2015年6月9日 星期二

IEEE 802.1X principle and function implementation



  • IEEE 802.1X is an IEEE Standard for port-based Network Access Control (“port” means the same physical connection to the LAN infrastructure). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices to connect to a LAN, either establishing a connection or preventing the connection if authentication fails. IEEE 802.1X prevents what is called “port hi-jacking”; that is, when an unauthorized computer gets access to a network by getting to a network jack inside or outside a building. IEEE 802.1X is useful in, for example, network video applications since network cameras are often located in public spaces where a network jack can pose a security risk. In today’s enterprise networks, IEEE 802.1X is becoming a basic requirement for anything that is connected to a network.

  • Three basic terms in 802.1X.
    1. Supplicant -- user, client
    2. Authentication server  -- RADIUS server
    3. Authenticator -- devices. ex: switch.


  • The protocol used in 802.1X is Extensible Authentication Protocol encapsulation over LANs (EAPOL). There are a number of modes of operation, but the most common case would look something like this (see Figure 1):

    1. The authenticator sends an “EAP-Request/Identity” packet to the supplicant as soon as it detects that the network link is active (e.g., the supplicant, for example a network camera in a network video system, is connected to the switch).
    2. The supplicant sends an “EAP-Response/Identity” packet to the authenticator.
    3. The “EAP-Response/Identity” packet is then passed on to the authentication (RADIUS) server by the authenticator.
    4. The authentication server sends back a challenge to the authenticator, such as with a token password system.
    5. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant. Different authentication methods will vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication.
    6. The supplicant responds to the challenge by the authenticator.
    7. The authenticator passes the response to the challenge onto the authentication server.
    8. If the supplicant provides proper identity, the authentication server responds with a success message to the authenticator.
    9. The success message is then passed onto the supplicant by the authenticator. The authenticator now allows access of the supplicant to the LAN, possibly restricted based on attributes that came back from the authentication server. For example, the authenticator might switch the supplicant to a particular virtual LAN or install a set of firewall rules.