a small number of users, it is sufficient to install an 802.1x switch at the exit of the whole community. For a community with a large number of users, an 802.1x switch can be placed in each building, with each switch connected to the aggregation center.
Figure 4 shows a residential broadband access network topology based on the 802.1x protocol. This solution is equivalent to the common switch access solution in terms of performance, but has unparalleled advantages in terms of security. The authentication steps between the user and the switch when the user accesses the broadband network are the same as those of the 802.1x protocol described above.
It should be noted that the user sends authentication packets to a specific multicast MAC address, while the device sends packets to the user using the user's unicast MAC address. This solves the broadcast problem of authentication packets: other users cannot listen in on the authentication process, so they cannot learn the user's password, account or MAC address. After authentication, the MAC address is bound to the port, which ensures that the network path is unique during communication. In this way, the data packets of authenticated users are not leaked, ensuring the security of user data.
4 Conclusion
This article briefly analyzes the 802.1x protocol and its working principle, and designs an 802.1x-based residential broadband access scheme. The scheme gives full play to the advantages of switched Ethernet access and can effectively solve network authentication and security problems. Considering the security needs of access networks, we can be certain that 802.1x, as a security solution for broadband network access, will become the mainstream direction of future development.