The 802.1X protocol originates from the 802.11 protocol, the latter being the standard wireless LAN protocol. Its main purpose is to solve access authentication for LAN users, and it has since been applied to general wired LAN access. Before 802.1X, enterprise wired LANs had no direct means of controlling a port, and did not need one. With the spread of wireless LANs and the large-scale connection of LANs to telecom networks, however, it became necessary to control ports in order to achieve user-level access control. 802.1X is the standard defined by the IEEE to address port-based access control.
II. Role
1. 802.1X is an authentication protocol: a method and policy for authenticating users.
2. 802.1X is a port-based authentication policy (the port can be a physical port or a logical port such as a VLAN; on a wireless LAN the "port" is a channel).
3. The ultimate goal of 802.1X authentication is to determine whether a port is available. If authentication succeeds, the port is "opened" and all frames may pass; if authentication fails, the port stays "closed" and only 802.1X authentication frames, EAPOL (Extensible Authentication Protocol over LAN), are allowed through.
III. System
The 802.1X authentication system is divided into three parts:
Supplicant system, the client (PC or network device):
The client is a device that needs to access the LAN and use the services behind the switch. It must support the EAPOL protocol and run 802.1X client software.
Authenticator system, the authentication system:
The switch (an edge switch or wireless access device) controls physical access according to the client's authentication status and acts as a proxy between the client and the authentication server. The switch and client communicate over EAPOL; the switch and the authentication server communicate over EAPoR (EAP over RADIUS) or EAP carried in another higher-layer protocol, so that the exchange can traverse a complex network to reach the authentication server. The switch asks the client for its identity, repackages the EAP message it receives into a RADIUS message, forwards it to the authentication server, and passes the reply back the same way; it then opens or closes the port according to the authentication result. (The 802.1X protocol is terminated inside the device and converted into standard RADIUS messages; the authentication algorithm is the PPP CHAP algorithm, so any authentication and accounting server that supports PPP CHAP can interoperate with the device.)
Authentication server system, the authentication server:
The authentication server verifies the client's identity and tells the switch whether the client may use the services provided by the LAN and the switch. It accepts the authentication request relayed on behalf of the client, and when authentication completes the result is returned to the client and the port is managed accordingly. Because EAP is flexible, in addition to the port states defined by IEEE 802.1X, the authentication server can also be used to authenticate and distribute other user-related information, such as VLANs, QoS, cryptographic keys, DHCP responses, and so on.
IV. Authentication ports
Uncontrolled port: can be regarded as the EAP port. No authentication control is applied and it is always in the bidirectional connected state. It is used mainly to carry EAPOL frames before authentication has passed, so that the client can always send and receive authentication messages.
Controlled port: before authentication passes, only EAPOL authentication frames and broadcast messages (DHCP, ARP) may pass through the port; no other business data may flow. After authentication it enters the bidirectional connected state and carries normal business traffic.
Logical controlled port: one physical port is shared by several clients. When a client has not passed authentication, only its authentication messages may pass through the physical port and its business data may not, but the business traffic of other, already authenticated clients is unaffected.
Three cases are in use today:
1. Only one user on a physical port is authenticated (other users' authentication requests are ignored while that authentication is in progress), and once it succeeds the other users can also access network services.
2. Multiple users on the same physical port are authenticated separately, and the number of simultaneous users on the port is limited (a limit on the number of MAC addresses) without specifying which MAC addresses; the system learns MAC addresses first come, first served, rejects requests beyond the limit, and when a user leaves, the MAC address that exited can be overwritten by a new one.
3. VLAN authentication control for users on different physical ports: a user may access only the specified VLAN and is denied access to unauthorized VLANs; the user accesses the specified VLAN through the controlled port, and the same user can access the same VLAN from different ports.
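The port model above as an added Python illustration (not from the original article or any vendor's code): authorisation is tracked per source MAC as in the logical controlled port, with the MAC-count cap of case 2 and a server-assigned VLAN as in case 3. For simplicity only EAPOL (EtherType 0x888E) passes before authentication, so the DHCP/ARP broadcast allowance mentioned above is left out; MAC addresses are constructed from the documentation range.

```python
ETHERTYPE_EAPOL = 0x888E   # the only EtherType the uncontrolled port needs to carry before authentication

class ControlledPort:
    """One physical port in the 'logical controlled port' model: authorisation is tracked per source MAC,
    and max_hosts caps the authorised MACs first come, first served (case 2; None means no cap)."""

    def __init__(self, max_hosts=None):
        self.max_hosts = max_hosts
        self.authorized = {}   # source MAC -> VLAN assigned by the authentication server (None = port default)

    def authorize(self, mac, vlan=None):
        """The switch relayed EAP-Success for this MAC. Returns False when the host cap rejects it."""
        if mac not in self.authorized and self.max_hosts is not None and len(self.authorized) >= self.max_hosts:
            return False
        self.authorized[mac] = vlan
        return True

    def logoff(self, mac):
        """EAPOL-Logoff or unanswered handshakes: forget the MAC so another host can take the slot."""
        self.authorized.pop(mac, None)

    def admit(self, src_mac, ethertype):
        """Return (passes, vlan). EAPOL always passes (uncontrolled port); any other frame passes only
        from an authorised MAC (controlled port) and is placed in that host's VLAN."""
        if ethertype == ETHERTYPE_EAPOL:
            return True, None
        if src_mac in self.authorized:
            return True, self.authorized[src_mac]
        return False, None

def scenario_case_two():
    """Case 2 on a port capped at one MAC, with constructed documentation-range MAC addresses."""
    port = ControlledPort(max_hosts=1)
    steps = [port.admit("00:00:5e:00:53:01", ETHERTYPE_EAPOL)[0],   # EAPOL-Start passes before authentication
             port.admit("00:00:5e:00:53:01", 0x0800)[0],            # IPv4 data is dropped before authentication
             port.authorize("00:00:5e:00:53:01", vlan=10),          # EAP-Success, server assigned VLAN 10
             port.authorize("00:00:5e:00:53:02"),                   # second host: cap reached, rejected
             port.admit("00:00:5e:00:53:01", 0x0800)[1]]            # data now passes, tagged VLAN 10
    port.logoff("00:00:5e:00:53:01")                                # EAPOL-Logoff frees the slot
    steps.append(port.authorize("00:00:5e:00:53:02"))               # the freed slot is reused
    return steps                                                    # [True, False, True, False, 10, True]
```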
V. Trigger modes and authentication methods
The 802.1X authentication process can be initiated by the client or actively by the device side. In client-initiated mode, the client proactively sends an EAPOL-Start message to the device side to trigger authentication. Device-initiated mode supports clients that cannot send EAPOL-Start messages themselves. There are two specific ways in which the device can trigger authentication:
1. DHCP message trigger: the device triggers 802.1X authentication for a user after receiving the user's DHCP request message. This applies only when the client obtains its IP address automatically through DHCP.
2. Unknown source MAC trigger: when the device receives a frame with an unknown source MAC address, it actively triggers 802.1X authentication for that user. If the device receives no response from the client within the configured time, the message is re-sent.
Regardless of the triggering method, the 802.1X authentication system uses EAP to exchange authentication information between the client, the device side, and the authentication server. Between the client and the device side, EAP packets are encapsulated in the Ethernet-based EAPOL format and carried in network data frames; between the device side and the RADIUS server, EAP messages can be exchanged in two ways:
1. EAP Relay: when an EAP message from the client reaches the device side, it is encapsulated directly in a RADIUS packet in EAPoR format and sent to the RADIUS server, which extracts the client's authentication information from the encapsulated EAP message and authenticates the client. The advantage of this method is that the device side's work is very simple: it does no processing of the client's EAP message beyond wrapping it in EAPoR, and pays no attention to the authentication information inside. In this mode the device side and the RADIUS server can support a variety of EAP authentication methods, but the server must support the method actually being used.
2. EAP Termination: the client's EAP message is terminated at the device side, which extracts the client's authentication information from it and encapsulates that information in standard RADIUS (no longer EAPoR format). The client is then authenticated against the RADIUS server using PAP or CHAP (the legitimate user's user name and password must, of course, be configured on the RADIUS server). The advantage of this method is that current RADIUS servers generally support PAP and CHAP already, so no server upgrade is needed; the drawback is a heavier workload on the device side, which must both extract the client authentication information from the EAP messages and encapsulate it in standard RADIUS, and no EAP authentication method other than MD5-Challenge is supported.
VI. Authentication process
EAP Relay authentication principle
In EAP relay authentication, the device acts as a relay agent, forwarding the exchange between the client and the authentication server by encapsulating and decapsulating EAPoR. The whole process authenticates the user name first and then the corresponding password:
1. When the user accesses the network, the 802.1X client program starts automatically, prompts the user for the user name and password already created on the RADIUS server, and sends a connection request. Because the port's initial state is unauthorized, at this point the port can neither receive nor send any packets other than IEEE 802.1X protocol packets. The client program sends an authentication request frame (EAPOL-Start) to the device side to initiate the authentication process.
2. After receiving the client's authentication request frame, the device side issues an identity-type EAP request frame (EAP-Request/Identity), asking the client to send the user name the user entered in the previous step.
3. After receiving the identity request frame from the device side, the client program replies with an identity-type EAP response frame (EAP-Response/Identity) carrying the user name.
4. The device side places the EAP message from the client's identity response frame, unchanged, into a RADIUS packet (RADIUS Access-Request) in EAPoR format and sends it to the authentication server for processing.
5. After receiving the RADIUS packet from the device and extracting the user name from it, the RADIUS server compares it with the list of user names in its database, finds the password corresponding to that user name, and hashes the password with a randomly generated MD5 challenge. It then encapsulates the MD5-Challenge message in EAPoR format in a RADIUS Access-Challenge message and sends it to the device side.
6. After receiving the Access-Challenge message from the RADIUS server in EAPoR format, the device side unpacks the MD5 challenge message and forwards it to the client.
7. After receiving the MD5-Challenge message from the device, the client hashes its password with the challenge, builds an EAP-Response/MD5-Challenge message and sends it to the device side.
8. The device side likewise forwards this EAP-Response/MD5-Challenge message to the RADIUS server, encapsulated in EAPoR format inside a RADIUS message (RADIUS Access-Request).
9. The RADIUS server compares the received hashed password information with the result of its own local computation in step 5; if they match, the user is considered legitimate and the server sends an authentication-passed message (RADIUS Access-Accept) to the device side.
10. After receiving the RADIUS Access-Accept message, the device side passes the EAP-Success message carried in EAPoR on to the client and changes the port to the authorized state, allowing the user to access the network through the port.
11. While the user is online, the device side monitors the user's online status by periodically sending handshake messages to the client.
12. After receiving a handshake message, the client sends a reply to the device indicating that the user is still online. By default, if two consecutive handshake requests sent by the device go unanswered by the client, the device side takes the user offline, preventing a situation where the user has gone offline for abnormal reasons and the device cannot perceive it.
13. The client can send an EAPOL-Logoff frame to the device side to actively request going offline.
14. After receiving the EAPOL-Logoff frame from the client, the device side changes the port state from authorized to unauthorized and sends an EAP-Failure message to the client to confirm that the client has gone offline.
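Steps 2 to 10 of the relay flow as an added Python example (not part of the original article): it encodes EAP and EAPOL headers, computes the EAP-MD5 response the client sends in step 7 (MD5 over Identifier, password and challenge, as specified in RFC 3748) and has the server recompute and compare it in step 9. The user database, account, challenge and NAS name are constructed; the RADIUS transport between switch and server is not modelled, the EAP payloads are simply handed across as the relay would do.

```python
import hashlib, hmac, os, struct
# Constructed sample account, standing in for the user list held by the RADIUS server (assumption).
USER_DB = {"alice": b"correct horse"}
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol_frame(eap):
    """EAPOL header (Version 1, Type 0 = EAP-Packet) that carries EAP between client and switch."""
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

def parse_eap(packet):
    """Return (code, identifier, type or None, type-data); reject a Length that disagrees with the buffer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet")
    body = packet[4:length]
    return code, ident, (body[0] if body else None), body[1:]

def md5_response_value(ident, secret, challenge):
    """EAP-MD5 response value (RFC 3748, CHAP-style): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def server_check(username, ident, challenge, value):
    """Step 9 on the RADIUS server: recompute from the stored secret and compare in constant time."""
    secret = USER_DB.get(username)
    return secret is not None and hmac.compare_digest(md5_response_value(ident, secret, challenge), value)

def eap_md5_exchange(username, password, challenge=None):
    """Steps 2-10 with client, switch and server in one process; returns EAP_SUCCESS or EAP_FAILURE."""
    challenge = challenge or os.urandom(16)        # step 5: the server, not the switch, picks it
    frame = eapol_frame(eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))            # step 2
    _, ident, _, _ = parse_eap(frame[4:])         # client strips the 4-byte EAPOL header
    resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, username.encode())  # step 3
    _, _, _, claimed = parse_eap(resp)            # steps 4-5: relayed in Access-Request, name read by server
    req = eap_packet(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE,
                     bytes([len(challenge)]) + challenge + b"nas")   # steps 5-6: Value-Size, Value, Name
    _, ident, _, data = parse_eap(req)            # step 7: client reads Value-Size, not the buffer size
    size = data[0]
    if size == 0 or 1 + size > len(data):
        raise ValueError("MD5-Challenge Value-Size out of range")
    value = md5_response_value(ident, password, data[1:1 + size])
    resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + value + username.encode())
    _, ident, _, data = parse_eap(resp)           # step 8: relayed to the server in another Access-Request
    ok = server_check(claimed.decode(), ident, challenge, data[1:1 + data[0]])
    return EAP_SUCCESS if ok else EAP_FAILURE     # steps 9-10: Access-Accept -> EAP-Success, else EAP-Failure
```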
EAP Termination authentication method
The main difference between EAP termination and the EAP relay process is that the MD5 challenge used to hash the user's password in step 4 is generated by the device side (rather than by the RADIUS server); the device side then sends the user name, the MD5 challenge and the client's hashed password information together to the RADIUS server for authentication processing. The specific process is as follows.
MAC Bypass Authentication
During 802.1X authentication, the device first prompts the user to authenticate with 802.1X, but if the user does not perform 802.1X authentication for a long time, the device sends the user's MAC address to the authentication server as both user name and password. MAC bypass authentication allows terminals that cannot install or run 802.1X client software, such as printers, to be authenticated in an 802.1X system with their MAC address as user name and password.
Talking about 802.1X Authentication