Overview of 802.1X Authentication
Definition
802.1X defines a port-based network access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated.
Benefits
- 802.1X is a Layer 2 protocol and does not involve Layer 3 processing. It does not require high performance of access devices, reducing network construction costs.
- Authentication packets and data packets are transmitted through different logical interfaces, improving network security.
802.1X Authentication System
The 802.1X authentication system uses a standard client/server architecture with three components: the client, the access device, and the authentication server.
- The client is usually a user terminal. The user triggers 802.1X authentication using client software. The client must support Extensible Authentication Protocol over LAN (EAPoL).
- The access device is usually a network device that supports the 802.1X protocol. It provides a port, either physical or logical, for the client to access the LAN.
- The authentication server, typically a RADIUS server, carries out authentication, authorization, and accounting on users.
802.1X Authentication Protocol
Overview
In the 802.1X authentication system, the client, access device, and authentication server exchange information using the Extensible Authentication Protocol (EAP). EAP does not need an IP address and can run over various lower layers, including the data link layer and upper-layer protocols (such as UDP and TCP). This gives 802.1X authentication great flexibility.
- The EAP packets transmitted between the client and access device are encapsulated in EAPoL format and transmitted across the LAN.
- Between the access device and the authentication server, either of the following authentication modes can be used; the choice depends on client support and network security requirements:
- EAP termination mode: The access device terminates EAP packets and encapsulates them into RADIUS packets. The authentication server then uses the standard RADIUS protocol to implement authentication, authorization, and accounting.
- EAP relay mode: The access device directly encapsulates the received EAP packets into RADIUS using EAP over RADIUS (EAPoR) packets, and then transmits these packets over a complex network to the authentication server.
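As an added illustration of the EAPoL encapsulation mentioned above (example code written for this page, not taken from the original or from any vendor implementation), the following Python builds and parses EAPoL frames with the field layout defined by IEEE 802.1X and the EAP header defined by RFC 3748. The sample frames are constructed inline, the source MAC is a placeholder, and the parser rejects length fields that do not agree with the bytes actually present.

```python
"""EAPoL framing: Ethernet header (EtherType 0x888E, PAE group MAC),
EAPoL header (version, type, body length) and, for EAP-Packet frames,
the EAP header (code, identifier, length, type). Added example; all
frames are constructed here, nothing is captured from a real network."""
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # standard EAPoL destination
ETHERTYPE_EAPOL = 0x888E

# EAPoL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2

# EAP codes and the EAP types used in the flow on this page (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet; Success/Failure carry no type field or data."""
    body = b"" if code in (EAP_SUCCESS, EAP_FAILURE) else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(pkt_type, body=b"", src_mac=bytes(6), version=2):
    """Wrap an EAPoL body in Ethernet + EAPoL headers (src_mac is a placeholder)."""
    eth = PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, pkt_type, len(body)) + body


def parse_eapol(frame):
    """Parse a frame into a dict; raise ValueError on anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL headers")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field exceeds frame")
    out = {"version": version, "type": pkt_type, "body": body}
    if pkt_type == EAPOL_EAP_PACKET:
        if length < 4:
            raise ValueError("EAP header truncated")
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length field inconsistent with EAPoL body")
        out.update(code=code, identifier=identifier)
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if eap_len < 5:
                raise ValueError("EAP Request/Response is missing its type byte")
            out["eap_type"] = body[4]
            out["data"] = body[5:eap_len]
    return out


if __name__ == "__main__":
    # Constructed sample: the EAP-Response/Identity a client would send.
    frame = build_eapol(EAPOL_EAP_PACKET,
                        build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice"))
    print(frame.hex())
    print(parse_eapol(frame))
```

The parser is written the way an access device should treat untrusted link-layer input: every length field is checked against the bytes that actually arrived before any slice is taken, so a truncated or inconsistent frame is rejected rather than silently producing a short identity.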
802.1X Authentication Process
Triggering of 802.1X Authentication
802.1X authentication can be triggered in one of the following scenarios:
- A client sends an EAPoL-Start packet.
- A client sends a DHCP, ARP, DHCPv6, or ND packet, or any packet at all.
- The device sends an EAP-Request/Identity packet.
Authentication Processes in EAP Relay and EAP Termination Modes
In the 802.1X authentication system, the access device exchanges information with the RADIUS server in EAP relay or EAP termination mode.
- To access an external network, a user starts the 802.1X client program, enters the user name and password that have been applied for and registered, and initiates a connection request. The client then sends an EAPoL-Start packet to the access device to start the authentication process.
- After receiving the EAPoL-Start packet, the access device returns an EAP-Request/Identity packet to the client for its identity.
- Upon receipt of the EAP-Request/Identity packet, the client sends an EAP-Response/Identity packet that contains the user name to the access device.
- The access device encapsulates the EAP-Response/Identity packet into a RADIUS Access-Request packet and sends the RADIUS packet to the authentication server.
- After receiving the user name forwarded by the access device, the RADIUS server looks the user name up in its database to find the corresponding password, encrypts that password with a randomly generated MD5 challenge, and sends a RADIUS Access-Challenge packet containing the MD5 challenge to the access device.
- The access device forwards the MD5 challenge sent by the RADIUS server to the client.
- Upon receipt of the MD5 challenge, the client encrypts the password with the MD5 challenge, generates an EAP-Response/MD5-Challenge packet, and sends the packet to the access device.
- The access device encapsulates the EAP-Response/MD5-Challenge packet into a RADIUS Access-Request packet and sends the RADIUS packet to the RADIUS server.
- The RADIUS server compares the received encrypted password with the locally encrypted password. If the two passwords match, the user is considered to be valid and the RADIUS server sends a RADIUS Access-Accept packet (authentication is successful) to the access device.
- After receiving the RADIUS Access-Accept packet, the access device sends an EAP-Success packet to the client, changes the port state to authorized, and allows the user to access the network through the port.
- When the user is online, the access device periodically sends a handshake packet to the client to monitor the user.
- After receiving a handshake packet, the client sends a response packet to the access device, indicating that the user is still online. By default, the access device disconnects the user if it does not receive any response from the client after sending two consecutive handshake packets. The handshake mechanism allows the access device to detect unexpected user disconnections.
- To go offline, the client sends an EAPoL-Logoff packet to the access device.
- The access device changes the port state from authorized to unauthorized and sends an EAP-Failure packet to the client.
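The exchange described in the steps above, as an added example that is not part of the original page or any vendor's code: the three roles are in-process Python objects, the RADIUS leg is modelled as direct method calls rather than real Access-Request/Access-Challenge packets, and the MD5-Challenge response is computed as MD5(identifier || password || challenge) as specified in RFC 3748 section 5.4. The user database, credentials, and the "silent client" used to exercise the handshake timeout are all constructed for the example.

```python
"""EAP-MD5 flow: identity, challenge, response, port state change,
periodic handshake and EAPoL-Logoff. Added example with constructed data."""
import hashlib
import hmac
import os

HANDSHAKE_MAX_MISSES = 2   # page default: two unanswered handshakes -> user disconnected


def md5_response(identifier, password, challenge):
    """EAP-MD5 response value per RFC 3748 section 5.4."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class RadiusServer:
    """Authentication server: stores passwords, issues challenges, checks responses."""

    def __init__(self, users):
        self.users = users        # {user name: password bytes}; constructed data
        self.pending = {}         # user name -> (EAP identifier, challenge)

    def access_request_identity(self, username):
        """Access-Request carrying EAP-Response/Identity -> Access-Challenge or Reject."""
        if username not in self.users:
            return "Access-Reject", None
        identifier, challenge = 2, os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return "Access-Challenge", (identifier, challenge)

    def access_request_md5(self, username, response):
        """Access-Request carrying EAP-Response/MD5-Challenge -> Accept or Reject."""
        identifier, challenge = self.pending.pop(username, (None, None))
        if identifier is None:
            return "Access-Reject"
        expected = md5_response(identifier, self.users[username], challenge)
        # constant-time comparison of the locally computed value with the client's
        return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


class Client:
    """802.1X supplicant holding the user's credentials."""

    def __init__(self, username, password):
        self.username, self.password, self.online = username, password, True

    def response_identity(self):          # reply to EAP-Request/Identity
        return self.username

    def response_md5(self, identifier, challenge):   # reply to EAP-Request/MD5-Challenge
        return md5_response(identifier, self.password, challenge)

    def handshake_reply(self):
        return "online" if self.online else None     # None models a vanished client


class AccessDevice:
    """Authenticator: owns the controlled port and relays between client and server."""

    def __init__(self, radius):
        self.radius = radius
        self.port_state = "unauthorized"
        self.missed_handshakes = 0

    def authenticate(self, client):
        """Run the exchange from EAPoL-Start to EAP-Success / EAP-Failure."""
        username = client.response_identity()                   # EAP-Response/Identity
        msg, payload = self.radius.access_request_identity(username)
        if msg != "Access-Challenge":
            return self._failure()
        identifier, challenge = payload                          # forwarded to the client
        response = client.response_md5(identifier, challenge)    # EAP-Response/MD5-Challenge
        if self.radius.access_request_md5(username, response) != "Access-Accept":
            return self._failure()
        self.port_state, self.missed_handshakes = "authorized", 0
        return "EAP-Success"

    def _failure(self):
        self.port_state = "unauthorized"
        return "EAP-Failure"

    def handshake(self, client):
        """One periodic handshake; returns the port state afterwards."""
        if self.port_state != "authorized":
            return self.port_state
        if client.handshake_reply() is None:
            self.missed_handshakes += 1
            if self.missed_handshakes >= HANDSHAKE_MAX_MISSES:
                self.port_state = "unauthorized"
        else:
            self.missed_handshakes = 0
        return self.port_state

    def logoff(self):
        """EAPoL-Logoff from the client: port back to unauthorized, EAP-Failure sent."""
        return self._failure()


def run_scenarios():
    """Exercise success, wrong password, silent client and explicit logoff."""
    radius = RadiusServer({"alice": b"correct horse"})       # constructed user
    results, dev = {}, AccessDevice(radius)
    good = Client("alice", b"correct horse")
    results["good"] = (dev.authenticate(good), dev.port_state)
    good.online = False                                       # client disappears
    results["handshakes"] = [dev.handshake(good), dev.handshake(good)]
    dev2 = AccessDevice(radius)
    results["bad_pw"] = (dev2.authenticate(Client("alice", b"wrong")), dev2.port_state)
    dev3 = AccessDevice(radius)
    dev3.authenticate(Client("alice", b"correct horse"))
    results["logoff"] = (dev3.logoff(), dev3.port_state)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Two design points follow from the text. The password itself never crosses the network: only the challenge and the MD5 value derived from it do, and the server recomputes the same value from its stored copy. The handshake counter is reset on every answered handshake and only two consecutive misses deauthorize the port, which is exactly the default behaviour the page describes; a missed handshake after an explicit logoff is irrelevant because the port is already unauthorized.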