IEEE 802.1X principle and function implementation
- IEEE 802.1X is an IEEE Standard for port-based Network Access Control (a "port" here is a single point of attachment to the LAN infrastructure, such as a switch port). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices that want to connect to a LAN, either establishing the connection or blocking it if authentication fails. IEEE 802.1X prevents what is called "port hijacking", that is, an unauthorized computer gaining access to a network simply by plugging into a network jack inside or outside a building. IEEE 802.1X is useful in, for example, network video applications, since network cameras are often located in public spaces where an exposed network jack poses a security risk. In today's enterprise networks, IEEE 802.1X is becoming a basic requirement for anything that is connected to the network.
- The three roles in 802.1X:
1. Supplicant -- the user or client device that requests access
2. Authentication server -- the RADIUS server that validates the credentials
3. Authenticator -- the network device that controls the port, ex: a switch
- The protocol used in 802.1X is the Extensible Authentication Protocol (EAP), carried directly in Ethernet frames as EAP over LAN (EAPOL). There are a number of modes of operation, but the most common case looks something like this (see Figure 1):
1. The authenticator sends an "EAP-Request/Identity" packet to the supplicant as soon as it detects that the network link is active (e.g., the supplicant, for example a network camera in a network video system, is connected to the switch).
2. The supplicant sends an "EAP-Response/Identity" packet to the authenticator.
3. The authenticator passes the "EAP-Response/Identity" packet on to the authentication (RADIUS) server.
4. The authentication server sends a challenge back to the authenticator, as in a token password system.
5. The authenticator extracts the EAP message from the RADIUS (IP) packet, repackages it into EAPOL and sends it to the supplicant. Different authentication methods vary this message and the total number of messages. EAP supports both client-only authentication and strong mutual authentication.
6. The supplicant responds to the challenge via the authenticator.
7. The authenticator passes the response to the challenge on to the authentication server.
8. If the supplicant has proven its identity, the authentication server responds with a success message to the authenticator.
9. The authenticator passes the success message on to the supplicant and now allows the supplicant access to the LAN, possibly restricted based on attributes returned by the authentication server. For example, the authenticator might place the supplicant in a particular virtual LAN or install a set of firewall rules.
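The nine steps above, as an added worked example that is not part of the original post: a small Python model of the three roles exchanging real EAPOL/EAP packet layouts (IEEE 802.1X EAPOL header, RFC 3748 EAP header), with the switch holding its port "unauthorized" until the server returns EAP-Success. The challenge in step 4 is carried out with EAP-MD5, the simplest standard method that shows the challenge/response shape; the RADIUS transport between authenticator and server is replaced by a direct call, the Ethernet header is omitted, and the user database, identities and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# EAPOL header fields (IEEE 802.1X): version, packet type, body length
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_LOGOFF = 0, 2
# EAP codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
# Constructed credential store standing in for the RADIUS server's user database
USERS = {b"camera01": b"correct horse battery"}

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, then type + type-data (none for Success/Failure)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol_frame(packet_type, body=b""):
    """Wrap an EAP packet in an EAPOL header (Ethernet header with EtherType 0x888E omitted)."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body

def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return ptype, body

def parse_eap(body):
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length != len(body):
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("EAP request/response needs a type byte")
    return code, ident, body[4], body[5:]

def md5_challenge_response(ident, secret, challenge):
    """EAP-MD5 response value (RFC 3748 s.5.4 / RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class AuthenticationServer:
    """Stands in for the RADIUS server: issues the challenge (step 4) and verifies the answer (step 8)."""
    def __init__(self, users):
        self.users, self.sessions = users, {}

    def handle(self, response):
        _code, ident, eap_type, data = parse_eap(response)
        if eap_type == EAP_TYPE_IDENTITY:
            next_id, challenge = (ident + 1) % 256, os.urandom(16)
            self.sessions[next_id] = (data, challenge)  # remember which identity was challenged
            return eap_packet(EAP_REQUEST, next_id, EAP_TYPE_MD5_CHALLENGE,
                              bytes([16]) + challenge + b"auth-server")
        identity, challenge = self.sessions.pop(ident, (None, None))
        secret = self.users.get(identity)
        if eap_type == EAP_TYPE_MD5_CHALLENGE and secret is not None and challenge is not None:
            expected = md5_challenge_response(ident, secret, challenge)
            if hmac.compare_digest(data[1:1 + data[0]], expected):
                return eap_packet(EAP_SUCCESS, ident)
        return eap_packet(EAP_FAILURE, ident)

class Authenticator:
    """The switch: keeps the port closed until the server says Success, relays EAP in between."""
    def __init__(self, server):
        self.server, self.port_state, self.next_id = server, "unauthorized", 0

    def link_up(self):
        self.next_id += 1  # step 1: EAP-Request/Identity as soon as the link comes up
        return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY))

    def receive(self, frame):
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_LOGOFF:
            self.port_state = "unauthorized"
            return None
        if ptype != EAPOL_EAP_PACKET:
            return None
        reply = self.server.handle(body)  # steps 3 and 7: hand the response to the server
        code = parse_eap(reply)[0]
        if code in (EAP_SUCCESS, EAP_FAILURE):  # step 9: open the controlled port only on Success
            self.port_state = "authorized" if code == EAP_SUCCESS else "unauthorized"
        return eapol_frame(EAPOL_EAP_PACKET, reply)  # steps 5 and 9: repackage into EAPOL

class Supplicant:
    """The client, e.g. a network camera; its secret never leaves this object in clear."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def receive(self, frame):
        _ptype, body = parse_eapol(frame)
        code, ident, eap_type, data = parse_eap(body)
        if code != EAP_REQUEST:
            return None  # Success or Failure ends the exchange
        if eap_type == EAP_TYPE_IDENTITY:  # step 2
            return eapol_frame(EAPOL_EAP_PACKET,
                               eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity))
        if eap_type == EAP_TYPE_MD5_CHALLENGE:  # step 6: answer with a hash, not the password
            digest = md5_challenge_response(ident, self.secret, data[1:1 + data[0]])
            return eapol_frame(EAPOL_EAP_PACKET, eap_packet(
                EAP_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + digest + self.identity))
        return None

def run_8021x(identity, secret, users=USERS):
    """Drive one full exchange and return the authenticator's final port state."""
    switch = Authenticator(AuthenticationServer(users))
    supplicant = Supplicant(identity, secret)
    frame, rounds = switch.link_up(), 0
    while frame is not None and rounds < 8:  # bounded so a misbehaving peer cannot loop forever
        reply = supplicant.receive(frame)
        frame = switch.receive(reply) if reply is not None else None
        rounds += 1
    return switch.port_state

if __name__ == "__main__":
    print("good credentials ->", run_8021x(b"camera01", b"correct horse battery"))
    print("wrong password   ->", run_8021x(b"camera01", b"guess"))
```

Run it and the first exchange ends with the port "authorized" after three EAPOL round trips, the second with it "unauthorized". The model shows why step 9 matters for defence: until EAP-Success arrives the authenticator forwards nothing but EAPOL on that port, so a device plugged into the jack with no valid credentials sees only EAP-Request/Identity. EAP-MD5 is used here only because it is the shortest method that exhibits the challenge/response of step 4; it authenticates the client only and derives no keys, which is why enterprise deployments use the mutual-authentication methods the text mentions, such as EAP-TLS or PEAP.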