What is 802.1X? 802.1X authentication, also known as Extensible Authentication Protocol Over Ethernet (EAPOE) authentication, is primarily designed to address the issue of user access authentication in local area networks (LANs).
What is 802.1X?
The IEEE 802 LAN/WAN committee proposed the 802.1X protocol to solve wireless LAN network security issues. Later on, the 802.1X protocol became widely used as a common access control mechanism for LAN interfaces in Ethernet networks, primarily addressing authentication and security concerns within Ethernet networks. 802.1X authentication utilizes a particular authentication method of the RADIUS protocol, following a typical client/server structure involving the endpoint, RADIUS client, and RADIUS server.
Unlike other access control mechanisms, 802.1X protocol achieves user-level access control by controlling the access ports.
In the 802.1X protocol, physical access ports are divided into two logical ports: controlled ports and uncontrolled ports, facilitating the separation of business and authentication. Its ultimate goal is to determine the availability of a user's access port. If the authentication is successful, the port is opened, allowing all client packets to pass through. If the authentication fails, the port remains closed, only allowing EAPOL protocol frames to pass.
Principles of 802.1X Authentication:
802.1X authentication process supports two authentication methods between the device and the RADIUS server: EAP relaying and EAP termination. The following sections explain the working principles of these two authentication methods, using client-initiated authentication as an example.
EAP Relaying Authentication:
During the EAP relaying authentication process, the device acts as a relaying agent to forward the interaction packets between the client and the authentication server through EAPOL encapsulation and de-encapsulation. The entire authentication process involves username authentication followed by password authentication.
1. When a user accesses the network, the 802.1X client program is automatically launched, and the user enters the previously created username and password in the RADIUS server as prompted, initiating the connection request. As the port is initially in an unauthorized state, except for IEEE 802.1X protocol packets, it cannot receive or send any other packets. At this point, the client program sends an authentication request frame (EAPOL-Start) to the device, initiating the authentication process.
2. Upon receiving the client's authentication request frame, the device sends an Identity-type EAP request frame (EAP-Request/Identity), requesting the client program to send the username entered in the previous step.
3. Upon receiving the device's Identity request frame, the client program responds by sending the username information through an Identity-type EAP response frame (EAP-Response/Identity) to the device, fulfilling the device's request.
4. The device encapsulates the EAP message from the client's Identity response frame into a RADIUS message (RADIUS Access-Request) using EAPOL formatting and sends it to the authentication server for processing.
5. Upon receiving the RADIUS message from the device, the RADIUS server extracts the username information and compares it with the username list in the database. It finds the corresponding password information for the username, encrypts the password using a randomly generated MD5 Challenge message, and sends the MD5 Challenge message encapsulated in EAPOL formatting as a RADIUS Access-Challenge message back to the device.
6. The device, upon receiving the EAPOL-formatted Access-Challenge message from the RADIUS server, de-encapsulates it and forwards the MD5 Challenge message to the client.
7. The client, upon receiving the MD5 Challenge message from the device, encrypts the password using the challenge message, generates an EAP-Response/MD5 Challenge frame, and sends it to the device.
8. The device encapsulates the EAP-Response/MD5 Challenge frame into a RADIUS message (RADIUS Access-Request) using EAPOL formatting and sends it to the RADIUS server.
9. The RADIUS server compares the received encrypted password information with the locally encrypted password information from step 5. If they match, the user is considered legitimate, and the RADIUS server sends an authentication success message (RADIUS Access-Accept) to the device.
10. Upon receiving the RADIUS Access-Accept message, the device de-encapsulates it into an EAP-Success frame and sends it to the client, changing the port to an authorized state, allowing user access to the network through the port.
11. During the user's online session, the device periodically sends handshake frames to monitor the user's online status.
12. The client responds to the device by sending an acknowledgment frame upon receiving the handshake frame, indicating that the user is still online. By default, if the device does not receive two consecutive responses from the client, it will force the user offline to prevent situations where the device is unaware of the user going offline due to exceptional circumstances.
13. The client can send an EAPOL-Logoff frame to the device, actively requesting to go offline.
- Featured FAQ
- Everything About Switch Stack and How to Configure It
- What is RSSI Level Meaning and its Real-World Implications
- What are the Most Common DHCP Options & their Functions?
- What is a VPN Router and Why Use It
- How to Set Up a Guest Wi-Fi | Basics and Generic Methods
- What Does a DHCP Server Do: An Overview of DHCP
- What Are SFP Ports Used For: Everything You Should Know
- What is MU-MIMO and How Does it Work in Wi-Fi Networks?
- What is Open Flow Protocol Networking and How it Works?
- What is load balancing in networking and why we should make full use of it?
