802.1X Authentication
Overview
To resolve wireless local area network (LAN) security issues, the Institute of Electrical and Electronics Engineers (IEEE) 802 LAN/wide area network (WAN) committee developed the 802.1X protocol. Later, the 802.1X protocol was widely applied as a common access control mechanism on LAN interfaces for authentication and security on Ethernet networks.
The 802.1X protocol is an interface-based network access control protocol. It controls users' access to network resources by authenticating the users on access interfaces.
As shown in Figure 1, an 802.1X system uses a standard client/server architecture with three components: client, access device, and authentication server.
- Client: an entity on the LAN segment, which is authenticated by the access device on the same LAN segment. The client is usually a user terminal. The user triggers 802.1X authentication using client software. The client must support Extensible Authentication Protocol over LAN (EAPoL).
- Access device: an entity on the LAN segment, which authenticates the connected client. The access device is usually a network device that supports the 802.1X protocol. The device provides an interface for the client to access the LAN.
- Authentication server: an entity that provides the authentication service for the access device. The authentication server, which is usually a RADIUS server, carries out authentication, authorization, and accounting on users.
Authentication Triggering Modes
- Triggered by the client: A user starts the client and enters the user name and password. The client then sends an EAP packet to the access device to trigger authentication.
- Triggered by the access device: When receiving a DHCP/ARP packet from a user terminal, the access device proactively enables the user terminal to display the client page and prompt the user to enter the user name and password. After the user name and password are entered, the authentication is started.
Authentication Modes
- The EAP packets transmitted between the client and access device are encapsulated in EAPoL format and transmitted across the LAN.
- The access device and authentication server (for example, a RADIUS server) exchange EAP packets in the following modes:
- EAP relay: The access device relays EAP packets. The device encapsulates EAP packets in EAP over RADIUS (EAPoR) format and sends the packets to the RADIUS server for authentication. This authentication mode simplifies device processing and supports various EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. However, the RADIUS server is required to support corresponding authentication methods.
- EAP termination: The access device terminates EAP packets. The device encapsulates client authentication information into standard RADIUS packets, which are then authenticated by the server using the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). This authentication mode is applicable since mainstream RADIUS servers support PAP and CHAP authentication and server update is unnecessary. However, device processing is complex, and the device supports only the MD5-Challenge EAP authentication method.
The device supports the following EAP protocols: EAP-TLS, EAP-TTLS, EAP-PAP, EAP-CHAP (EAP-MD5), and EAP-PEAP.
Authentication Process
Figure 2 shows the 802.1X authentication process in EAP relay mode.
When a user needs to access an external network, the user starts the 802.1X client program, enters the applied and registered user name and password, and initiates a connection request. At this time, the client sends an authentication request packet to the device to start the authentication process.
After receiving the authentication request packet, the device sends a user name request packet, requesting the client to send the previously entered user name.
In response to the request sent by the device, the client sends the user name to the device.
The device sends the user name to the authentication server for processing.
After receiving the user name forwarded by the device, the authentication server verifies the user password.
- The authentication server uses the user name to search the user name list in the database to find the corresponding user password.
- The authentication server encrypts the password with a randomly generated MD5 challenge, and sends the MD5 challenge to the client through the access device.
- After receiving the MD5 challenge from the device, the client encrypts the password with the MD5 challenge and sends the encrypted password to the authentication server through the access device.
- The authentication server compares the encrypted password received and the locally encrypted password. If the two passwords are the same, the user is considered authorized; if they are different, the user is considered unauthorized.
After the password verification succeeds, the authentication server sends an authentication success packet to the access device.
After receiving the authentication success packet, the device sends a packet indicating that the authentication is successful to the client, changes the interface status to authorized, and allows the user to access the network through the interface.
If the user wants to go offline, the client sends a logoff packet to the device.
The access device changes the interface status from authorized to unauthorized. It sends an authentication failure packet to the client and concurrently deletes the user login information.
Steps 4 and 5 are different in the authentication processes in EAP termination and relay modes. In EAP termination mode, when sending the user name from the client to the authentication server, the access device randomly generates an MD5 challenge to the client. (In this mode, the MD5 challenge is not generated by the authentication server.) The access device then sends the user name, MD5 challenge, and encrypted password to the authentication server for processing.