802.1X user authentication process
802.1X provides a user-authentication framework for any local area network, including WLANs. Once a station has associated with an access point, it can start the 802.1X frame exchange and try to obtain authorization. After the 802.1X authentication exchange and key distribution complete, the user is given a port that has been enabled for traffic. In this example, a RADIUS server is the back-end authentication server, and the authentication process is shown in the following figure:
1. The supplicant associates with the 802.11 network.
2. The supplicant sends an EAPOL-Start frame to begin the 802.1X frame exchange. This step is optional: not every supplicant sends EAPOL-Start, so it may be absent.
3. The EAP frame exchange begins when the authenticator (the access point) sends an EAP-Request/Identity frame. If the access point forwards this frame only for an association that has already succeeded, there may be no EAPOL-Start before the Request/Identity is sent. An unsolicited EAP-Request/Identity frame signals that the supplicant must authenticate with 802.1X.
4. The supplicant replies with an EAP-Response/Identity frame, which the authenticator encapsulates in a RADIUS Access-Request packet and sends to the authentication server.
5. The RADIUS server decides which authentication method to use and specifies it in an EAP-Request, which it encapsulates in a RADIUS Access-Challenge packet sent to the access point. The access point extracts the EAP-Request and sends it to the supplicant. The EAP-Request is usually written EAP-Request/Method, where Method is the authentication method in use; with PEAP, the returned packet is written EAP-Request/PEAP.
6. The supplicant obtains a response from the user and returns an EAP-Response. The authenticator converts it into a RADIUS Access-Request packet, with the response to the challenge carried in the data field.
Steps 5 and 6 are repeated until the authentication is complete. An EAP method that requires a certificate exchange inevitably needs several rounds; some EAP exchanges require 10 to 20 round trips between the client and the RADIUS server.
7. When the RADIUS server sends a RADIUS Access-Accept packet granting network access, the authenticator sends an EAP-Success frame and authorizes the port. Access permissions can also be determined by attributes returned by the RADIUS server.
8. After receiving the Access-Accept packet, the access point immediately uses an EAPOL-Key frame to deliver the key to the supplicant.
9. Once the supplicant has installed the key, it can begin sending data frames to access the network. DHCP configuration usually happens at this point.
10. When the supplicant no longer needs network access, it sends an EAPOL-Logoff message and the port reverts to the unauthorized state.
The 802.1X exchange can be performed at any point in time, and the user does not need to send EAPOL-Start to initiate it: a new EAPOL exchange can be started at any time with an EAP-Request/Identity frame to refresh the authentication data. Re-authentication is usually required because the session has timed out and the key must be refreshed. Key exchange frames are transmitted only after authentication completes, which keeps the key from leaking. EAPOL-Key frames can also be used to update keys periodically.
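The ten steps above, as an added simulation that is not part of the original article: a supplicant, an authenticator (access point) and a RADIUS server exchange EAPOL/EAP frames built with the real IEEE 802.1X and RFC 3748 header layouts, while the RADIUS side is modelled as plain dicts and the challenge loop is a constructed round counter standing in for a real EAP method. The point it shows is the controlled port: data frames are dropped until EAP-Success arrives, the EAPOL-Key frame is only sent after Access-Accept, and EAPOL-Logoff returns the port to the unauthorized state. The identity "alice", the key material and the number of challenge rounds are constructed sample values.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# EAPOL packet types (IEEE 802.1X) and EAP codes/types (RFC 3748, PEAP = 25)
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_IDENTITY, EAP_PEAP = 1, 25
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_CHALLENGE = 1, 2, 11


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """EAPOL header: version(1) type(1) body-length(2), followed by the body."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def eap(code: int, ident: int, etype: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: code(1) id(1) total-length(2) [type(1) data]."""
    payload = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame: bytes):
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def parse_eap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    etype = pkt[4] if length > 4 else None
    return code, ident, etype, pkt[5:length]


@dataclass
class RadiusServer:
    rounds_needed: int = 3  # constructed: challenge rounds before Access-Accept
    rounds_done: int = 0

    def handle(self, req: dict) -> dict:
        _code, ident, etype, _data = parse_eap(req["EAP-Message"])
        if etype == EAP_IDENTITY:  # step 5: server picks the method (PEAP here)
            self.rounds_done = 0
        else:                      # step 6: a response to a PEAP challenge
            self.rounds_done += 1
        if self.rounds_done < self.rounds_needed:
            return {"Code": RADIUS_ACCESS_CHALLENGE,
                    "EAP-Message": eap(EAP_REQUEST, ident + 1, EAP_PEAP)}
        return {"Code": RADIUS_ACCESS_ACCEPT,  # step 7
                "EAP-Message": eap(EAP_SUCCESS, ident), "Session-Timeout": 3600}


@dataclass
class Authenticator:
    radius: RadiusServer
    authorized: bool = False
    radius_codes: List[int] = field(default_factory=list)

    def forward_data(self, _payload: bytes) -> bool:
        """Controlled port: data frames pass only once the port is authorized."""
        return self.authorized

    def receive(self, frame: bytes) -> List[bytes]:
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:   # steps 2-3
            return [eapol(EAPOL_EAP, eap(EAP_REQUEST, 1, EAP_IDENTITY))]
        if ptype == EAPOL_LOGOFF:  # step 10
            self.authorized = False
            return []
        reply = self.radius.handle({"Code": RADIUS_ACCESS_REQUEST, "EAP-Message": body})
        self.radius_codes.append(reply["Code"])
        out = [eapol(EAPOL_EAP, reply["EAP-Message"])]
        if reply["Code"] == RADIUS_ACCESS_ACCEPT:
            self.authorized = True  # step 7: EAP-Success, port authorized
            out.append(eapol(EAPOL_KEY, b"constructed-key-material"))  # step 8
        return out


def run_exchange(rounds: int = 3) -> dict:
    """Drive the supplicant side through steps 1-10 and report what happened."""
    ap = Authenticator(RadiusServer(rounds_needed=rounds))
    events, key_installed = [], False
    data_before_auth = ap.forward_data(b"dhcp-discover")  # blocked at step 1
    pending = ap.receive(eapol(EAPOL_START))
    while pending:
        ptype, body = parse_eapol(pending.pop(0))
        if ptype == EAPOL_KEY:
            key_installed = True
            events.append("EAPOL-Key")
            continue
        code, ident, etype, _ = parse_eap(body)
        if code == EAP_SUCCESS:
            events.append("EAP-Success")
        elif etype == EAP_IDENTITY:  # step 4
            events.append("EAP-Request/Identity")
            pending += ap.receive(eapol(EAPOL_EAP, eap(EAP_RESPONSE, ident, EAP_IDENTITY, b"alice")))
        else:                        # step 6, repeated until Access-Accept
            events.append("EAP-Request/PEAP")
            pending += ap.receive(eapol(EAPOL_EAP, eap(EAP_RESPONSE, ident, EAP_PEAP, b"resp")))
    data_after_auth = key_installed and ap.forward_data(b"dhcp-discover")  # step 9
    ap.receive(eapol(EAPOL_LOGOFF))
    return {"events": events,
            "challenges": ap.radius_codes.count(RADIUS_ACCESS_CHALLENGE),
            "data_before_auth": data_before_auth,
            "data_after_auth": data_after_auth,
            "data_after_logoff": ap.forward_data(b"dhcp-discover")}


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

Varying the `rounds` argument shows the point made after step 6: each extra round is one more Access-Challenge/Access-Request pair between the access point and the RADIUS server, and the port stays unauthorized for all of them.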