IEEE 802.1X was developed by the IEEE 802.1 working group as a port-based network access control mechanism for IEEE 802 LANs. Although it is now best known from wireless LAN security, it is widely deployed on Ethernet switch ports, where it solves the problems of authentication and access security at the point where a device joins the network.
802.1X is a client/server access control and authentication protocol. It prevents unauthorized users and devices from reaching the LAN or WLAN through an access port: a user or device connected to a switch port is authenticated before it can obtain any of the services provided by the switch or the LAN. Until authentication succeeds, 802.1X allows only EAPOL (Extensible Authentication Protocol over LAN) frames through the switch port the device is connected to; once authentication succeeds, normal data traffic passes through the Ethernet port.
An 802.1X system is a typical client/server structure consisting of three entities: the client (the supplicant), the device (the authenticator), and the authentication server.
The client is the entity at one end of the LAN segment that is authenticated by the device at the other end of the link. It is usually a user terminal; the user initiates 802.1X authentication by starting the client software. The client must support EAPOL (Extensible Authentication Protocol over LAN).
The device is the entity at the other end of the LAN segment, and it authenticates the client connected to it. It is usually a network device that supports 802.1X, such as a switch, and it provides the client with a port for accessing the LAN. That port can be either a physical port or a logical port.
The authentication server is the entity that provides authentication services to the device. It authenticates, authorizes, and accounts for users, and is usually a RADIUS (Remote Authentication Dial-In User Service) server.
- When the user wants network access, they open the 802.1X client program, enter the user name and password that were registered in advance, and initiate a connection request. The client program sends a frame requesting authentication (EAPOL-Start) to the switch, which begins the authentication process.
- On receiving the frame requesting authentication, the switch sends a request frame (EAP-Request/Identity) asking the client program for the entered user name.
- The client program answers the switch's request by sending the user name in a data frame. The switch forwards the client's frame to the authentication server for processing.
- After receiving the user name forwarded by the switch, the authentication server looks the name up in its user database and finds the corresponding password. It then generates a random challenge value and sends that challenge to the switch, which passes it on to the client program.
- When the client program receives the challenge from the switch, it combines the password with the challenge using a one-way function (in EAP-MD5 this is an MD5 hash, so the result cannot be reversed to recover the password) and sends the result to the authentication server through the switch.
- The authentication server computes the same value from the stored password and the challenge it issued, and compares it with the value received from the client. If the two match, the user is considered legitimate: the server returns an authentication-success message and instructs the switch to open the port, allowing the user's service traffic to reach the network through it.
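The exchange described above, as an added example that is not part of the original article: a small simulation in Python of the supplicant (client program), the authenticator (switch) and the authentication server using EAPOL framing and the EAP-MD5 challenge method (RFC 3748 / RFC 1994). The user table, user names and passwords are constructed for the example; a real switch would carry the EAP packets to the server inside RADIUS, which is omitted here.

```python
import hashlib
import os
import struct

# EAPOL PDU (IEEE 802.1X): version(1) type(1) body-length(2) body
EAPOL_VERSION = 1
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1

# EAP (RFC 3748) codes and method types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4


def eapol(pkt_type, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, pkt_type, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    # EAP packet: code(1) identifier(1) length(2) [type(1) type-data]
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    eap_type = pkt[4] if length > 4 else None
    return code, ident, eap_type, pkt[5:]


def md5_response(ident, password, challenge):
    # EAP-MD5 reuses CHAP (RFC 1994): MD5(identifier || secret || challenge).
    # The function is one-way, so the password itself never crosses the wire.
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    """The client program: holds the user's credentials and answers EAP requests."""

    def __init__(self, username, password):  # constructed credentials for the example
        self.username = username.encode()
        self.password = password.encode()

    def start(self):
        return eapol(EAPOL_TYPE_START)  # EAPOL-Start: ask the switch to authenticate us

    def handle(self, request):
        code, ident, eap_type, data = parse_eap(request)
        if code != EAP_REQUEST:
            return None
        if eap_type == EAP_TYPE_IDENTITY:
            reply = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.username)
        elif eap_type == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[1:1 + data[0]]  # value-size(1) followed by the challenge
            digest = md5_response(ident, self.password, challenge)
            reply = eap(EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + digest)
        else:
            return None
        return eapol(EAPOL_TYPE_EAP_PACKET, reply)


class AuthServer:
    """Stand-in for the RADIUS server: user table, challenge generation, verification."""

    def __init__(self, users):
        self.users = {u.encode(): p.encode() for u, p in users.items()}
        self.pending = {}  # identifier -> (user name, challenge) awaiting a response

    def handle(self, response):
        code, ident, eap_type, data = parse_eap(response)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            next_id = (ident + 1) & 0xFF
            challenge = os.urandom(16)  # fresh per attempt: a captured digest cannot be replayed
            self.pending[next_id] = (data, challenge)
            return eap(EAP_REQUEST, next_id, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + challenge)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5_CHALLENGE and ident in self.pending:
            username, challenge = self.pending.pop(ident)
            password = self.users.get(username)
            if password is not None and data[1:1 + data[0]] == md5_response(ident, password, challenge):
                return eap(EAP_SUCCESS, ident)
        return eap(EAP_FAILURE, ident)


class Authenticator:
    """The switch: strips EAPOL, relays EAP to the server, drives the controlled port."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False

    def authenticate(self, supplicant):
        frame = supplicant.start()
        if frame[1] != EAPOL_TYPE_START:
            return False
        request = eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)  # the switch asks for the user name
        while True:
            frame = supplicant.handle(request)
            if frame is None:
                break
            reply = self.server.handle(frame[4:])  # EAP body; in reality carried inside RADIUS
            if reply[0] == EAP_SUCCESS:
                self.port_authorized = True  # open the controlled port for service traffic
                return True
            if reply[0] == EAP_FAILURE:
                break
            request = reply
        self.port_authorized = False
        return False


if __name__ == "__main__":
    switch = Authenticator(AuthServer({"alice": "s3cret"}))
    print("alice/s3cret ->", switch.authenticate(Supplicant("alice", "s3cret")), switch.port_authorized)
    print("alice/wrong  ->", switch.authenticate(Supplicant("alice", "wrong")), switch.port_authorized)
```

Note that the server never sends the password or a hash of it; it sends only the random challenge and compares the client's answer against its own computation, which is the point the step list above makes. EAP-MD5 is shown because it is the simplest method matching the description; it offers no server authentication and is not suitable for wireless use, where TLS-based methods are the norm.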
The device side provides the client with a port for accessing the LAN. This port is divided into two logical ports: a controlled port and an uncontrolled port. Any frame arriving at this port is visible on both the controlled and uncontrolled ports.
The uncontrolled port is always in the bidirectional state. It is mainly used to transmit EAPOL protocol frames to ensure that the client can always send or receive authentication packets.
The controlled port is bidirectionally connected in the authorized state and carries service (user data) packets. In the unauthorized state it does not accept any packets from the client.
The device authenticates a client that wants to join the LAN by way of the authentication server, and sets the controlled port to the authorized or unauthorized state according to the authentication result (Accept or Reject).
The figure shows the effect of the controlled port's authorization state on packets passing through the port, comparing the port status of two 802.1X authentication systems.
The administrator controls the authorization status of the port through the access control mode configured on the port. The port supports the following three access control modes:
Force-authorized mode (authorized-force): the port is always in the authorized state, so users can access network resources without authentication or authorization.
Force-unauthorized mode (unauthorized-force): the port is always in the unauthorized state and users are not allowed to authenticate; the device provides no authentication service to clients on the port.
Auto mode (auto): the port starts in the unauthorized state, in which only EAPOL packets can be sent and received and the user cannot access network resources. If authentication succeeds, the port switches to the authorized state and the user can access network resources. This is the most common configuration.
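To make the controlled/uncontrolled port split and the three access control modes concrete, here is an added example (not from the original article) of a port model in Python run over a constructed frame sequence. EAPOL frames (EtherType 0x888E) always reach the uncontrolled port; the verdict field on an EAPOL frame stands in for the Accept or Reject that the authentication server returns at the end of the exchange, and service frames are forwarded only while the controlled port is authorized.

```python
EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800

FORCE_AUTHORIZED, FORCE_UNAUTHORIZED, AUTO = "force-authorized", "force-unauthorized", "auto"


class Port:
    """One switch port: uncontrolled (EAPOL) side and controlled (service traffic) side."""

    def __init__(self, mode=AUTO):
        if mode not in (FORCE_AUTHORIZED, FORCE_UNAUTHORIZED, AUTO):
            raise ValueError("unknown access control mode: %r" % mode)
        self.mode = mode
        self.auth_result = None  # last Accept/Reject from the server; only meaningful in auto mode

    def controlled_port_authorized(self):
        if self.mode == FORCE_AUTHORIZED:
            return True  # always open, no authentication needed
        if self.mode == FORCE_UNAUTHORIZED:
            return False  # always closed, authentication is never offered
        return self.auth_result == "Accept"

    def handle(self, frame):
        """Return what the port does with one frame arriving from the client.

        A frame is a dict with an "ethertype"; EAPOL frames may carry "verdict",
        standing in for the server's Accept/Reject at the end of the exchange.
        """
        if frame["ethertype"] == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAPOL is always received, but only auto mode runs authentication.
            if self.mode == AUTO and "verdict" in frame:
                self.auth_result = frame["verdict"]
                return "eapol-authenticated" if self.auth_result == "Accept" else "eapol-rejected"
            return "eapol-ignored"
        # Controlled port: service traffic passes only in the authorized state.
        return "forward" if self.controlled_port_authorized() else "drop"


def trace(mode, frames):
    port = Port(mode)
    return [port.handle(f) for f in frames]


# Constructed sequence: data before authentication, a successful exchange, data,
# a later re-authentication that is rejected, and data again.
SEQUENCE = [
    {"ethertype": IPV4_ETHERTYPE},
    {"ethertype": EAPOL_ETHERTYPE, "verdict": "Accept"},
    {"ethertype": IPV4_ETHERTYPE},
    {"ethertype": EAPOL_ETHERTYPE, "verdict": "Reject"},
    {"ethertype": IPV4_ETHERTYPE},
]

if __name__ == "__main__":
    for mode in (AUTO, FORCE_AUTHORIZED, FORCE_UNAUTHORIZED):
        print(mode, trace(mode, SEQUENCE))
```

In auto mode the same data frame is dropped before the exchange, forwarded after the Accept, and dropped again after the Reject; the forced modes ignore the server entirely, which is why force-authorized should be reserved for ports where bypassing authentication is a deliberate decision.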
The security of the 802.1X protocol itself has long been a focus of attacks and criticism. This problem has plagued 802.1X for a long time and has limited its adoption: 802.1X authenticates the port at the start of a session, and on a wired port the frames that follow are not protected by 802.1X itself, which is why it is paired with link-layer encryption (IEEE 802.1AE, MACsec) where per-frame protection is required.