Compare Products
Hide
VS
What is 802.1X? 802.1X authentication, also known as Extensible Authentication Protocol Over Ethernet (EAPOE) authentication, is primarily designed to address the issue of user access authentication in local area networks (LANs).
What is 802.1X?
The IEEE 802 LAN/WAN committee proposed the 802.1X protocol to solve wireless LAN network security issues. Later on, the 802.1X protocol became widely used as a common access control mechanism for LAN interfaces in Ethernet networks, primarily addressing authentication and security concerns within Ethernet networks. 802.1X authentication utilizes a particular authentication method of the RADIUS protocol, following a typical client/server structure involving the endpoint, RADIUS client, and RADIUS server.
Unlike other access control mechanisms, 802.1X protocol achieves user-level access control by controlling the access ports.
In the 802.1X protocol, physical access ports are divided into two logical ports: controlled ports and uncontrolled ports, facilitating the separation of business and authentication. Its ultimate goal is to determine the availability of a user's access port. If the authentication is successful, the port is opened, allowing all client packets to pass through. If the authentication fails, the port remains closed, only allowing EAPOL protocol frames to pass.
Principles of 802.1X Authentication:
802.1X authentication process supports two authentication methods between the device and the RADIUS server: EAP relaying and EAP termination. The following sections explain the working principles of these two authentication methods, using client-initiated authentication as an example.
EAP Relaying Authentication:
During the EAP relaying authentication process, the device acts as a relaying agent to forward the interaction packets between the client and the authentication server through EAPOL encapsulation and de-encapsulation. The entire authentication process involves username authentication followed by password authentication.
1. When a user accesses the network, the 802.1X client program is automatically launched, and the user enters the previously created username and password in the RADIUS server as prompted, initiating the connection request. As the port is initially in an unauthorized state, except for IEEE 802.1X protocol packets, it cannot receive or send any other packets. At this point, the client program sends an authentication request frame (EAPOL-Start) to the device, initiating the authentication process.
2. Upon receiving the client's authentication request frame, the device sends an Identity-type EAP request frame (EAP-Request/Identity), requesting the client program to send the username entered in the previous step.
3. Upon receiving the device's Identity request frame, the client program responds by sending the username information through an Identity-type EAP response frame (EAP-Response/Identity) to the device, fulfilling the device's request.
4. The device encapsulates the EAP message from the client's Identity response frame into a RADIUS message (RADIUS Access-Request) using EAPOL formatting and sends it to the authentication server for processing.
5. Upon receiving the RADIUS message from the device, the RADIUS server extracts the username information and compares it with the username list in the database. It finds the corresponding password information for the username, encrypts the password using a randomly generated MD5 Challenge message, and sends the MD5 Challenge message encapsulated in EAPOL formatting as a RADIUS Access-Challenge message back to the device.
6. The device, upon receiving the EAPOL-formatted Access-Challenge message from the RADIUS server, de-encapsulates it and forwards the MD5 Challenge message to the client.
7. The client, upon receiving the MD5 Challenge message from the device, encrypts the password using the challenge message, generates an EAP-Response/MD5 Challenge frame, and sends it to the device.
8. The device encapsulates the EAP-Response/MD5 Challenge frame into a RADIUS message (RADIUS Access-Request) using EAPOL formatting and sends it to the RADIUS server.
9. The RADIUS server compares the received encrypted password information with the locally encrypted password information from step 5. If they match, the user is considered legitimate, and the RADIUS server sends an authentication success message (RADIUS Access-Accept) to the device.
10. Upon receiving the RADIUS Access-Accept message, the device de-encapsulates it into an EAP-Success frame and sends it to the client, changing the port to an authorized state, allowing user access to the network through the port.
11. During the user's online session, the device periodically sends handshake frames to monitor the user's online status.
12. The client responds to the device by sending an acknowledgment frame upon receiving the handshake frame, indicating that the user is still online. By default, if the device does not receive two consecutive responses from the client, it will force the user offline to prevent situations where the device is unaware of the user going offline due to exceptional circumstances.
13. The client can send an EAPOL-Logoff frame to the device, actively requesting to go offline.
Ruijie Networks websites use cookies to deliver and improve the website experience.
See our cookie policy for further details on how we use cookies and how to change your cookie settings.
Cookie Manager
When you visit any website, the website will store or retrieve the information on your browser. This process is mostly in the form of cookies. Such information may involve your personal information, preferences or equipment, and is mainly used to enable the website to provide services in accordance with your expectations. Such information usually does not directly identify your personal information, but it can provide you with a more personalized network experience. We fully respect your privacy, so you can choose not to allow certain types of cookies. You only need to click on the names of different cookie categories to learn more and change the default settings. However, blocking certain types of cookies may affect your website experience and the services we can provide you.
Through this type of cookie, we can count website visits and traffic sources in order to evaluate and improve the performance of our website. This type of cookie can also help us understand the popularity of the page and the activity of visitors on the site. All information collected by such cookies will be aggregated to ensure the anonymity of the information. If you do not allow such cookies, we will have no way of knowing when you visited our website, and we will not be able to monitor website performance.
This type of cookie is necessary for the normal operation of the website and cannot be turned off in our system. Usually, they are only set for the actions you do, which are equivalent to service requests, such as setting your privacy preferences, logging in, or filling out forms. You can set your browser to block or remind you of such cookies, but certain functions of the website will not be available. Such cookies do not store any personally identifiable information.
Fale conosco
How can we help you?