Detailed explanation of the 802.1X protocol: working principle and authentication process, MAB authentication, EAPOL and EAP message formats

"Author's homepage": Shibie Sanri wyx
"About the author": CSDN top100, Alibaba Cloud blog expert, Huawei Cloud Sharing expert, high-quality creator in the field of network security

In the original IEEE 802 LAN standards, anyone who could physically reach the LAN could use its resources: plug a network cable into a switch port and you are on the network. That is a security risk.

The 802.1X protocol was introduced to address it.

1. What is the 802.1x protocol?

802.1X is a port-based network access control and authentication protocol. It works at the data link layer and prevents unauthorized users or devices from reaching the LAN/WLAN through an access port.
With 802.1X enabled, plugging a cable into a switch port no longer grants access: the device must first authenticate and be authorized on that port.

802.1X splits each physical access port into two logical ports, the controlled port and the uncontrolled port, so that authentication traffic is separated from business traffic.

  • The uncontrolled port is always open in both directions but passes only EAPOL frames, which guarantees that the client can always send and receive authentication messages. The authentication result (Accept/Reject) sets the authorization state of the controlled port.
  • The controlled port is in the unauthorized state by default and passes no traffic. Once authentication succeeds it moves to the authorized state and carries the business (data) traffic.

2. 802.1x architecture

802.1X uses a client/server architecture with three roles: the client, the access device, and the authentication server.


  • Client (Supplicant System): the user's terminal device. It runs 802.1X client (supplicant) software and initiates 802.1X authentication.
  • Access device (Authenticator System): a switch, wireless AP or similar network device that provides the (physical or logical) ports through which clients connect, relays authentication between client and server, and enforces the result on the port.
  • Authentication server (Authentication Server System): usually a RADIUS server that stores user credentials and decides whether a user is authenticated.

Extensions:

  • The Authenticator System is also called the NAS (Network Access Server). For ease of understanding, this article calls it the access device.

3. Trigger authentication

When a user wants to use the network, they open the 802.1X client and enter a username and password. Only users who pass authentication get network access; users who fail are kept off the network.

802.1X authentication can be initiated by the client or by the access device.

  • Client initiated: the client software sends an EAPOL-Start frame to the access device to trigger authentication.
  • Access device initiated: used where the client cannot, or does not, send EAPOL-Start itself; the access device sends an EAP-Request/Identity to the client.

The access device can initiate authentication in two ways:

  • DHCP-triggered: when the access device sees a DHCP request from the client, it starts 802.1X authentication for that user. This applies only to clients that obtain their IP address via DHCP. Because DHCP requests are broadcast and reach every device on the segment, the access device does not need to be the DHCP server to see them.
  • Unknown-source-MAC-triggered: when the access device receives a frame whose source MAC address it has not seen before, it starts 802.1X authentication for that user by sending an EAP-Request/Identity. If the client does not respond within the configured time, the request is retransmitted.

Whichever trigger is used, the authentication information itself is then exchanged using EAP.

4. Working principle/authentication process



After authentication is triggered, the 802.1X exchange begins. The description below covers EAP relay mode with the EAP-MD5 method (for ease of understanding, the access device is a switch and the authentication server is a RADIUS server):

1) When the user connects, the client sends an EAPOL-Start frame to the switch to begin 802.1X authentication.

2) The switch replies with an EAP-Request/Identity, asking the client for its username.

3) The client answers with an EAP-Response/Identity carrying the username.

4) The switch encapsulates the client's EAP response unchanged in a RADIUS Access-Request (as an EAP-Message attribute) and sends it to the RADIUS server.

5) The RADIUS server extracts the username, looks up the user's password in its database, generates a random MD5 challenge and computes the expected response digest from the challenge and the password (as in CHAP; MD5 is a hash, the password is not "encrypted"). It returns the challenge to the switch in a RADIUS Access-Challenge.

6) The switch forwards the challenge to the client as an EAP-Request/MD5-Challenge.

7) The client computes MD5 over the EAP Identifier, its password and the challenge, and returns the digest in an EAP-Response/MD5-Challenge.

8) The switch encapsulates that response in another RADIUS Access-Request and sends it to the RADIUS server.

9) The RADIUS server compares the received digest with the one it computed itself. If they match, it sends a RADIUS Access-Accept to the switch; otherwise it sends an Access-Reject.

10) The switch extracts the EAP-Success from the RADIUS message, sends it to the client, and sets the controlled port to the authorized state so the user can use the network through that port. Only now can DHCP assign the client an IP address.

11) Some switches periodically send handshake messages to the client to check that the user is still online. The client replies to show it is still there; if two consecutive handshakes go unanswered, the user is logged off.

12) The client can also log off actively by sending an EAPOL-Logoff frame. The switch then sets the port back to the unauthorized state and sends an EAP-Failure to the client to confirm that the session has ended.

Note that EAP-MD5 authenticates only the client, not the server, and derives no keying material, so it gives the client no protection against a rogue access device and cannot be used for WPA/WPA2-Enterprise wireless. A captured challenge/response pair also allows an offline dictionary attack on the password. Production deployments therefore use TLS-based methods such as EAP-TLS or PEAP; the EAP-MD5 exchange above remains the simplest way to see how relay mode works.
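The twelve steps above as a runnable model, added here as an example and not code from the original post: a supplicant, a relay-mode switch and a RADIUS server exchange EAP-MD5 messages, the switch's controlled port flips to authorized only on Access-Accept/EAP-Success and back to unauthorized on EAPOL-Logoff, and a final function shows why a sniffed MD5 challenge/response pair permits an offline dictionary attack. The user database, usernames and passwords are constructed sample data; messages are modelled as dictionaries rather than wire-format bytes, and the RADIUS transport is a direct function call.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample credential store on the RADIUS server (not real accounts).
USER_DB = {"alice": "correct horse battery staple", "bob": "hunter2"}

# EAP Code values and the two Type values used by EAP-MD5 (RFC 3748).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def md5_challenge_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 reuses the CHAP computation: MD5(Identifier || password || challenge).
    The password is hashed together with the challenge, not encrypted by it."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class Supplicant:
    """The client: answers Identity and MD5-Challenge requests."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def handle(self, request: dict) -> dict:
        if request["type"] == TYPE_IDENTITY:          # step 3
            data = self.username.encode()
        elif request["type"] == TYPE_MD5_CHALLENGE:   # step 7
            data = md5_challenge_response(request["id"], self.password, request["data"])
        else:
            raise ValueError("unsupported EAP method")
        return {"code": EAP_RESPONSE, "id": request["id"], "type": request["type"], "data": data}


class RadiusServer:
    """The authentication server: generates the challenge and gives the verdict."""

    def __init__(self, user_db: dict):
        self.user_db = user_db
        self.pending = {}  # EAP Identifier -> (username, challenge)

    def access_request(self, eap: dict) -> tuple:
        if eap["type"] == TYPE_IDENTITY:              # step 5
            challenge = secrets.token_bytes(16)
            next_id = (eap["id"] + 1) & 0xFF
            self.pending[next_id] = (eap["data"].decode(), challenge)
            return "Access-Challenge", {"code": EAP_REQUEST, "id": next_id,
                                        "type": TYPE_MD5_CHALLENGE, "data": challenge}
        username, challenge = self.pending.pop(eap["id"], (None, None))   # step 9
        password = self.user_db.get(username)
        if password is not None and secrets.compare_digest(
                md5_challenge_response(eap["id"], password, challenge), eap["data"]):
            return "Access-Accept", {"code": EAP_SUCCESS, "id": eap["id"]}
        return "Access-Reject", {"code": EAP_FAILURE, "id": eap["id"]}


class Authenticator:
    """The switch in EAP relay mode: relays EAP untouched and owns the controlled port."""

    def __init__(self, server: RadiusServer):
        self.server = server
        self.controlled_port_authorized = False
        self.trace = []                 # message names in the order they appear on the wire
        self.last_md5_exchange = None   # (identifier, challenge, response), what a sniffer sees

    def run(self, supplicant: Supplicant) -> bool:
        self.trace += ["EAPOL-Start", "EAP-Request/Identity"]                  # steps 1-2
        response = supplicant.handle({"code": EAP_REQUEST, "id": 1, "type": TYPE_IDENTITY, "data": b""})
        self.trace.append("EAP-Response/Identity")                             # step 3
        while True:
            self.trace.append("RADIUS Access-Request")                         # steps 4, 8
            radius_code, eap = self.server.access_request(response)
            self.trace.append("RADIUS " + radius_code)
            if eap["code"] != EAP_REQUEST:
                break
            self.trace.append("EAP-Request/MD5-Challenge")                     # step 6
            response = supplicant.handle(eap)                                  # step 7
            self.trace.append("EAP-Response/MD5-Challenge")
            self.last_md5_exchange = (eap["id"], eap["data"], response["data"])
        self.controlled_port_authorized = eap["code"] == EAP_SUCCESS           # step 10
        self.trace.append("EAP-Success" if self.controlled_port_authorized else "EAP-Failure")
        return self.controlled_port_authorized

    def logoff(self) -> None:
        self.trace += ["EAPOL-Logoff", "EAP-Failure"]                          # step 12
        self.controlled_port_authorized = False


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist) -> Optional[str]:
    """Why EAP-MD5 is weak: anyone who sniffed the challenge/response pair can test
    password guesses offline, with no further interaction with the server."""
    for guess in wordlist:
        if md5_challenge_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    switch = Authenticator(RadiusServer(USER_DB))
    print("alice authorized:", switch.run(Supplicant("alice", "correct horse battery staple")))
    print(" -> ".join(switch.trace))
    ident, chal, resp = switch.last_md5_exchange
    print("offline guess recovers:", offline_guess(ident, chal, resp, ["hunter2", "correct horse battery staple"]))
```

The `trace` list reproduces the message order of steps 1 to 10 (two RADIUS Access-Requests per login, one for the Identity and one for the digest), and `offline_guess` succeeds against the very same exchange, which is the concrete reason the MD5 method is restricted to lab use.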

5. Authentication modes


Besides the EAP relay mode described above, 802.1X access devices also support EAP termination. The two modes differ in where the EAP exchange ends and where the MD5 challenge is generated:
  • EAP relay: the access device forwards EAP packets unchanged, encapsulated in RADIUS (EAP-Message attributes). The authentication (RADIUS) server generates the MD5 challenge and verifies the client's digest; the switch is only an intermediary.
  • EAP termination: the access device (switch) itself generates the MD5 challenge and collects the client's digest, then sends the username, the challenge and the digest to the authentication server as ordinary RADIUS CHAP attributes (or, with the PAP variant, the username and password) for verification. This lets a RADIUS server that does not support EAP authenticate 802.1X users, but only for simple methods such as EAP-MD5; certificate-based methods such as EAP-TLS and PEAP are not terminated on the switch and must be relayed to the server.


5.1. MAB authentication

MAB (MAC Authentication Bypass) is also called MAC address authentication or MAC address allow-listing.
802.1X authentication requires the terminal to supply a username and password, but "dumb terminals" such as printers have no way to enter them, so the device's MAC address is used as the username (and password) instead.

1. First collect the MAC addresses of such devices and store them on the RADIUS server.

2. When a device connects and does not respond to 802.1X, the switch reads its source MAC address and sends it to the RADIUS server in an Access-Request with the MAC address as the username. If the address is in the list, the port is authorized; otherwise access is refused.

Because a MAC address is neither secret nor hard to change, MAB is an exception mechanism rather than real authentication of the device: anyone who learns a printer's MAC address can set it on a laptop and inherit the printer's access. Place MAB devices in a restricted VLAN or behind an ACL, and watch for the same MAC address appearing on more than one port.

Extensions:

  • A "MAB dumb terminal" is a device with no interactive interface on which an account and password could be entered, such as printers, scanners and IP phones.

6. EAPOL protocol message format

EAPOL (EAP over LANs) is the encapsulation format defined by 802.1X for carrying EAP packets directly in Ethernet frames between the client and the NAS, so that EAP can run on the LAN without an IP layer.


Field analysis:

  • PAE Ethernet Type: 2 bytes, the Ethernet protocol type; 802.1X is assigned 0x888E.
  • Protocol Version: 1 byte, the EAPOL version used by the sender (1 for 802.1X-2001, 2 for 802.1X-2004, 3 for 802.1X-2010).
  • Packet Type: 1 byte, the EAPOL frame type.
  • Packet Body Length: 2 bytes, the length of the Packet Body in bytes. For EAPOL-Start and EAPOL-Logoff this field is 0.
  • Packet Body: the payload; for an EAP-Packet it is the EAP packet described in the next section.

EAPOL data frame type (Packet Type):

  • EAP-Packet (value 0x00): carries an EAP packet. The access device re-encapsulates the EAP packet in a RADIUS message and sends it to the RADIUS server.
  • EAPOL-Start (value 0x01): authentication start frame; exists only between the client and the access device.
  • EAPOL-Logoff (value 0x02): logoff request frame; exists only between the client and the access device.
  • EAPOL-Key (value 0x03): key frame used to distribute or negotiate keys, for example the 4-way handshake that derives the WPA/WPA2 session keys on wireless networks. It does not encrypt the EAP messages themselves.

7. EAP protocol message format

802.1X uses EAP (Extensible Authentication Protocol) to carry authentication information between the client, the NAS and the authentication server.

When the Packet Type of an EAPOL frame is 0x00 (EAP-Packet), the Packet Body holds an EAP packet with the following layout.

Field analysis:

  • Code: 1 byte, the EAP packet type: 1 = Request, 2 = Response, 3 = Success, 4 = Failure.
  • Identifier: 1 byte, used to match a Response to the Request it answers (a retransmitted Request keeps the same Identifier).
  • Length: 2 bytes, the total length of the EAP packet in bytes (Code + Identifier + Length + Data).
  • Data: zero or more bytes, the contents of the EAP packet.

When Code is Success or Failure, the Data field is empty.
Data is present only in Request and Response packets, where it consists of a one-byte Type followed by the Type-Data. The Type values defined in the base specification are:

  • Type = 1, Identity: the Request asks the client for its username; the Response carries it.
  • Type = 2, Notification: optional, used to show the user a message such as a warning.
  • Type = 3, Nak (Response only): sent in reply to a Request whose Type the client does not support, listing the Types it would accept.
  • Type = 4, MD5-Challenge: a challenge/response like CHAP, using MD5.
  • Type = 5, One-Time Password (OTP): a one-time-password exchange.
  • Type = 6, Generic Token Card (GTC): a generic challenge/response for token cards.
  • Type = 254, Expanded Types: vendor-specific types identified by a vendor ID and vendor type.
  • Type = 255, Experimental use: reserved for experimenting with new types.

The methods in everyday use today are allocated from the same space, for example EAP-TLS (Type 13), EAP-TTLS (Type 21) and PEAP (Type 25).


Source: blog.csdn.net/wangyuxiang946/article/details/130018409