Analysis of Huawei wireless 802.1X authentication

1. 802.1X overview

The IEEE 802 LAN/WAN committee defined the 802.1X protocol to address the security problem of wireless LANs.

Later, 802.1X became a common access control mechanism for LAN interfaces and was widely deployed in Ethernet networks, mainly to solve authentication and security problems inside the Ethernet.

802.1X is a port-based network access control protocol. "Port-based network access control" means that the access device authenticates users on the LAN interfaces (ports) through which they connect, and controls their access to network resources according to the result of that authentication.

As shown in Figure 1, a typical 802.1X system has a client/server structure with three entities: the terminal, the RADIUS client and the RADIUS server.

Figure 1 802.1X authentication system diagram


  • Terminal: the entity at one end of the LAN segment, authenticated by the access control device (RADIUS client) at the other end of the link. The terminal must support EAPOL (Extensible Authentication Protocol over LAN); the user initiates authentication either with the operating system's built-in 802.1X client or with the AnyOffice 802.1X client.
  • Access control device: the entity at the other end of the LAN segment, which authenticates the terminal. It is usually a switch or an AC (wireless access controller) that supports 802.1X, and it provides the LAN interface through which the terminal accesses the network.
  • RADIUS server: the entity that provides authentication services to the access control device. It performs user authentication, authorization and accounting; the Agile Controller-Campus SC includes a RADIUS server.

802.1X authentication relies on the RADIUS protocol between the access control device and the server. Agile Controller-Campus acts as the RADIUS server that authenticates and authorizes users, which is the basis on which the 802.1X authentication system secures the network.

2. Wireless 802.1X authentication

For wireless 802.1X authentication it is recommended to use an AC attached in bypass mode to the aggregation-layer switch as the authentication point. The aggregation-layer switch steers user traffic to the AC, where authentication takes place.

It is recommended that the AC manage the APs centrally (AC + Fit AP) and that two VLANs be planned: a management VLAN (for AP management; a CAPWAP tunnel is recommended) and a service VLAN.

Figure 3 Wireless 802.1X authentication

2.1 Domain planning

  • Pre-authentication domain: resources that a user can reach before authenticating. These are public resources needed during the authentication process itself, such as the DHCP server, the DNS server and the Portal server (in the SC this is the Portal Server component).
  • Post-authentication domain: resources that only authenticated users can reach, such as critical systems like the finance system or the attendance query system. After authentication succeeds, the matching authorization rule (an ACL, for example) is applied.
  • Isolation domain: supported only when the AnyOffice client is used. It holds the resources a terminal may reach when it has authenticated but failed the security check, so that it can be remediated, for example the patch server and the virus signature server.

3. Authentication process

The 802.1X authentication processes with the operating system's built-in 802.1X client and with the AnyOffice client are shown in Figure 2 and Figure 3. The main difference is that a terminal using AnyOffice must, in addition to going online with the RADIUS server, also go online with the AuthServer (another module of Agile Controller-Campus, which is responsible for terminal management).

Figure 2 802.1X authentication process (operating system built-in 802.1X client)

Online (login) process:

  1. The user initiates an authentication request and sends the account name and password to the RADIUS client.
  2. The RADIUS client sends an Access-Request to the RADIUS server carrying the account name and password it obtained; the password is not sent in clear but hidden using the shared secret configured on both sides.
  3. The RADIUS server authenticates the account name and password. If authentication succeeds, it returns an Access-Accept to the RADIUS client; if it fails, it returns an Access-Reject. Because RADIUS combines authentication and authorization, the Access-Accept also carries the user's authorization information.
  4. The RADIUS client allows or denies the user according to the result. If access is allowed, it sends an accounting start request (Accounting-Request) to the RADIUS server.
  5. The RADIUS server returns an accounting start response (Accounting-Response) and accounting begins.

    Note:

    Agile Controller-Campus, acting as the RADIUS server, does not support charging; it uses the accounting packets only to determine whether a user is online. The accounting packet sending interval must therefore be configured identically on the access control device and on Agile Controller-Campus.

    When accounting starts, the user is added to the online-user lists of both the RADIUS client and the RADIUS server. When the user later accesses network resources, the RADIUS client looks the user up in its online-user list; if the entry exists, no new authentication is required.

  6. The user accesses network resources according to the authorization.

User-initiated logout (offline) process:

  1. The user issues a logout request.
  2. On receiving the request, the RADIUS client sends an accounting stop request (Accounting-Request) for the user to the RADIUS server.
  3. The RADIUS server returns an accounting stop response (Accounting-Response) and stops accounting.

    Note:

    When accounting stops, the user is deleted from the online-user lists of both the RADIUS client and the RADIUS server.

  4. The user's network access ends.

Process when an administrator forces the user offline from Agile Controller-Campus:

  1. On receiving the forced-offline request, the RADIUS server sends a DM-Request (Disconnect-Request, RFC 5176) to the RADIUS client. The message carries the session ID, the account name and the terminal IP address.
  2. The RADIUS client looks up its online-user list for the information in the DM-Request, forces the matching user offline, and returns a DM-ACK (Disconnect-ACK) to the RADIUS server to confirm.
  3. The RADIUS client sends an accounting stop request (Accounting-Request) to the RADIUS server.
  4. The RADIUS server returns an accounting stop response (Accounting-Response) and stops accounting.

    Note:

    When accounting stops, the user is deleted from the online-user lists of both the RADIUS client and the RADIUS server.

  5. The user's network access ends.
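The RADIUS messages behind two of the procedures above, the online process (steps 1 to 3: Access-Request with the password hidden under the shared secret, Access-Accept or Access-Reject) and the forced-offline process (Disconnect-Request, Disconnect-ACK or Disconnect-NAK), as an added example that is not part of the original post and is not Huawei or Agile Controller-Campus code. It models step 2 literally with the RFC 2865 User-Password attribute (PAP style); a real 802.1X deployment carries the credentials inside EAP-Message attributes and protects them with Message-Authenticator (RFC 3579), but the Response Authenticator and Disconnect-Request authenticator checks shown here are the same. The shared secret, account database, session ID and IP addresses are constructed values.

```python
"""RADIUS messages of the 802.1X online and forced-offline processes (RFC 2865, 2866, 5176).
Added demonstration, not Huawei or Agile Controller-Campus code; all values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 1, 2, 3, 40, 41, 42
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 2, 8, 44, 101
USERS = {"alice": b"S3cret-pass-longer-than-16"}  # constructed server-side account database

def encode_attrs(attrs):
    # Attribute = Type(1) Length(1) Value; Length counts the two header octets.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def packet(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def authenticator(code, ident, prev_auth, attrs, secret):
    # RFC 2865 3 / 2866 / 5176: MD5 over the packet with prev_auth in the Authenticator field, then the
    # secret. prev_auth is the Request Authenticator for a reply, 16 zero octets for a Disconnect-Request.
    return hashlib.md5(packet(code, ident, prev_auth, attrs) + secret).digest()

def password_xor(data, secret, req_auth, hide):
    # RFC 2865 5.2: the password is zero-padded to 16-octet blocks; block i is XORed with
    # MD5(secret || ciphertext block i-1), block 0 with MD5(secret || Request Authenticator).
    if hide:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (block if hide else data[i:i + 16]), out + block
    return out if hide else out.rstrip(b"\0")

# Online process, steps 1-3: the RADIUS client (NAS) sends Access-Request, the server answers.
def nas_access_request(ident, user, password, secret):
    req_auth = os.urandom(16)  # fresh per request; it also keys the password hiding
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, password_xor(password, secret, req_auth, True))]
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle_access(pkt, secret):
    code, ident, req_auth, attrs = parse(pkt)
    a = dict(attrs)
    user = a[USER_NAME].decode()
    ok = user in USERS and hmac.compare_digest(USERS[user], password_xor(a[USER_PASSWORD], secret, req_auth, False))
    # Authorization rides in the Accept (here a Framed-IP-Address); a Reject carries nothing.
    reply, rattrs = (ACCESS_ACCEPT, [(FRAMED_IP_ADDRESS, bytes([10, 2, 0, 5]))]) if ok else (ACCESS_REJECT, [])
    return packet(reply, ident, authenticator(reply, ident, req_auth, rattrs, secret), rattrs)

def nas_check_reply(req_pkt, reply_pkt, secret):
    # The NAS acts on a reply only if the Identifier matches and the Response Authenticator verifies.
    _, ident, req_auth, _ = parse(req_pkt)
    code, rid, rauth, rattrs = parse(reply_pkt)
    if rid != ident or not hmac.compare_digest(rauth, authenticator(code, rid, req_auth, rattrs, secret)):
        return None
    return code, dict(rattrs)

# Forced offline: the server sends Disconnect-Request, the NAS answers Disconnect-ACK or Disconnect-NAK.
def server_disconnect_request(ident, session_id, user, ip, secret):
    attrs = [(ACCT_SESSION_ID, session_id.encode()), (USER_NAME, user.encode()), (FRAMED_IP_ADDRESS, ip)]
    auth = authenticator(DISCONNECT_REQUEST, ident, b"\0" * 16, attrs, secret)
    return packet(DISCONNECT_REQUEST, ident, auth, attrs)

def nas_handle_disconnect(pkt, secret, online):
    code, ident, auth, attrs = parse(pkt)
    if not hmac.compare_digest(auth, authenticator(code, ident, b"\0" * 16, attrs, secret)):
        return None  # wrong secret or forged request: silently discard (RFC 5176 section 3)
    a = dict(attrs)
    sid = a[ACCT_SESSION_ID].decode()
    if online.get(sid) == (a[USER_NAME].decode(), a[FRAMED_IP_ADDRESS]):
        del online[sid]  # the user leaves the NAS online-user list
        reply, rattrs = DISCONNECT_ACK, []
    else:  # Error-Cause 503 = Session Context Not Found
        reply, rattrs = DISCONNECT_NAK, [(ERROR_CAUSE, struct.pack("!I", 503))]
    return packet(reply, ident, authenticator(reply, ident, auth, rattrs, secret), rattrs)

def demo(secret=b"constructed-shared-secret"):
    # Good login, bad password, a reply computed under another secret, then the forced-offline exchange.
    req = nas_access_request(7, "alice", USERS["alice"], secret)
    bad = nas_access_request(8, "alice", b"wrong", secret)
    online = {"sess-0001": ("alice", bytes([10, 2, 0, 5]))}  # NAS online-user list after accounting start
    dm = server_disconnect_request(9, "sess-0001", "alice", bytes([10, 2, 0, 5]), secret)
    return {"accept": nas_check_reply(req, server_handle_access(req, secret), secret)[0],
            "reject": nas_check_reply(bad, server_handle_access(bad, secret), secret)[0],
            "forged_reply": nas_check_reply(req, server_handle_access(req, b"other"), secret),
            "dm_ack": parse(nas_handle_disconnect(dm, secret, online))[0],
            "dm_nak": parse(nas_handle_disconnect(dm, secret, online))[0],  # same session, now gone
            "dm_forged": nas_handle_disconnect(dm, b"other", online), "online_left": len(online)}
```

Calling demo() walks a good login (Access-Accept), a wrong password (Access-Reject), a reply built under a different secret (discarded by the NAS because the Response Authenticator does not verify), a Disconnect-Request that removes the session (Disconnect-ACK), a repeat for a session no longer online (Disconnect-NAK with Error-Cause 503) and a Disconnect-Request under the wrong secret (silently dropped). The last three are the checks the forced-offline steps depend on: the RADIUS client must verify the Disconnect-Request authenticator and match the session in its own online-user list before dropping anyone, otherwise any host that can reach its RFC 5176 port can force users offline.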

References: Huawei Agile Controller-Campus Product Documentation


Original post: blog.51cto.com/20161215/2419060