A First Look at 802.1X

Source: Internet
Author: User

Typical 802.1X authentication topology

Feature Description:

802.1X: IEEE 802.1X (Port-Based Network Access Control) is a port-based network access control standard that provides point-to-point secure access to the LAN. It was developed by the IEEE standards board specifically to address the security weaknesses of Ethernet, and it provides a means of authenticating users connected to LAN devices while preserving the advantages of IEEE 802 LANs.

The ultimate goal of 802.1X authentication is to decide whether a port may be used: if authentication succeeds, the port is "opened"; if it fails, the port remains "closed".

802.1X authentication makes real-name authentication and billing of users possible, and Ruijie Networks' own SAM/SMP authentication scheme builds on it to implement flexible Internet access control and billing policies.

Device roles

The IEEE 802.1X authentication system consists of three roles: the supplicant, the authenticator and the authentication server. In practice these correspond to the workstation (client), the access device (Network Access Server, NAS) and the RADIUS server.

Supplicant (client)

The supplicant is the end user's role, usually a personal PC. It requests access to network services and responds to the authenticator's request messages. The supplicant must run software that complies with the IEEE 802.1X client standard; the most typical is the IEEE 802.1X client support built into the Windows XP operating system, and we have also introduced the Star supplicant software, which complies with the client standard.

Authenticator (NAS)

The authenticator is usually a switch or another access device. Its function is to control the client's connection to the network according to the client's current authentication state. Between the client and the server the device acts as a mediator: it requests a user name from the client, obtains authentication information from the server side and forwards it to the client. So, in addition to playing the role of the IEEE 802.1X authenticator, the device also acts as a RADIUS client, which is why we call it the Network Access Server (NAS): it encapsulates the responses received from the client into RADIUS-formatted messages and forwards them to the RADIUS server, and it interprets the information received from the RADIUS server and forwards it to the client.

A device in the authenticator role has two kinds of ports: controlled ports and uncontrolled ports. A user connected to a controlled port can reach network resources only after passing authentication, whereas a user connected to an uncontrolled port has direct access to network resources without authentication. Users are connected to controlled ports so that they can be controlled; uncontrolled ports are mainly used to connect the authentication server, so that normal communication between the server and the device is guaranteed.

Authentication server (RADIUS)

The authentication server is usually a RADIUS server that works together with the authenticator to provide authentication services to users. It holds user names, passwords and the corresponding authorization information; one server can serve many authenticators, which makes centralized user management possible. The authentication server is also responsible for handling the accounting data sent by the authenticator.

The NAS sits between the user and the server much like a real-estate agent sits between a tenant and a landlord: it is a communication bridge. A user who wants to get online first tells the middleman, "I want to get online", just as you tell an agent, "I want to rent a flat", and the agent then goes looking for listings. At that point the agent needs to know your name in order to negotiate with the landlord; likewise the NAS, having received the user's request, asks for the user name, and the user hands it over. The agent then contacts the landlord, and the landlord says, "I need to know what this tenant is like, whether they are lazy and will wreck my flat; only people who pass my assessment may live here." With that analogy the following steps are easy to understand: the NAS first contacts the RADIUS server and sends it a request to assess the user; the RADIUS server replies, "give me that user's password and I will see whether it meets my standards"; the NAS passes this on to the user, saying "give me your information (the password)"; and the user gives the NAS the password. The NAS has no right to decide on its own, just as the agent cannot decide who gets the flat, so it sends the user's password to the server. After the server's assessment, if the user passes, it happily tells the NAS, "I have decided to rent the flat to this young lady"; if the landlord does not like what it sees, it can only tell the agent, "I don't like this one, I will wait for a hard-working, tidy tenant", and the agent can only accept the message and pass it on to the tenant.

If you are lucky and the landlord likes you, you can move into your new home, just as the user can start surfing the Internet. But just as you must start paying rent once you have the flat, the user must also pay network fees, and here the NAS is less like the agent: you do not pay rent through the agent, you pay through the bank. You hand your bank card over to pay the rent, the bank tells the landlord, "there is a rent payment for you, do you want it?" (of course, nobody is that foolish!), the landlord replies to the bank, and you are now in a legitimate tenancy.

Once you are paying, what happens if one day you fall out with the landlord or are no longer satisfied with the flat? You give up the lease. You tell the bank, "I am not staying here any longer, so stop the automatic payment bound to my card"; the bank confirms this with the landlord, saying the binding is to be terminated; the landlord says, "yes, that girl has a temper, she is not staying". The bank then, like the NAS sending an EAP-Failure to the user, releases the binding, just as the client prompts the user that logoff has succeeded. You have to move out at the agreed time and cannot use the flat any more, just as the user can no longer access Internet resources.

The process is broken down as follows:

1. The client (supplicant, SU) sends an EAP message to the multicast address to initiate the authentication process.

2. After the switch receives the message, it answers the client's authentication request with an EAP-Request message asking the user to provide the user name.

3. After receiving the EAP-Request, the client replies with an EAP-Response message in which the user name is encapsulated and sent to the switch.

4. The switch encapsulates the client's EAP-Response, together with its own IP address, port number and other related information, in a RADIUS Access-Request message and sends it to the authentication server.

5. The authentication server checks the user after receiving the RADIUS Access-Request; if the user's information is valid, it issues an authentication challenge (RADIUS Access-Challenge) for the user, requiring the user to provide a password.

6. When the switch receives the RADIUS Access-Challenge, it forwards the challenge to the client in an EAP-Challenge request.

7. After the client receives the challenge request, the user's password is encrypted and encapsulated in the EAP-Challenge response returned to the switch.

8. The switch encapsulates the user's EAP-Challenge response in a RADIUS Access-Request message and forwards it to the authentication server.

9. The authentication server verifies the user's password. If authentication fails, the server returns a RADIUS Access-Reject message denying the user's request; if it passes, the server sends a RADIUS Access-Accept message to the switch.

10. After receiving the RADIUS Access-Accept from the authentication server, the switch removes the access control on the client and sends an EAP-Success message notifying the client that authentication succeeded.

11. The switch sends a RADIUS Accounting-Request (Start) message to the authentication server, asking it to begin accounting for the user.

12. The authentication server starts accounting after receiving the request and returns a RADIUS Accounting-Response message to the switch, confirming that accounting has begun.

13. When the user goes offline, the client sends an EAPOL-Logoff message to the switch to request logoff.

14. The switch sends a RADIUS Accounting-Request (Stop) message to the authentication server, asking it to stop accounting for the user.

15. When the authentication server receives the request, it stops accounting and responds with a RADIUS Accounting-Response message.
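As an added illustration (not code from the original page or from Ruijie), the fifteen-step exchange above modelled in Python with the three roles as separate objects. It assumes the EAP MD5-Challenge method (RFC 3748) for the password step, so only a hash of the challenge and password, never the password itself, passes through the NAS; the user database and password are constructed sample data.

```python
import hashlib
import os

# Constructed sample credential store held by the authentication server.
RADIUS_USERS = {"alice": b"correct-horse"}

def md5_challenge_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """EAP MD5-Challenge value (RFC 3748 s5.4, CHAP style): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

class Supplicant:
    """Client: holds the password and answers the challenge; the password itself never leaves it."""
    def __init__(self, user: str, password: bytes):
        self.user, self.password = user, password
    def answer(self, eap_id: int, challenge: bytes) -> bytes:
        return md5_challenge_response(eap_id, self.password, challenge)

class RadiusServer:
    """Authentication server: owns credentials, issues the challenge, makes the accept/reject decision."""
    def __init__(self, users: dict):
        self.users, self.challenges, self.accounting_state = users, {}, {}
    def access_request(self, user, eap_id, response=None):
        if user not in self.users:                        # step 5: unknown user is rejected outright
            return "Access-Reject", None
        if response is None:                              # step 5: known user -> ask for the password
            self.challenges[user] = os.urandom(16)
            return "Access-Challenge", self.challenges[user]
        expected = md5_challenge_response(eap_id, self.users[user], self.challenges.pop(user, b""))
        return ("Access-Accept", None) if response == expected else ("Access-Reject", None)  # step 9
    def accounting_request(self, user, status):           # steps 12 and 15: Start / Stop
        self.accounting_state[user] = status
        return "Accounting-Response"

class Authenticator:
    """NAS/switch: relays EAP <-> RADIUS and opens the controlled port only on Access-Accept."""
    def __init__(self, server: RadiusServer):
        self.server, self.port_open = server, False
    def authenticate(self, sup: Supplicant, eap_id: int = 1) -> bool:
        # steps 1-3 (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity) yield sup.user
        code, challenge = self.server.access_request(sup.user, eap_id)                  # step 4
        if code == "Access-Challenge":                                                  # steps 6-8 relay
            code, _ = self.server.access_request(sup.user, eap_id, sup.answer(eap_id, challenge))
        self.port_open = code == "Access-Accept"                                        # step 10
        if self.port_open:                                                              # steps 11-12
            self.server.accounting_request(sup.user, "Start")
        return self.port_open
    def logoff(self, user: str) -> str:                   # steps 13-15: EAPOL-Logoff -> Accounting Stop
        self.port_open = False
        return self.server.accounting_request(user, "Stop")
```

The NAS never compares credentials itself: a wrong password or an unknown user both leave the controlled port closed because the server answers Access-Reject.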
