This article mainly introduces EAPOL. Its detailed definition can be looked up in two documents, IEEE Std 802.1X-2004 and IEEE Std 802.1X-2010. The core content of the two documents is largely the same; the 2010 version is defined in more detail but is also harder to understand, so it is recommended to understand the 2004 version first, which makes the rest easier to read. The 2010 version introduces more terms, adds more references and describes conformance in more detail, so that the standard can be applied to more encryption scenarios and make up for the shortcomings of the 2004 version.
We need not go too deeply into the differences in the first five chapters of the two standards. They mainly cover the definition of 802.1X, terminology, scope, normative references and the conformance statement; if you run into obstacles later in your reading, come back to those pages. For the first five chapters we only need to know the following:
802.1X is a port-based network access control protocol. "Port-based network access control" means that user devices are authenticated and controlled at the level of the LAN access device's ports. A user device connected to a port can access resources on the LAN if it passes authentication; if it does not, it cannot access LAN resources, which is equivalent to the physical connection being disconnected.
If you read the previous article, you should understand that EAPOL is used to carry EAP in a LAN: it mainly carries EAP packets to complete the 802.1X authentication process. EAPOL also works at the LLC layer, which is understood mainly from Chapter 6.
First, comparison of Chapter 6
Port-based network control allows network administrators to restrict the use of service access points (ports) in wireless LANs, so that systems can be authenticated and authorized for the purpose of secure communication.
Here are some of the core concepts of 802.1X:
1. PAE (Port Access Entity)
A PAE is the entity that performs the algorithms and protocol operations associated with a given port of a device in an 802.1X system. The device-side (authenticator) PAE uses the authentication server to authenticate the client that wants to access the LAN, and controls the authorized/unauthorized state of the controlled port according to the authentication result. The client (supplicant) PAE is responsible for responding to the device side's authentication requests and submitting the user's authentication information to the device side. The client PAE can also proactively send authentication requests and logoff requests to the device side.
2. Controlled ports and uncontrolled ports
The device side provides a port through which the client accesses the LAN; this port is divided into two logical ports, the controlled port and the uncontrolled port.
The uncontrolled port is always in a bidirectionally connected state and is used mainly to pass EAPOL protocol frames, ensuring that the client is always able to send and receive authentication messages.
In the authorized state the controlled port is bidirectionally connected and is used to carry business (data) traffic; in the unauthorized state it is forbidden from receiving any frames from the client.
The controlled and uncontrolled ports are two parts of the same physical port, and any frame that reaches the port is visible on both the controlled and the uncontrolled port.
3. Controlled direction
In the unauthorized state, the controlled port can be set to bidirectional control or unidirectional control.
· When bidirectionally controlled, both sending and receiving of frames are prohibited;
· When unidirectionally controlled, frames from the client are not received, but frames may still be sent to the client.
For the two versions of 802.1X, the main differences in Chapter 6 are:
· The MAC Security Entity (SecY) specified in IEEE Std 802.1AE
· Link Aggregation as specified in IEEE Std 802.1AX (6.5)
· IEEE Std 802.11 (6.6)
· IEEE Std 802.1AR (5.7, 8.11.2)
802.1X-2010 adds several descriptions of lower-layer cryptographic mechanisms: IEEE Std 802.1AE for MAC-layer encryption, IEEE Std 802.1AX for link aggregation, IEEE Std 802.11 (6.6) for media-dependent link-layer communication, and IEEE Std 802.1AR for device identity. Looking up the relevant documents shows that these lower-layer security protocols were developed after 2004, which is why the 802.1X-2010 version incorporates them. Below we compare the 802.1X workflow in the 2004 version and the 2010 version:
Comparing the two diagrams, the first is clearly more straightforward, because it describes only the part of the second diagram above the red line, that is, only up to encryption at the LLC layer; MAC, media and hardware identity are not described. Once you have actually worked out the 2004 content, the 2010 content becomes much simpler. Encryption below the LLC layer is not described here; at least in the products and hostapd code I have worked with, there was nothing related to it. It is enough to know that it exists and to refer to the relevant documentation when you run into it. In fact, I checked: in the latest hostapd code, IEEE Std 802.1AE support was added in March 2014, so the latest hostapd code actually already supports 802.1X-2010.
Second, comparison of Chapter 7
Chapter 7 of 802.1X-2004 describes the encapsulation of EAPOL messages, whereas Chapter 7 of 802.1X-2010 describes applications of the PAC and moves the description of EAPOL PDUs to Chapter 11. The picture below is one of those applications; you can see that the new version adds descriptions of VLAN, bridge, MAC SecY and so on, with a corresponding security standard at each layer from the hardware layer up to the LLC layer. It looks perfect, but in practice it is difficult to apply.
However, most of us are still using the 802.1X-2004 version, which is mature and stable. Here is a look at the encapsulation of EAPOL frames in Chapter 7 of 802.1X-2004.
1. Format of the EAPOL packet
EAPOL is the message encapsulation format defined by 802.1X. It is mainly used to transmit EAP protocol messages between the client and the device side, so that EAP messages can be carried over a LAN. The format is shown in Figure 3.
Figure 3 EAPOL packet format
PAE Ethernet Type: the protocol type, which is 0x888e.
Protocol Version: the version number of the EAPOL protocol supported by the sender of the EAPOL frame.
Type:
· EAP-Packet (value 0x00): authentication information frame, used to carry EAP authentication information;
· EAPOL-Start (value 0x01): authentication initiation frame;
· EAPOL-Logoff (value 0x02): logoff request frame;
· EAPOL-Key (value 0x03): key information frame;
· EAPOL-Encapsulated-ASF-Alert (value 0x04): used to support ASF (Alert Standard Forum) alert messages.
Length: the length of the data, that is, of the Packet Body field, in bytes. A value of 0 means there is no Packet Body.
Packet Body: its format depends on the Type.
EAPOL-Start, EAPOL-Logoff and EAPOL-Key exist only between the client and the device side. Between the device side and the authentication server, EAP-Packet messages are re-encapsulated in the RADIUS protocol so that they can reach the authentication server across a complex network. EAPOL-Encapsulated-ASF-Alert carries network management information, such as various alerts, and is terminated at the device side.
2. Format of EAP packets
When the Type field of the EAPOL packet is EAP-Packet, the Packet Body is an EAP packet, whose structure is shown in Figure 4.
Figure 4 EAP packet format
Code: the type of EAP packet; there are four: Request, Response, Success and Failure.
Identifier: used to match Request and Response messages.
Length: the length of the EAP packet, including Code, Identifier, Length and Data, in bytes.
Data: determined by Code.
Success and Failure packets have no Data field, and their Length field has the value 4. The Data field of Request and Response packets is shown in Figure 5.
Figure 5 Format of the Data field for Request and Response packets
Type: the EAP authentication type. A value of 1 means Identity, used to query the peer's identity; a value of 4 means MD5-Challenge, similar to the PPP CHAP protocol, and contains a challenge message.
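As an added example (not code from the article or from hostapd), the following Python parses the EAPOL header and the embedded EAP packet field by field as described above, and rejects frames whose Length fields are inconsistent with each other; the sample frames are constructed here, not captured.

```python
import struct
from collections import namedtuple

# EAPOL Type values and EAP Code values as listed on the page (802.1X-2004, RFC 3748)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EapPacket = namedtuple("EapPacket", "code identifier length eap_type type_data")  # eap_type None for Success/Failure

def parse_eap(body: bytes) -> EapPacket:
    # EAP header: Code(1) Identifier(1) Length(2); Length counts the whole EAP packet
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or length < 4 or length > len(body):
        raise ValueError("bad EAP Code or Length")
    data = body[4:length]
    if code in (3, 4):          # Success/Failure: no Data field, Length must be exactly 4
        if length != 4:
            raise ValueError("Success/Failure must have Length 4")
        return EapPacket(code, ident, length, None, b"")
    if not data:                # Request/Response: Data begins with the Type byte
        raise ValueError("Request/Response missing Type")
    return EapPacket(code, ident, length, data[0], data[1:])

def parse_eapol(frame: bytes):
    # EAPOL PDU following EtherType 0x888E: Version(1) Type(1) Length(2) Body
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError("unknown EAPOL Type %d" % ptype)
    if length > len(frame) - 4:  # Ethernet padding after the Body is fine, truncation is not
        raise ValueError("EAPOL Length exceeds frame")
    body = frame[4:4 + length]
    eap = parse_eap(body) if ptype == 0 else None   # only EAP-Packet carries an EAP packet
    return version, ptype, body, eap

def is_wellformed(frame: bytes) -> bool:
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False

# Constructed samples: EAPOL v1 EAP-Packet carrying EAP Request/Identity (Identifier 0x2a) followed by
# two bytes of Ethernet padding that the Length field tells us to ignore, and a bare EAPOL-Start.
SAMPLE_REQ_IDENTITY = bytes.fromhex("01000005" "012a000501" "0000")
SAMPLE_START = bytes.fromhex("01010000")
```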
3. Encapsulation of EAP attributes
RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. The RADIUS message format is described in the RADIUS protocol introduction of the AAA/RADIUS/HWTACACS configuration in the Security volume.
1. EAP-Message
This attribute is used to encapsulate the EAP packet. As shown in Figure 6, the type code is 79 and the String field holds up to 253 bytes; if the EAP packet is longer than 253 bytes it can be fragmented and carried in several EAP-Message attributes.
Figure 6 EAP-Message attribute encapsulation
2. Message-Authenticator
This attribute is used when authentication methods such as EAP are in use, to protect Access-Request packets from eavesdropping. A packet that contains an EAP-Message attribute must also contain a Message-Authenticator; otherwise the packet is considered invalid and discarded. As shown in Figure 7, the type code is 80 and the length is 18 bytes.
Figure 7 Message-Authenticator attribute
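The following Python is an added example, not code from the article or from any RADIUS implementation: it fragments an EAP packet into EAP-Message (79) attributes, computes the 18-byte Message-Authenticator (80) as an HMAC-MD5 keyed with the shared secret (RFC 3579), and verifies it on the receiving side, rejecting a packet whose attribute is missing or whose content was altered. The EAP packet and the shared secret are constructed placeholders.

```python
import hmac, hashlib, struct
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RADIUS attribute type codes named on the page
MAX_STRING = 253                              # largest String field one attribute can carry

def eap_message_attrs(eap_packet: bytes) -> bytes:
    # Split an EAP packet over consecutive EAP-Message (79) attributes of at most 253 data bytes;
    # the receiver concatenates their String fields in order to rebuild the EAP packet.
    out = b""
    for i in range(0, len(eap_packet), MAX_STRING):
        chunk = eap_packet[i:i + MAX_STRING]
        out += struct.pack("!BB", EAP_MESSAGE, 2 + len(chunk)) + chunk
    return out

def build_access_request(ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Header: Code(1)=1 Access-Request, Identifier(1), Length(2), Request Authenticator(16).
    # Message-Authenticator (80) is 18 bytes: 2-byte header + HMAC-MD5 over the whole packet
    # with its own value zeroed, keyed with the shared secret (RFC 3579 section 3.2).
    body = attrs + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def iter_attrs(pkt: bytes):
    # Walk the attribute list after the 20-byte header, yielding (offset, type, value)
    off = 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield off, atype, pkt[off + 2:off + alen]
        off += alen

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    # A packet carrying EAP-Message with no Message-Authenticator is invalid and is dropped
    ma = None
    for off, atype, value in iter_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            ma = (off, value)
    if ma is None:
        return False
    off, received = ma
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def reassemble_eap(pkt: bytes) -> bytes:
    return b"".join(v for _, t, v in iter_attrs(pkt) if t == EAP_MESSAGE)

# Constructed sample: EAP Response/Identity "user" (Identifier 0x2a) and a placeholder secret
SAMPLE_EAP = bytes.fromhex("022a00090175736572")
SAMPLE_SECRET = b"constructed-shared-secret"
```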
Third, comparison of Chapter 8
Chapter 8 of both documents is mainly about implementation. Below is a comparison of the interfaces between EAPOL and EAP:
The differences need no elaboration; the EAPOL and EAP interfaces are in fact similar, but the latter is better packaged and organized. The interaction variables can be understood by referring to the previous article. For a standard implementation we are more concerned with the state machine transitions. The 802.1X-2004 specification defines 5 different state machines for the EAPOL supplicant, as follows:
· Port Timers SM: port timeout control state machine.
· Supplicant PAE SM: PAE is the abbreviation for Port Access Entity. This state machine is used to maintain port state.
· Supplicant Backend SM: the specification does not spell out the function of this state machine, but I think it is mainly used to send EAPOL response messages to the authenticator.
· Key Receive SM: a state machine that handles key-related processing (EAPOL-Key frames).
· Supplicant Key Transmit SM: this state machine is optional, so WPAS (wpa_supplicant) does not implement it.
1) Apart from the five state machines of the supplicant, the specification defines four state machines for the authenticator.
The authenticator also needs to implement the Port Timers SM and the Key Receive SM.
2) These state machines are collectively referred to as PACP (Port Access Control Protocol) in the specification.
1. Global variables
The interaction between the state machines uses global variables; the following is only part of them, as described in 802.1X-2004 8.2.2.2.
2. SUPP PACP state machines
(1) Port Timers SM
The function of the PT SM is simple: once every second it is triggered from the ONE_SECOND state into the TICK state, and in the TICK state it decrements the values of some variables. Note that in the 2010 version the diagram combines supplicant and authenticator into one; some of the variables are used by both sides, but some are used only by the authenticator.
(2) Key Receive SM
· The KR SM consists of two states. The first is NO_KEY_RECEIVE. When rxKey (a boolean that becomes true when the supplicant receives an EAPOL-Key frame) is true, the KR SM enters the KEY_RECEIVE state.
· In the KEY_RECEIVE state the KR SM calls the processKey function to process the EAPOL-Key message.
(3) PAE SM
txStart: sends EAPOL-Start messages to the authenticator.
txLogoff: sends EAPOL-Logoff messages to the authenticator.
(4) Backend SM
abortSupp: stops the authentication work and releases the related resources.
getSuppResp: this function is intended to obtain the EAP response information, which is then sent with txSuppResp. In WPAS, however, the function does not do anything meaningful.
txSuppResp: sends an EAPOL-Packet to the authenticator.
Summary:
This article is relatively shallow, mainly a summary from the web plus some of my own ideas. In fact, there is not much difficult content in EAPOL; it is just detailed and tedious. If you have mastered the previous article, you can simply read the document for this part, so I did not spend much space introducing it; after all, EAPOL in hostapd is mainly used to carry EAP packets, and application-layer development involves it very little. Those who want to learn more can read the standard documents in detail.
HOSTAPD wpa_supplicant Madwifi Detailed analysis (13)--eapol (802.1x-2004/ieee Std 802.1x-2010)