Source: http://wenwen.soso.com/z/q166758313.htm? PID = Wenwen. autologin
AAA uses the Port-Based Network Access Control protocol.
Authentication is carried out through the exchange of EAPOL messages.
802.1x authentication has three important roles: the supplicant (requester), the authenticator, and the authentication server.
1. The client (supplicant) sends an EAP packet to initiate authentication (the standard protocol multicast address is 01-80-C2-00-00-03).
2. After receiving the message, the switch sends an EAP-Request message in response to the client's authentication request and asks the user to provide the user name.
3. After receiving the EAP-Request, the client responds with an EAP-Response message that encapsulates the user name and sends it to the switch.
4. The switch encapsulates the EAP-Response message sent from the client in a RADIUS Access-Request packet, together with the IP address and port of the switch, and sends it to the authentication server.
5. The authentication server receives the RADIUS Access-Request message and verifies it. If the user's information is valid, the server issues an authentication challenge (RADIUS Access-Challenge) for the user and requires the user to provide the password.
6. After receiving the RADIUS Access-Challenge packet, the switch forwards the challenge to the client in an EAP-Challenge request.
7. After receiving the challenge request, the client encrypts the user password, encapsulates it in an EAP-Challenge response, and returns it to the switch.
8. The switch encapsulates the user's EAP-Challenge response in a RADIUS Access-Request packet and forwards it to the authentication server.
9. The authentication server verifies the user's password. If the verification fails, the server returns a RADIUS Access-Reject message to reject the user's authentication request. If the verification succeeds, the server sends a RADIUS Access-Accept packet to the switch.
10. After receiving the RADIUS Access-Accept from the authentication server, the switch lifts access control on the client's port and sends an EAP-Success message to notify the client that authentication succeeded.
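The challenge steps (5 to 9) traced in Python, as an added example that is not code from the original page. It assumes the EAP method is EAP-MD5-Challenge (RFC 3748), which the page does not name; the RADIUS hop between switch and server is collapsed into direct calls, and the function names and the sample account are constructed for illustration.

```python
import hashlib, hmac, os, struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP Code field (RFC 3748)
IDENTITY, MD5_CHALLENGE = 1, 4                      # EAP Type field

def eap_packet(code, ident, eap_type=None, data=b""):
    """Code (1) | Identifier (1) | Length (2) | [Type (1) | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (SUCCESS, FAILURE):          # these carry no Type or data
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]

def md5_value(ident, password, challenge):
    """Response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def sized(value):                           # Value-Size byte, then Value
    return bytes([len(value)]) + value

def unsized(data):
    return data[1:1 + data[0]]

def run_exchange(users, username, password):
    """Return the EAP code the switch finally sends to the client."""
    # Steps 2-3: switch requests the identity, client returns the user name.
    ident = parse_eap(eap_packet(REQUEST, 1, IDENTITY))[1]
    identity_resp = eap_packet(RESPONSE, ident, IDENTITY, username)
    # Steps 4-5: server checks the user exists and issues a random challenge.
    name = parse_eap(identity_resp)[3]
    if name not in users:
        return parse_eap(eap_packet(FAILURE, ident))[0]
    challenge = os.urandom(16)
    chal_req = eap_packet(REQUEST, ident + 1, MD5_CHALLENGE, sized(challenge))
    # Steps 6-7: client hashes its password with the challenge it received.
    _, cid, _, data = parse_eap(chal_req)
    chal_resp = eap_packet(RESPONSE, cid, MD5_CHALLENGE,
                           sized(md5_value(cid, password, unsized(data))))
    # Steps 8-9: server recomputes the value from its stored password.
    _, sid, _, data = parse_eap(chal_resp)
    ok = hmac.compare_digest(md5_value(sid, users[name], challenge), unsized(data))
    # Step 10: the switch relays the verdict as EAP-Success or EAP-Failure.
    return parse_eap(eap_packet(SUCCESS if ok else FAILURE, sid))[0]

USERS = {b"alice": b"correct horse"}        # constructed sample account
```

Under this method the password itself never crosses the link: the client returns a hash bound to the packet identifier and the server's random challenge, and the server compares it with the value it computes from its stored copy.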