
Technical White Paper for Huawei 802.1X

Huawei Technologies Co., Ltd. October 2004

Table of Contents

1 Overview
2 Basic Operating Mechanism of 802.1X
  2.1 System Architecture
    2.1.1 Port PAE
    2.1.2 Controlled Port
    2.1.3 Controlled Direction
  2.2 Operating Mechanism
  2.3 Authentication Procedure
3 Characteristics of Huawei's 802.1X
  3.1 Authentication Trigger
    3.1.1 Standard EAP Trigger
    3.1.2 DHCP Trigger
    3.1.3 Proprietary Trigger of Huawei
    3.1.4 Trigger by the Supplicant's Static IP Address
  3.2 Authentication Mode
    3.2.1 PAP
    3.2.2 CHAP
    3.2.3 EAP
  3.3 Authentication Server
    3.3.1 EAP Termination Mode
    3.3.2 EAP Relay Mode
    3.3.3 Built-in Authentication Server
  3.4 Security Management and Service Control
    3.4.1 MAC-based User Feature Identification
    3.4.2 User Feature Binding
    3.4.3 Supplicant Version Detection
    3.4.4 Transparent Transmission of Messages
    3.4.5 Dynamic User Binding
    3.4.6 Guest VLAN
    3.4.7 Re-authentication
    3.4.8 Proxy Detection
    3.4.9 IP Address Management
    3.4.10 Port-based User Capacity Limit
    3.4.11 Trunk Port Authentication
    3.4.12 User Service Sending
    3.4.13 Unique Handshake Mechanism
    3.4.14 802.1X-based Controlled Multicast
  3.5 Complete Overall Solution
4 Typical Networking
  4.1 Centralized Authentication
  4.2 Peripheral Distributed Authentication
  4.3 Authentication via the Built-in Server
  4.4 Service Application: VLAN Sending
5 Conclusion and Prospect


Abstract

As a port-based mechanism for user access control, 802.1X features low cost, good service continuity and expandability, and high security and flexibility. Since it formally became one of the IEEE 802 series standards in June 2001, it has been quickly and widely supported and acknowledged by equipment manufacturers including Huawei, by network operators and by end users. This White Paper introduces the basic concepts and technical principles of 802.1X as well as the characteristics and networking of Huawei's 802.1X solution.

Key Words: 802.1X, controlled port, RADIUS, supplicant, authenticator system

Abbreviations

802.1X   IEEE 802.1X standard
RADIUS   Remote Authentication Dial In User Service
PAP      Password Authentication Protocol
CHAP     Challenge Handshake Authentication Protocol
EAP      Extensible Authentication Protocol
MD5      Message-Digest Algorithm 5
PAE      Port Access Entity
CAR      Committed Access Rate
AP       Access Point
PEAP     Protected EAP
EAP-TLS  EAP-Transport Layer Security


1 Overview
The full name of 802.1X is Port-Based Network Access Control. As a port-based user access control mechanism, 802.1X features low cost, good service continuity and expandability, and high security and flexibility. Since it formally became one of the IEEE 802 series standards in June 2001, it has been quickly and widely supported and acknowledged by equipment manufacturers including Huawei, by network operators and by end users.

A LAN as defined by the IEEE 802 protocols provides no access authentication: generally a user can reach the devices and resources in the network as soon as he is connected to the LAN. In scenarios such as telecom access, office buildings, enterprise LANs and mobile offices, however, network administrators want to control and configure which user devices may access the network. Hence the requirement for port-based or user-based network access control.

At present, 802.1X is widely applied in broadband MANs and campus networks. In today's fiercely competitive broadband network construction the basic services are similar, so the 802.1X technology and its extended service features often become the deciding factor. The 802.1X service of Huawei's VRP platform is compatible with the standard, and multiple extensions have been made to it as required.

2 Basic Operating Mechanism of 802.1X


2.1 System Architecture
The system architecture of IEEE 802.1X is shown in Figure 1. The 802.1X system consists of three entities: the supplicant, the authenticator system and the authentication server system.

Figure 1 Architecture of the IEEE 802.1X authentication system (diagram not reproduced): the supplicant, with its supplicant PAE, connects over the LAN/WLAN to the authenticator system; the authenticator system PAE exposes an uncontrolled port for EAPOL and a controlled port (shown in the unauthorized state) for the services the authenticator system provides, and communicates with the authentication server in the authentication server system.

The supplicant is an entity located at one end of a point-to-point LAN segment. It is authenticated by the authenticator system connected to the other end of the segment. Generally it is a user terminal device; the user initiates 802.1X authentication by starting the supplicant software. The supplicant must support the EAPOL protocol.

The authenticator system is an entity located at one end of a point-to-point LAN segment. It authenticates the entity connected to the other end of the segment. Generally the authenticator system is a network device supporting the 802.1X protocol. It provides a port through which the supplicant accesses the LAN. The port can be a physical port (e.g., an Ethernet interface of an Ethernet switch or the access channel of an AP) or a logical port (e.g., the MAC address of the user or a VLAN ID).

The authentication server system is an entity providing authentication service to the authenticator system. It implements authentication, authorization and accounting of the user. This White Paper takes a RADIUS server as the example of the authentication server system.

2.1.1 Port PAE


The port access entity (PAE) is the entity that executes the 802.1X algorithms and protocol operation on a given device port. The authenticator system PAE authenticates, via the authentication server system, the supplicant that wants to access the LAN, and sets the controlled port to the authorized or unauthorized state according to the authentication result.

The supplicant PAE responds to the authentication requests of the authenticator system and submits the user's authentication information to it. It can also actively send an authentication request (EAPOL-Start) and a disconnect request (EAPOL-Logoff) to the authenticator system.

2.1.2 Controlled Port


The authenticator system provides a port through which the supplicant accesses the LAN. The port is divided into two virtual ports: the controlled port and the uncontrolled port. The uncontrolled port is always in the bi-directionally connected state and is used to carry the EAP authentication packets. The controlled port is in the connected state, and can carry service packets, only when authorized; when unauthorized it is in the disconnected state and carries no packets at all. The controlled port and the uncontrolled port are two parts of the same physical port: any frame arriving at the port is visible to both, as shown in Figure 2.

Figure 2 Uncontrolled port and controlled port (diagram not reproduced): inside the authenticator system the same LAN/WLAN attachment (MAC operable/inoperable) feeds both the uncontrolled port and the controlled port, the latter gated by the authorized/unauthorized state.

2.1.3 Controlled Direction


In the unauthorized status, the controlled port can be set to the unidirectional controlled mode or bi-directionally controlled mode. When the bi-directionally controlled mode is adopted, frames are prohibited from being sent and received; when the unidirectional controlled mode is adopted, frames are prohibited from being received from the supplicant but are allowed to be sent to the supplicant. By default, the controlled port is in the bi-directionally controlled mode.


2.2 Operating Mechanism


The IEEE 802.1X authentication system uses EAP to exchange authentication information between the supplicant and the authentication server system. Between the supplicant PAE and the authenticator system PAE, EAP packets are carried directly over the LAN in EAPOL (EAP over LAN) encapsulation. Between the authenticator system PAE and the RADIUS server, the EAP packets can be carried inside the RADIUS protocol (EAP over RADIUS, called EAPOR in this paper). Alternatively, EAP can be terminated at the authenticator system PAE, which then exchanges RADIUS packets carrying PAP or CHAP attributes with the RADIUS server (see RFC 1994 for CHAP).

The authenticator system PAE and the authentication function are thus separate from each other. The RADIUS server can use different mechanisms to authenticate the supplicant PAE, including MD5-Challenge, TLS, PAP, smart cards, Kerberos, public-key encryption and one-time passwords. On a wired LAN with non-shared (switched, point-to-point) segments, MD5-Challenge is generally used; on wired LANs with shared segments and on WLANs, mutual (bi-directional) authentication is generally used, because MD5-Challenge authenticates only the user to the network, not the network to the user, and derives no keying material for protecting the link afterwards. The authenticator system PAE sets the controlled port to authorized or unauthorized according to the indication (Accept or Reject) of the RADIUS server.

Figure 3 Operating mechanism of the IEEE 802.1X authentication system (diagram not reproduced): Supplicant PAE, EAPOL, Authenticator system PAE, EAP/PAP/CHAP exchanged over the RADIUS protocol, Authentication server.

2.3 Authentication Procedure


Take the relay forwarding of EAP packets by the authenticator system PAE as an example. The basic service procedure of the IEEE 802.1X authentication system is shown in Figure 4.

Figure 4 Service procedure of the IEEE 802.1X authentication system in the EAP mode

Supplicant PAE --EAPOL-- Authenticator system PAE --EAPOR-- RADIUS server

1. Supplicant -> Authenticator: EAPOL-Start
2. Authenticator -> Supplicant: EAP-Request/Identity
3. Supplicant -> Authenticator: EAP-Response/Identity; Authenticator -> Server: RADIUS Access-Request (EAP-Response/Identity)
4. Server -> Authenticator: RADIUS Access-Challenge (EAP-Request/MD5-Challenge); Authenticator -> Supplicant: EAP-Request/MD5-Challenge
5. Supplicant -> Authenticator: EAP-Response/MD5-Challenge; Authenticator -> Server: RADIUS Access-Request (EAP-Response/MD5-Challenge)
6. Server -> Authenticator: RADIUS Access-Accept (EAP-Success); Authenticator -> Supplicant: EAP-Success; port authorized
7. On each expiry of the handshake timer: Authenticator -> Supplicant handshake request [EAP-Request/Identity]; Supplicant -> Authenticator handshake response [EAP-Response/Identity] ...
8. Supplicant -> Authenticator: EAPOL-Logoff; port unauthorized
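The exchange of Figure 4 at the EAP layer, as an added example that is not part of the white paper or of Huawei's implementation. It encodes EAP packets per RFC 3748, computes the MD5-Challenge response as MD5(Identifier || password || challenge) (the same computation as CHAP, RFC 1994), and lets a supplicant object and a server object play the two ends while the authenticator merely relays the packets. EAPOL and RADIUS framing are left out; the identity and password are constructed test data. The example also makes visible why the paper reserves MD5-Challenge for non-shared segments: the server proves nothing to the supplicant, and no key material for the link comes out of the exchange.

```python
import hashlib
import hmac
import os
import struct

# EAP Code values (RFC 3748, section 4) and the two Type values this exchange uses
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def build_eap(code, identifier, type_=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type_or_None, type_data)."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    if length == 4:                           # Success/Failure carry no Type
        return code, identifier, None, b""
    return code, identifier, pkt[4], pkt[5:]


def md5_response(identifier, secret, challenge):
    """CHAP / EAP-MD5 response value: MD5(Identifier || secret || challenge), RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password     # constructed test data

    def handle(self, request):
        code, ident, type_, data = parse_eap(request)
        if code != EAP_REQUEST:
            raise ValueError("supplicant only answers EAP-Requests")
        if type_ == TYPE_IDENTITY:
            return build_eap(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity)
        if type_ == TYPE_MD5_CHALLENGE:
            # Type-Data of MD5-Challenge: Value-Size(1) Value Name
            challenge = data[1:1 + data[0]]
            value = md5_response(ident, self.password, challenge)
            return build_eap(EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE,
                             bytes([len(value)]) + value + self.identity)
        raise ValueError("unsupported EAP type %r" % type_)


class Server:
    """Authentication-server side of EAP-MD5 (the RADIUS server's role in relay mode)."""
    def __init__(self, users):
        self.users = users                    # identity -> password; constructed test data
        self.identity = self.challenge = None
        self.ident = 0

    def start(self):
        self.ident = 1
        return build_eap(EAP_REQUEST, self.ident, TYPE_IDENTITY)

    def handle(self, response):
        code, ident, type_, data = parse_eap(response)
        if code != EAP_RESPONSE or ident != self.ident:
            return build_eap(EAP_FAILURE, ident)
        if type_ == TYPE_IDENTITY:
            self.identity = data
            self.challenge = os.urandom(16)   # fresh per attempt, never reused
            self.ident += 1
            return build_eap(EAP_REQUEST, self.ident, TYPE_MD5_CHALLENGE,
                             bytes([16]) + self.challenge + b"server")
        if type_ == TYPE_MD5_CHALLENGE and self.challenge is not None:
            value = data[1:1 + data[0]]
            password = self.users.get(self.identity)
            ok = password is not None and hmac.compare_digest(
                value, md5_response(ident, password, self.challenge))
            return build_eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return build_eap(EAP_FAILURE, ident)


def run_exchange(supplicant, server):
    """Relay EAP packets between the two sides unchanged (the authenticator's job in
    relay mode) until EAP-Success or EAP-Failure. Returns (final code, transcript)."""
    transcript = []
    pkt = server.start()
    while True:
        code, _, type_, _ = parse_eap(pkt)
        transcript.append(("server->supplicant", code, type_))
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return code, transcript
        pkt = supplicant.handle(pkt)
        code, _, type_, _ = parse_eap(pkt)
        transcript.append(("supplicant->server", code, type_))
        pkt = server.handle(pkt)


if __name__ == "__main__":
    result, log = run_exchange(Supplicant(b"alice", b"s3cret"), Server({b"alice": b"s3cret"}))
    for direction, code, type_ in log:
        print(direction, "code", code, "type", type_)
    print("authorized" if result == EAP_SUCCESS else "rejected")
```

The transcript follows Figure 4 exactly (Identity request and response, MD5-Challenge request and response, Success); a wrong password or unknown identity ends in EAP-Failure, and the server compares digests in constant time.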

3 Characteristics of Huaweis 802.1X


According to the network operation environment and characteristics in China, Huawei has extended the service support and networking capabilities of 802.1X while remaining compliant with the standard.

3.1 Authentication Trigger


The authentication trigger mode is the type of packet that triggers the authenticator system to authenticate the user. The Huawei 802.1X system supports three trigger modes: standard EAP, DHCP and a proprietary Huawei mode. In addition, the authenticator system itself can initiate authentication periodically, which covers supplicants with a static IP address (see 3.1.4).

3.1.1 Standard EAP Trigger


IEEE 802.1X stipulates that authentication can be triggered by an EAPOL-Start packet from the supplicant. On Ethernet, the multicast address allocated to EAPOL packets is 01-80-C2-00-00-03 (the PAE group address). It can be used in two ways. In the first, only the initial EAPOL-Start uses this multicast address and all other EAPOL packets use unicast addresses: the supplicant and the authenticator system each take the source address of the peer's packet as the destination address for the packets they send to the peer. In the second, all packets use the multicast address allocated by the standard as their destination throughout the authentication process. In a wired LAN the first way is generally adopted, to avoid multicast flooding; in a WLAN the second is generally adopted. The Huawei supplicant supports both.
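As an added example that is not from the white paper or from Huawei's supplicant, the EAPOL framing on Ethernet and the two addressing conventions just described: in unicast mode only the first EAPOL-Start goes to the PAE group address and each side then replies to the peer's source MAC learned from that frame; in multicast mode every frame goes to the group address. The MAC addresses and the identity "alice" are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 01-80-C2-00-00-03
EAPOL_VERSION = 1                                    # IEEE 802.1X-2001
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2


def eapol_frame(dst, src, packet_type, body=b""):
    """Ethernet II frame carrying EAPOL:
    dst(6) src(6) EtherType(2) Version(1) Packet Type(1) Body Length(2) Body."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, packet_type, len(body))
    return dst + src + header + body


def parse_eapol(frame):
    """Return (dst, src, version, packet_type, body); reject anything that is not EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, packet_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    return dst, src, version, packet_type, frame[18:18 + length]


class PAE:
    """A supplicant or authenticator PAE on one LAN segment.
    addressing="unicast":   first frame to the group address, later frames to the
                            peer's source MAC (the wired-LAN case).
    addressing="multicast": every frame to the group address (the WLAN case)."""
    def __init__(self, mac, addressing):
        self.mac, self.addressing, self.peer_mac = mac, addressing, None

    def _destination(self):
        if self.addressing == "unicast" and self.peer_mac is not None:
            return self.peer_mac
        return PAE_GROUP_ADDRESS

    def receive(self, frame):
        dst, src, _, packet_type, body = parse_eapol(frame)
        if dst not in (self.mac, PAE_GROUP_ADDRESS):
            return None                       # addressed to another station
        self.peer_mac = src                   # learn where unicast replies go
        return packet_type, body

    def send(self, packet_type, body=b""):
        return eapol_frame(self._destination(), self.mac, packet_type, body)


def trigger_exchange(supplicant, authenticator):
    """EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity: the first three
    frames of Figure 4. Returns the destination MAC each frame was sent to."""
    start = supplicant.send(EAPOL_START)
    if authenticator.receive(start)[0] != EAPOL_START:
        raise ValueError("expected EAPOL-Start")
    # EAP-Request/Identity: Code 1, Identifier 1, Length 5, Type 1
    request = authenticator.send(EAPOL_EAP_PACKET, bytes([1, 1, 0, 5, 1]))
    if supplicant.receive(request)[0] != EAPOL_EAP_PACKET:
        raise ValueError("expected EAP packet")
    # EAP-Response/Identity: Code 2, Identifier 1, Length 10, Type 1, identity "alice"
    response = supplicant.send(EAPOL_EAP_PACKET, bytes([2, 1, 0, 10, 1]) + b"alice")
    authenticator.receive(response)
    return parse_eapol(start)[0], parse_eapol(request)[0], parse_eapol(response)[0]


if __name__ == "__main__":
    sup, auth = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    for mode in ("unicast", "multicast"):
        dsts = trigger_exchange(PAE(sup, mode), PAE(auth, mode))
        print(mode, [d.hex(":") for d in dsts])
```

In unicast mode the three frames go to the group address, then to the supplicant's MAC, then to the authenticator's MAC; in multicast mode all three go to 01:80:c2:00:00:03. A station whose MAC is neither the destination nor a member of the group ignores the frame.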

3.1.2 DHCP Trigger


A DHCP packet from the user is used as the condition that triggers the authenticator system to authenticate the user. The supplicant built into Windows XP is handled in exactly this way.

3.1.3 Proprietary Trigger of Huawei


The standard trigger mode is described above. Some communication devices, however, do not transparently forward the multicast packets it uses: 01-80-C2-00-00-03 lies in the reserved address range that IEEE 802.1D bridges do not forward, so a device of that kind between the user and the authenticator blocks the user's authentication request. Huawei's broadcast-triggered authentication mode, a patented technology, solves this problem by sending the trigger to the broadcast address, so that the user's request passes through such devices and reaches the authentication server to complete authentication. This lowers the requirements on the terminal user's access device, lets existing devices stay in a network that adopts the 802.1X authentication mechanism, eases network operation and management, and reduces the operator's overall cost.

3.1.4 Trigger by the Supplicants Static IP Address


IEEE 802.1X stipulates that the authenticator system should initiate authentication towards the supplicant every N seconds (30 seconds by default, the txPeriod timer), so that a Windows XP supplicant with a static IP address, which sends no DHCP packet, can still be authenticated. In Huawei's authenticator system this trigger mode is mutually exclusive with the DHCP trigger mode and is selected on the command line: if the DHCP trigger mode is enabled, the authenticator system does not initiate authentication every N seconds; otherwise it periodically initiates authentication towards the supplicant.

3.2 Authentication Mode


The Huawei 802.1X system supports several authentication modes: PAP, CHAP and EAP (EAP-MD5, EAP-TLS and PEAP, see 3.2.3). The default mode is CHAP. The Huawei supplicant adapts automatically to the mode configured on the authenticator system, so the process is transparent to end users: they need not configure anything, and the interface is friendly and easy to use.

3.2.1 PAP
PAP (Password Authentication Protocol) transmits the password in plain text. Since 802.1X does not define a PAP authentication mode, Huawei has extended the protocol (and submitted a national standard in this respect) by using an additional EAP Type value (0x07 for PAP) beyond those defined in RFC 2284. Because the password travels in clear, this mode is not secure against anyone who can observe the link, and the Type value is Huawei-specific rather than an interoperable assignment; the mode exists for compatibility with some traditional RADIUS servers.

3.2.2 CHAP
Unlike PAP, CHAP (Challenge Handshake Authentication Protocol) never sends the password itself: the supplicant returns the MD5 hash of the CHAP identifier, the password and a challenge. The CHAP authentication of Huawei's 802.1X system complies with RFC 1994. Note that an observer who captures the challenge and the response can still mount an offline dictionary attack on a weak password.

3.2.3 EAP
See RFC 2284 for EAP (Extensible Authentication Protocol). This is the EAP relay authentication mode: the challenge and the verification are performed by the server, which reduces the load on the authenticator system. EAP supports several authentication methods, such as MD5 hashing and TLS. The Huawei 802.1X system supports the EAP-MD5, EAP-TLS and PEAP methods. The following sections give the packet sequences of these three methods in the EAP relay forwarding mode (see Section 3.3.2).

3.2.3.1 EAP MD5


The authentication mechanism of the EAP MD5 mode is the same as that of the CHAP mode, as shown in Figure 4.

3.2.3.2 EAP TLS


EAP-TLS is used for certificate-based user authentication. It is a mutual authentication method: both the supplicant and the server are authenticated. During the EAP-TLS exchange the supplicant presents its user certificate and the server presents its server certificate. If either certificate is not sent or is invalid, the connection is terminated. See Figure 5.

Figure 5 Message sequence of EAP-TLS authentication

Supplicant PAE --EAPOL-- Authenticator system PAE --EAPOR-- RADIUS server

1. Supplicant -> Authenticator: EAPOL-Start
2. Authenticator -> Supplicant: EAP-Request/Identity
3. Supplicant -> Authenticator: EAP-Response/Identity; Authenticator -> Server: RADIUS Access-Request (EAP-Response/Identity)
4. Server -> Authenticator: RADIUS Access-Challenge (EAP-Request/EAP-TLS Start); Authenticator -> Supplicant: EAP-Request/EAP-TLS Start
5. Supplicant -> Authenticator: EAP-Response/EAP-TLS (TLS client_hello); Authenticator -> Server: RADIUS Access-Request (EAP-Response/EAP-TLS client_hello)
6. Server -> Authenticator: RADIUS Access-Challenge (EAP-Request/EAP-TLS: TLS server_hello, certificate, server_key_exchange, certificate_request, server_hello_done); Authenticator -> Supplicant: the same EAP-Request/EAP-TLS
7. Supplicant -> Authenticator: EAP-Response/EAP-TLS (TLS certificate, client_key_exchange, [certificate_verify], change_cipher_spec, finished); Authenticator -> Server: RADIUS Access-Request (the same EAP-Response/EAP-TLS)
8. Server -> Authenticator: RADIUS Access-Challenge (EAP-Request/EAP-TLS: TLS change_cipher_spec, finished); Authenticator -> Supplicant: the same EAP-Request/EAP-TLS
9. Supplicant -> Authenticator: EAP-Response/EAP-TLS (empty); Authenticator -> Server: RADIUS Access-Request (EAP-Response/EAP-TLS)
10. Server -> Authenticator: RADIUS Access-Accept (EAP-Success); Authenticator -> Supplicant: EAP-Success
......

3.2.3.3 PEAP
IEEE 802.1X uses EAP to authenticate a network supplicant before allowing it to access the network. EAP was originally designed for PPP connections. It allows any authentication method to be used for network access. The supplicant requesting access and the server that authenticates it must first negotiate the specific EAP authentication method (the EAP type). Once they agree on the EAP type, EAP allows the supplicant and the authentication server (generally a RADIUS server) to carry on an unrestricted dialog consisting of the server's requests for authentication information and the supplicant's responses. The length and detail of the dialog depend on the EAP type. EAP is designed so that authentication plug-in modules can be used on both the supplicant and the authentication server of a connection at the same time; a new EAP type is supported by installing its library file on both sides. One advantage of EAP authentication is that the access server (the authenticator) does not need to be upgraded to support a new EAP type.

Although EAP provides flexible authentication, the whole EAP session may be sent in plain text (unencrypted). A malicious user with access to the medium can inject packets into the session, or capture the EAP messages of a successful authentication for offline analysis. This is a particular problem for wireless connections, where the malicious user may be outside the enterprise premises. WEP (Wired Equivalent Privacy) is used to encrypt the radio frames.

PEAP is an EAP type designed to solve this problem. It first establishes a TLS channel that provides both encryption and integrity protection, and then negotiates a new EAP exchange of another EAP type inside that channel to authenticate the supplicant that attempts to access the network. Because the TLS channel protects the inner EAP negotiation and authentication, password-based authentication protocols that would otherwise be susceptible to offline dictionary attacks can be used for authentication over wireless links. See Figure 6. The EAP authentication is conducted during the IEEE 802.1X authentication and before

Figure 6 Message sequence of PEAP authentication

Supplicant PAE --EAPOL-- Authenticator system PAE --EAPOR-- RADIUS server

1. Supplicant -> Authenticator: EAPOL-Start
2. Authenticator -> Supplicant: EAP-Request/Identity
3. Supplicant -> Authenticator: EAP-Response/Identity; Authenticator -> Server: RADIUS Access-Request (EAP-Response/Identity)
4. Server -> Authenticator: RADIUS Access-Challenge (EAP-Request/PEAP Start); Authenticator -> Supplicant: EAP-Request/PEAP Start
5. ... TLS channel established (TLS handshake relayed in EAP-Request/EAP-Response PEAP packets) ...
6. Supplicant -> Authenticator: EAP-Response (empty); Authenticator -> Server: RADIUS Access-Request (EAP-Response (empty))
7. Server -> Authenticator: RADIUS Access-Challenge (EAP-Request/MD5-Challenge, inside the TLS channel); Authenticator -> Supplicant: EAP-Request/MD5-Challenge
8. Supplicant -> Authenticator: EAP-Response/MD5-Challenge (inside the TLS channel); Authenticator -> Server: RADIUS Access-Request (EAP-Response/MD5-Challenge)
9. Server -> Authenticator: RADIUS Access-Accept (EAP-Success); Authenticator -> Supplicant: EAP-Success
......

3.3 Authentication Server


The Huawei 802.1X system supports interconnection with a RADIUS server in EAP termination mode and in EAP relay mode. In addition, it provides a simple BAS (Broadband Access Server) function with a built-in authentication server.

3.3.1 EAP Termination Mode


This mode is an extension made in the 802.1X subsystem of Huawei's VRP platform. EAP is terminated in the LAN switch and mapped onto RADIUS packets, and the standard RADIUS protocol is used to complete authentication and accounting. The process is shown in Figure 7.

Figure 7 Authentication process of 802.1X EAP termination

Supplicant PAE --EAPOL-- Authenticator system PAE --RADIUS-- RADIUS server

1. Supplicant -> Authenticator: EAPOL-Start
2. Authenticator -> Supplicant: EAP-Request/Identity
3. Supplicant -> Authenticator: EAP-Response/Identity
4. Authenticator -> Supplicant: EAP-Request/MD5-Challenge
5. Supplicant -> Authenticator: EAP-Response/MD5-Challenge
6. Authenticator -> Server: RADIUS Access-Request (CHAP response to the MD5 challenge)
7. Server -> Authenticator: RADIUS Access-Accept (CHAP success)
8. Authenticator -> Supplicant: EAP-Success; port authorized
9. On each expiry of the handshake timer: handshake request [EAP-Request/Identity]; handshake response [EAP-Response/Identity] ...
10. Supplicant -> Authenticator: EAPOL-Logoff; port unauthorized

The advantage of this mode is that a standard RADIUS server without EAP support can be used, protecting the user's existing investment. It is used with the server in both PAP and CHAP: with CHAP the MD5 response from the supplicant is carried in the RADIUS CHAP-Password attribute, with PAP the password is carried in User-Password. The authenticator must generate the challenge itself in this mode, so the server cannot verify that the challenge was fresh.

3.3.2 EAP Relay Mode


This mode is the one stipulated in the IEEE 802.1X standard. EAP is carried in a higher-layer protocol, EAP over RADIUS, so that the EAP packets can cross a complex network and reach the authentication server; the authenticator only forwards them. The processing flow is shown in Figure 4. EAP relay mode requires the RADIUS server to support the EAP-Message (79) and Message-Authenticator (80) attributes (RFC 3579); examples are Huawei's CAMS and the free FreeRADIUS software. RFC 3579 requires Message-Authenticator on every RADIUS packet that carries EAP-Message, and the server should discard packets in which it is missing or does not verify, because the Request Authenticator alone does not protect an Access-Request.
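How the authenticator's Access-Request differs between the two modes of 3.3.1 and 3.3.2, as an added example that is not Huawei's code. In termination mode the switch puts the supplicant's MD5 response into CHAP-Password, with the challenge it issued in CHAP-Challenge; in relay mode it forwards the EAP packet unchanged inside EAP-Message attributes and adds Message-Authenticator (HMAC-MD5 with the shared secret, RFC 3579). Both server-side checks are included. The shared secret, user name, challenge and EAP packet are constructed values; Request Authenticators are random, as RFC 2865 requires.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value (at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long; split it across attributes")
    return bytes([attr_type, 2 + len(value)]) + value


def radius_packet(code, identifier, authenticator, attrs):
    """RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet):
    """Yield (type, value) for each attribute; EAP-Message fragments come out in order."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + length]
        pos += length


def chap_response(ident, password, challenge):
    """MD5(CHAP Ident || password || challenge), RFC 1994; identical to the EAP-MD5 value."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def access_request_termination(identifier, user_name, chap_ident, challenge, response):
    """EAP termination mode (3.3.1): the switch forwards the 16-byte MD5 response as
    CHAP-Password (CHAP Ident + response) and its own challenge as CHAP-Challenge
    (RFC 2865, sections 5.3 and 5.40)."""
    attrs = (attr(ATTR_USER_NAME, user_name)
             + attr(ATTR_CHAP_CHALLENGE, challenge)
             + attr(ATTR_CHAP_PASSWORD, bytes([chap_ident]) + response))
    return radius_packet(ACCESS_REQUEST, identifier, os.urandom(16), attrs)


def access_request_relay(identifier, user_name, eap_packet, secret):
    """EAP relay mode (3.3.2): the EAP packet travels unchanged in EAP-Message attributes
    (253-byte fragments) and Message-Authenticator = HMAC-MD5(secret, packet with the
    attribute's 16 value bytes zeroed) (RFC 3579, section 3.2)."""
    attrs = attr(ATTR_USER_NAME, user_name)
    for i in range(0, len(eap_packet), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = radius_packet(ACCESS_REQUEST, identifier, os.urandom(16), attrs)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac            # the zeroed value is the last 16 bytes


def reassemble_eap(packet):
    """Server side: concatenate EAP-Message fragments back into the EAP packet."""
    return b"".join(v for t, v in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the value zeroed and compare in constant time.
    A request carrying EAP-Message without Message-Authenticator is rejected."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += length
    return False


def verify_chap(packet, password):
    """Server side for termination mode. Without CHAP-Challenge, the Request
    Authenticator is used as the challenge (RFC 2865, section 5.3)."""
    attrs = dict(parse_attrs(packet))
    chap = attrs[ATTR_CHAP_PASSWORD]
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, packet[4:20])
    return hmac.compare_digest(chap[1:], chap_response(chap[0], password, challenge))
```

In termination mode the server needs the user's password in recoverable form to verify CHAP-Password; in relay mode the server sees the whole EAP conversation and the authenticator never does, which is what lets EAP-TLS and PEAP work through an unmodified switch.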


3.3.3 Built-in Authentication Server


User accounts and passwords can be configured on the authenticator system so that it answers user authentication directly, without a CAMS or RADIUS server. Huawei switches support this built-in authentication server, which reduces the construction and management costs of small networks. To limit the load on the authenticator system, the built-in server supports authentication only, not accounting. For the user capacity of the various product series, refer to the specifications of the corresponding products.

3.4 Security Management and Service Control


The 802.1X system of Huawei provides multiple value-added solutions for security management and service control.

3.4.1 MAC-based User Feature Identification


IEEE 802.1X is a port-based access control protocol whose basic requirement is to control the port through which the user accesses the network. This is adequate for wireless access points, where each user occupies one channel. In environments such as telecom access and hotels, however, per-port granularity can hardly meet the requirement, and logical port control based on the MAC address becomes necessary. The 802.1X feature of Huawei's VRP platform provides not only port-based user access control but also access control based on the user's MAC address. Control is then per user, and networking is very flexible. The MAC-based control mode applies by default.

3.4.2 User Feature Binding


The server authenticates the user account (user name + password) in both port-based and MAC-based authentication. Once the account is disclosed, the user faces serious security risks. 802.1X on the VRP platform can work with a RADIUS server such as CAMS (Comprehensive Access Management System), or with the built-in authentication server of the authenticator system, to bind the user account to several user features, so that a stolen account cannot be used from elsewhere. The binding can be any combination of the user account with VLAN ID, MAC address, port or IP address, for example:

1. user account + VLAN ID;
2. user account + VLAN ID + port;
3. user account + VLAN ID + port + MAC;
4. user account + VLAN ID + port + MAC + IP.

3.4.3 Supplicant Version Detection


The supplicant version detection feature of the 802.1X system of Huawei's VRP platform works together with the Huawei supplicant: when an authentication packet is received, the authenticator system first identifies the type and version of the 802.1X supplicant and rejects the authentication of illegal supplicants and of outdated versions. See Figure 8.

Figure 8 Message sequence of version detection

After the user initiates the authentication request via the 802.1X supplicant, the LAN switch first sends a version request packet to the supplicant. The supplicant answers with a response packet carrying its current version information. Having obtained the version from that response, the LAN switch proceeds with the normal 802.1X authentication. When it finally sends the RADIUS authentication request to the CAMS, it places the version information, together with the Identity and the MD5 password, into the hw-User-Notify extended attribute (vendor-specific attribute 26, sub-attribute 61) of the RADIUS request. The CAMS performs the final version check.

For a Huawei 802.1X supplicant of a recent version, the supplicant answers the authenticator system's version request with a response carrying its version information, the switch forwards it to the CAMS for the validity check, and the message flow of Figure 8 does not affect user authentication. An 802.1X supplicant from another vendor does not answer the version request, so the authenticator system waits for the version response until it times out (the timeout depends on the configured maximum number of version requests and the configured interval between them) and then jumps directly to the EAP-Request/Identity state. This process takes effect only once the supplicant version request command has been configured on the switch; otherwise the ordinary 802.1X authentication process applies.

3.4.4 Transparent Transmission of Messages


The 802.1X feature of Huawei's VRP platform implements transparent message transmission. Together with the Huawei supplicant and Huawei's CAMS authentication server, it delivers messages such as account balance notifications: immediately after logging in via the Huawei supplicant, the user receives from the authentication server a balance notification reminding him to recharge in time. The administrator can also use the CAMS to send specific messages to online users. For example, if a user's account is frequently stolen, the administrator can set a notification for that user which is delivered through the 802.1X supplicant once the user passes authentication, prompting the user to protect his account.

3.4.5 Dynamic User Binding


The switch can bind the user's IP address and MAC address dynamically, so that the user cannot change the IP address after getting online, which prevents the account from being used from another address.

Specifically, with a static IP address, after the user passes authentication the switch sets the port to deny all IP packets, then installs a permit ACL that allows only the user's IP packets matching IP + MAC + port + VLAN. With a dynamic IP address, after the user passes authentication the switch sets the port to deny all IP packets and enables DHCP snooping to watch for the DHCP ACK; once the DHCP ACK is received it installs the permit ACL allowing only the user's IP packets matching IP + MAC + port + VLAN.
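The dynamic binding just described, as an added example that is not Huawei's implementation: a per-user port filter that denies all IP traffic after authentication, snoops DHCP replies for the ACK addressed to the user's MAC, and from then on permits only the IP + MAC + port + VLAN tuple; the static-IP path installs the permit directly. The DHCP ACK is built by the example itself, and the MAC, IP, port and VLAN values are constructed.

```python
import struct
from dataclasses import dataclass

BOOTREPLY = 2
DHCP_ACK = 5
DHCP_MAGIC = b"\x63\x82\x53\x63"


def parse_dhcp(payload):
    """Return (op, message_type, yiaddr, chaddr) from a BOOTP/DHCP payload (RFC 2131)."""
    op, hlen = payload[0], payload[2]
    yiaddr = payload[16:20]                        # "your" (client) IP address
    chaddr = payload[28:28 + hlen]                 # client hardware address
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    message_type, pos = None, 240
    while pos < len(payload):
        code = payload[pos]
        if code == 255:                            # End option
            break
        if code == 0:                              # Pad option
            pos += 1
            continue
        length = payload[pos + 1]
        if code == 53 and length == 1:             # DHCP Message Type
            message_type = payload[pos + 2]
        pos += 2 + length
    return op, message_type, yiaddr, chaddr


@dataclass(frozen=True)
class Binding:
    ip: bytes
    mac: bytes
    port: int
    vlan: int


class UserPortFilter:
    """After authentication: deny all IP traffic until one IP+MAC+port+VLAN permit exists."""
    def __init__(self, port, vlan, mac):
        self.port, self.vlan, self.mac = port, vlan, mac
        self.binding = None

    def bind_static(self, ip):
        """Static-IP case: the permit is installed directly after authentication."""
        self.binding = Binding(ip, self.mac, self.port, self.vlan)
        return self.binding

    def snoop(self, dhcp_payload):
        """Dynamic-IP case: watch DHCP replies from the server side; an ACK for our MAC
        installs the permit. ACKs for other clients are ignored."""
        op, message_type, yiaddr, chaddr = parse_dhcp(dhcp_payload)
        if op == BOOTREPLY and message_type == DHCP_ACK and chaddr == self.mac:
            self.binding = Binding(yiaddr, chaddr, self.port, self.vlan)
        return self.binding

    def allow(self, src_mac, src_ip, port, vlan):
        """The permit ACL: only the bound tuple passes; a changed IP or MAC is dropped."""
        return self.binding is not None and self.binding == Binding(src_ip, src_mac, port, vlan)


def build_dhcp_ack(client_mac, yiaddr, xid=0x12345678):
    """Construct a minimal DHCP ACK for this example (not captured traffic)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", BOOTREPLY, 1, 6, 0, xid, 0, 0,
                        bytes(4), yiaddr, bytes(4), bytes(4))          # 28 bytes
    chaddr = client_mac + bytes(16 - len(client_mac))
    return fixed + chaddr + bytes(64 + 128) + DHCP_MAGIC + bytes([53, 1, DHCP_ACK, 255])


if __name__ == "__main__":
    mac, ip = bytes.fromhex("001122334455"), bytes([10, 0, 0, 23])
    port_filter = UserPortFilter(port=3, vlan=100, mac=mac)
    print("before ACK:", port_filter.allow(mac, ip, 3, 100))
    print("binding:", port_filter.snoop(build_dhcp_ack(mac, ip)))
    print("bound tuple:", port_filter.allow(mac, ip, 3, 100))
    print("changed IP:", port_filter.allow(mac, bytes([10, 0, 0, 24]), 3, 100))
```

Until the ACK arrives nothing passes, which is why the page notes elsewhere that a user who must renew a lease has to obtain the new address before traffic flows again; an ACK for a different MAC leaves the port closed.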

3.4.6 Guest VLAN


The basic function of Guest VLAN is to let the user access the resources inside the Guest VLAN while the user is not authenticated (e.g., before the authentication succeeds, after the authentication fails, or when the user has no supplicant software). The typical application is a user without supplicant software: the user downloads the supplicant software from the network via the Guest VLAN (only the resources inside the Guest VLAN are reachable) and then gets authenticated so as to obtain normal network access. Specifically, after the dot1x function is enabled on the port and the Guest VLAN is configured, the authenticator system actively initiates the authentication. When the maximum number of re-authentication attempts is reached, the user port is added to the Guest VLAN, and the limited network access right is thus granted. Please note that:
1. The authenticator system supports only one Guest VLAN globally.
2. Since the authenticator system initiates the authentication, the dot1x dhcp-launch function must be disabled so that the authenticator system can initiate authentication packets.
3. When the user obtains the IP address dynamically, the authenticator system cannot have the 802.1X supplicant refresh the user's IP address via packet exchange. The user needs to refresh the IP address manually.

3.4.7 Re-authentication
The re-authentication function specified in "IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control" is implemented. When periodic re-authentication is enabled, the authenticator system initiates re-authentication periodically.


If the RADIUS server sends the Termination-Action attribute (Type = 29, present only in the Access-Accept message), the NAS takes different actions according to the attribute value (0 or 1). If the value is 0, the user is forced to disconnect. If the value is 1, the Session-Timeout value in the Access-Accept message (Type = 27; a 4-byte 32-bit unsigned integer specifying the maximum time in seconds for which the connection between the supplicant and the authenticator system is held) is used as the re-authentication timer interval. If the RADIUS server does not send the Termination-Action attribute but global 802.1X authentication, port 802.1X and the re-authentication feature are all enabled, the authenticator system uses the default period (3600 seconds) as the re-authentication period; if the user has configured a period, that configured value is used instead. If the RADIUS server does not send the Termination-Action attribute and the re-authentication feature is not enabled, the authenticator system does not perform 802.1X re-authentication.
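The decision logic above, as an added Python example that is not Huawei's code: it parses the attribute section of an Access-Accept into Type/Length/Value triples and returns the re-authentication action. The attribute numbers (27, 29) and the 3600-second default come from the text; the handling of a missing Session-Timeout or an unexpected Termination-Action value is an assumption of this example.

```python
import struct

# Constructed model of the re-authentication decision in section 3.4.7;
# an added illustration, not Huawei's VRP code.
SESSION_TIMEOUT = 27        # 4-byte unsigned integer, seconds
TERMINATION_ACTION = 29     # 0 = force disconnect, 1 = re-authenticate (as the paper describes)
DEFAULT_REAUTH_PERIOD = 3600


def parse_radius_attributes(data: bytes) -> dict:
    """Parse the attribute section of a RADIUS packet (Type, Length, Value triples)."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):       # Length covers Type and Length bytes
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def reauth_decision(access_accept_attrs: bytes, reauth_enabled: bool,
                    configured_period=None):
    """Return ('disconnect', None), ('reauth', seconds) or ('none', None).

    reauth_enabled stands for global 802.1X + port 802.1X + re-authentication
    all being enabled; configured_period is the user-configured period, if any.
    """
    attrs = parse_radius_attributes(access_accept_attrs)
    if TERMINATION_ACTION in attrs:
        (action,) = struct.unpack("!I", attrs[TERMINATION_ACTION])
        if action == 0:
            return ("disconnect", None)
        if action == 1:
            if SESSION_TIMEOUT not in attrs:      # assumption: treat as a server error
                raise ValueError("Termination-Action=1 without Session-Timeout")
            (timeout,) = struct.unpack("!I", attrs[SESSION_TIMEOUT])
            return ("reauth", timeout)
        raise ValueError(f"unexpected Termination-Action value {action}")  # assumption
    if reauth_enabled:
        period = DEFAULT_REAUTH_PERIOD if configured_period is None else configured_period
        return ("reauth", period)
    return ("none", None)


def attr(atype: int, value: int) -> bytes:
    """Encode one 4-byte integer RADIUS attribute (constructed helper for samples)."""
    return struct.pack("!BBI", atype, 6, value)
```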

3.4.8 Proxy Detection


In broadband networks, and especially in campus networks, it is quite common for users to share one account for Internet access via a proxy. This is a serious concern for operators. Accessing the Internet via a proxy to hide one's true identity causes two problems: one is publishing reactionary speech via the proxy, and the other is evading the obligation to pay the Internet access fee.

3.4.8.1 Typical Applications of Proxy


The typical applications of a proxy are shown in Figure 9. The user may set up a proxy via dual network cards, NAT, or single/dual network cards plus proxy software (e.g., Wingate).


[Figure 9 Internet access via Proxy: a PC connected through a HUB to a LAN switch, labelled "Normal access of the host to the Internet"; the callouts read "The Internet access via PROXY saves a great deal of money!" and "You are not allowed to do this!"]

The correlation between the proxy detection function and Huawei's equipment is shown in the following table:

Functional item                 Require CAMS
Detect if proxy is set in IE    Yes
Detect the other proxy modes    No

Description: The detection of all proxy modes needs the coordination between Huawei's supplicant and Huawei's authenticator system. The CAMS is needed only for the detection of the IE proxy setting.

3.4.8.2 Handling of the Proxy Detection Result


The authenticator system handles the result differently depending on the detection outcome. There are two types of detection results: Internet access via a proxy and normal Internet access. If the result is normal Internet access, the authenticator system proceeds with the handshake with the supplicant. If the result is Internet access via a proxy, then, according to the authenticator system configuration, a Trap is sent to the NMS or a Logoff message is sent to force the user to disconnect; the two methods can also be used at the same time. In addition, if the return value in the response packet is anything other than the value the authenticator system expects, the switch rejects the handshake packet, and the handshake timer of the authenticator system then forces the user to disconnect. In this way the supplicant-side proxy detection is implemented. Huawei's supplicant coordinates with the authenticator system to implement proxy detection and thus improves the network operability.


3.4.9 IP Address Management


In an IP network, the IP address is not only the reference by which a user accesses the network but also an object of management and security control. The IP address management mechanism of Huawei's 802.1X system covers the acquisition and release of IP addresses, whether the address is uploaded as a user attribute, and consistency management.

3.4.9.1 IP Address Acquisition


Huawei's supplicant supports the dynamic acquisition of IP addresses during the user authentication process. The supplicant completes the IP address acquisition automatically without the user's intervention. If the network uses static IP address allocation, it is only necessary to uncheck the relevant option in the supplicant.

3.4.9.2 IP Address Release


Microsoft's Windows XP OS provides supplicant software based on the IEEE 802.1X-2001 protocol for user access based on the same protocol. The supplicant software is applicable to both wireline and wireless (WLAN) environments. However, it cannot automatically release the user's IP address when the user goes offline. The IP address remains occupied after the user is offline, which wastes IP addresses. At a time when IP addresses are increasingly scarce, this problem is disadvantageous to both the operator and the user: on one hand, the IP addresses held by the operator cannot be fully utilized; on the other hand, some users cannot receive services because they are not allocated an IP address or because their IP addresses conflict. To solve this problem, Huawei has added an IP address release mechanism to the 802.1X supplicant software it independently developed, so that IP addresses are released promptly after users go offline. This saves IP addresses in the wireline broadband network and solves the problem of rapid exhaustion of IP addresses. The implementation of this mechanism is simple, reliable and highly efficient.

3.4.9.3 IP Address Upload


IP address upload refers to uploading the user's IP address to the RADIUS server. It falls into two cases: static IP address upload and dynamic IP address upload. For static IP address allocation, the IP address can be sent as an attribute together with the user account to the server for authentication, thus implementing the authentication of user account + IP address. This attribute is carried in the subsequent accounting (start, update and end) packets, and the server log records the information for management queries. For dynamic IP address allocation, the IP address cannot be sent together with the user account to the server in the authentication packet, so the authentication of user account + IP address cannot be implemented: since 802.1X is an L2 authentication protocol, the user cannot obtain a valid IP address before the authentication succeeds. Huawei's 802.1X system can instead send the IP address information to the server in the subsequent accounting update packet and the accounting stop packet.

3.4.9.4 IP Address Consistency Check


To prevent IP address spoofing by users, the authenticator system checks the IP address consistency via the handshake packets after user authentication. The procedure is as follows:
1) For a user that obtains the IP address dynamically, the authenticator system records the user's IP address when the address is allocated to the user.
2) The supplicant then notifies the authenticator system of its current IP address in the handshake packet at each handshake.
3) If the user changes the IP address after the authentication succeeds (for example, from the dynamic IP address to a different static IP address), the authenticator system disconnects the user when it finds that the two IP addresses in the handshake process are inconsistent.
4) The static IP address consistency check is similar.

3.4.10 Port-based User Capacity Limit


The authenticator system has an overall maximum user capacity determined by its position in the network and its processing capability. 802.1X is a port-based control protocol, and Huawei's 802.1X system further refines the control granularity: the number of users that can access a specific port can be configured for better management and control.

3.4.11 Trunk Port Authentication


The 802.1X standard does not support Trunk port authentication, because the authentication control object specified in the standard is a port. In such a case of port multiplexing, as soon as a user in one VLAN passes the authentication, the users in all the other VLANs that multiplex this port are authorized accordingly. Therefore, Trunk port authentication cannot be supported by the standard alone. Through further definition of the control granularity and the relevant processing, Huawei's 802.1X can support Trunk port authentication (MAC-based mode). This extension does not compromise consistency with the standard, since the finer granularity is an added function rather than the removal of one. In addition, interconnection with devices of other vendors is not affected. This feature brings three advantages to the networking:
1. It is quite advantageous to the planning and utilization of VLAN resources.
2. It is advantageous to the centralization of the authenticator device layers.
3. The binding of user account + VLAN improves the user security while bringing higher manageability to the operator.
For example, medium- and large-sized networks are short of VLAN resources (at most 4K). Since the Trunk port supports authentication, VLAN termination and authentication can be completed by the device in the convergence layer (or core layer). Thus, by assigning a VLAN to a single user or a few users and binding them together, the security is improved for the user and users are prevented from roaming among the VLANs.

3.4.12 User Service Sending


Currently supported services include VLAN, CAR, Priority and others.

3.4.12.1 VLAN Service


During the user authentication process, VLANs can be re-assigned to users and sent to the authenticator system in coordination with servers such as the CAMS. In the LAN switch there is a mapping between the VLAN and the routing virtual interface, so this feature can be used to plan the management policy for a certain type of user. For example, suppose VLAN 10 is allocated to the student group and VLAN 20 to the teacher group in a campus network. Manageability can be enhanced by specifying different access control policies for the route segments where the VLAN 10 and VLAN 20 virtual interfaces are located. In addition, since the VLAN resources are sent dynamically, users can roam in the campus network without affecting their access. Currently, VLAN sending supports both an integer VLAN ID and a character-string VLAN NAME.


Integer: The switch adds the port to the VLAN identified by the integer ID sent by the RADIUS authentication server. If the VLAN does not exist, the switch first creates it and then adds the port to the newly created VLAN.

String type: The switch compares the string sent by the RADIUS authentication server with the names of the existing VLANs on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, VLAN sending fails and the user cannot pass the authentication.

The VLAN sending mode must be configured manually in the domain view. Different sending modes suit different authentication servers, as shown in the following table:

Server              Integer          String
CAMS                Supported        Not supported
Windows 2000 IAS    Supported        Supported
ACS                 Not supported    Supported

3.4.12.2 CAR Service


The CAR service is a user traffic control service. It dynamically sets the uplink and downlink traffic parameters of the user based on the tariff. Besides coordination with servers such as the CAMS, this service also requires the authenticator system itself to support traffic control. The same applies to the user priority service.

3.4.13 Unique Handshake Mechanism


To monitor users' online states regularly, Huawei's 802.1X system extends and supports a handshake mechanism between the authenticator system and the supplicant. This mechanism effectively solves the problems of fraud and accounting duration accuracy in wireline network applications (most products of other vendors do not support periodic monitoring and duration-based accounting). The recommended system parameters are: handshake interval = 15 seconds; handshake times (N) = 3. If the system receives no response packet from the supplicant for N consecutive handshakes, it considers the user offline. This function needs support from both the authenticator system and the supplicant. The supplicant can be Huawei's supplicant or a standard supplicant of any other third party, e.g., the Windows XP supplicant; that is, Huawei's authenticator system can interoperate with standard supplicants.
Impact of the handshake mechanism on the authentication trigger modes:


The handshake interval is set to 15 seconds by default. If it is set to 30 seconds (or more), it becomes inconsistent with the default authwhile timer interval (30 s) of the XP supplicant. This disturbs the state machine on the switch and disconnects the user. In fact, triggering by the supplicant's static IP address also causes this problem. To avoid it, Huawei's authenticator system places the following restrictions on which packets may trigger authentication:
1. When no user is online, common reqid packets (including the multicast reqid = 1 packet that the switch sends every 30 s) can trigger authentication.
2. When no user is online and an eapstart packet (indicating that the authentication process has started) has been received, the reqid = 1 packet cannot trigger authentication.
3. When a user is online, the reqid packet induced by the eapstart packet can trigger authentication, but handshake packets cannot.
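The handshake monitor of this section and the IP address consistency check of 3.4.9.4 together, as an added Python model that is not Huawei's VRP code: a user is taken offline after N = 3 consecutive unanswered handshakes (15-second interval), or immediately when a handshake response reports an IP address different from the one recorded at authentication. The account name and IP addresses are constructed sample values.

```python
# Constructed model of the handshake mechanism (3.4.13) and the IP address
# consistency check (3.4.9.4); an added illustration, not Huawei's VRP code.
HANDSHAKE_INTERVAL = 15   # seconds, recommended value from the paper
HANDSHAKE_TIMES = 3       # N: consecutive unanswered handshakes before the user is offline


class OnlineUser:
    def __init__(self, account, bound_ip):
        self.account = account
        self.bound_ip = bound_ip      # IP recorded at authentication (static) or DHCP allocation
        self.missed = 0               # consecutive handshakes without a valid response
        self.online = True
        self.offline_reason = None


class HandshakeMonitor:
    def __init__(self, interval=HANDSHAKE_INTERVAL, times=HANDSHAKE_TIMES):
        self.interval = interval
        self.times = times
        self.users = {}
        self.events = []              # (time, account, event) log for the operator

    def user_online(self, account, bound_ip):
        self.users[account] = OnlineUser(account, bound_ip)

    def _disconnect(self, user, now, reason):
        user.online = False
        user.offline_reason = reason
        self.events.append((now, user.account, "logoff: " + reason))

    def handshake_response(self, account, reported_ip, now):
        """The supplicant answered a handshake and reported its current IP address."""
        user = self.users[account]
        if not user.online:
            return
        if reported_ip != user.bound_ip:
            # Address changed after authentication (e.g. dynamic -> different static).
            self._disconnect(user, now, f"IP inconsistent: {user.bound_ip} vs {reported_ip}")
            return
        user.missed = 0               # a valid response resets the miss counter

    def handshake_timeout(self, account, now):
        """No response arrived within one handshake interval."""
        user = self.users[account]
        if not user.online:
            return
        user.missed += 1
        if user.missed >= self.times:
            self._disconnect(user, now, f"no handshake response for {self.times} intervals")

    def is_online(self, account):
        return self.users[account].online


def simulate(responses):
    """Run one constructed user through per-interval results: an IP string for a
    response, None for a timeout. Returns (online, offline_reason, elapsed_seconds)."""
    mon = HandshakeMonitor()
    mon.user_online("user1", "10.1.1.20")
    now = 0
    for r in responses:
        now += mon.interval
        if r is None:
            mon.handshake_timeout("user1", now)
        else:
            mon.handshake_response("user1", r, now)
    u = mon.users["user1"]
    return u.online, u.offline_reason, now
```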

3.4.14 802.1X-based Controlled Multicast


IP multicast implements highly efficient point-to-multipoint data transmission in the IP network. Since it effectively saves network bandwidth and reduces network load, it is widely applied in many areas, such as real-time data transmission, multimedia conferencing, data replication, gaming and simulation. However, current multicast services have many operational problems in user management, service management and accounting. Based on the concept of multicast operability and manageability, and by combining it with 802.1X technology, Huawei launched the controlled multicast solution to better solve the problems of user management and accounting.

3.5 Complete Overall Solution


Huawei provides a complete 802.1X authentication solution for broadband networks that involves a full line of products: supplicants, authenticator systems and authentication servers. The supplicant can be Huawei's 802.1X supplicant, the supplicant provided with Windows XP, or the supplicant of any other third party. The authenticator system comprises the Quidway S high-, medium- and low-end series, MA5200/5300, etc., while the server includes iTellin, CAMS and others. The Quidway S series devices can terminate the EAP or transmit it transparently, depending on the networking requirement and the server's support for EAP.

4 Typical Networking
There are three typical 802.1X networking modes, chosen according to the network scale and the requirements for authentication, accounting and management: centralized authentication, peripheral distributed authentication, and authentication via the server built into the authenticator system.

4.1 Centralized Authentication


Generally, centralized authentication is applicable to large- and medium-sized networks. Since such networks have many network devices, centralized authentication is favorable for management and centralized control of the devices; however, the load on the authenticator system is heavy. See Figure 10. If the Trunk port authentication function is enabled to terminate the user VLANs on the authenticator system, then 4K VLAN resources can be used on a single authenticator system, greatly improving the utilization of VLAN resources and enhancing user security.
[Figure 10 Centralized authentication networking of 802.1X: an 802.1X authentication server (AAA) with DNS and DHCP servers; QuidwayS8512/S8016 and QuidwayS6506/6503/S5516 in the IP core; MA5300/5306 and QuidwayS3526/S3526E/FM/FS acting as 802.1X authenticator systems; QuidwayS2008B/S2016B switches and HUBs connecting the 802.1X clients.]


4.2 Peripheral Distributed Authentication


For networks with complex structures, the authentication operation can be distributed so that the authentication load is shared evenly by multiple authenticator systems. Of course, such distributed authentication also results in distributed network management. See Figure 11.

[Figure 11 Distributed authentication networking of 802.1X: an 802.1X authentication server (e.g. CAMS, AAA) with DNS and DHCP servers; Quidway S6506/S8016 and QuidwayS5516 in the core; QuidwayS3526/S3526E/FM/FS in the convergence layer; QuidwayS3026/S3026E/FM/FS switches acting as 802.1X authenticator systems for the 802.1X clients.]

For the network environment in which the access and the convergence are physically far from each other, the peripheral distributed authentication can reduce the transmission bandwidth seized by the authentication control streams.

4.3 Authentication via the Built-in Server


For some small networks, procuring dedicated authentication servers adds to the network cost. This problem can be solved by using authentication via the server built into the authenticator system. Of course, these modes can be combined at different layers and at different sites of the same network according to the specific conditions. In addition, the layer at which the authenticator system shown in the figure sits may change with the network scale. For example, the S6000 series may be in the convergence layer of a large network, while in a medium-/small-sized network the S6000 may be in the core layer and the S3500 series play that role in the convergence layer.


4.4 Service Application: VLAN Sending


The service environment of the user is shown in Figure 12.
1) After accessing the campus network, the user clicks the 802.1x dialer on the PC to send the data packet carrying the user name and password to the L2 switch S3026/2403H/2016/2008. The L2 switch transparently transmits the EAP packet to the L3 switch S6506/5516/3526, which either terminates the EAP and converts it into a standard RADIUS packet or forwards the EAP packet to the CAMS.
2) On one hand, after confirming that the user is legitimate, the CAMS sends the VLAN to the L3 switch (e.g., S3526) according to the account-VLAN correspondence preset in the CAMS. The S3526 then forwards the VLAN value to the L2 switch (e.g., S2403H), which receives it and sets the VLAN ID of the port connected to the user accordingly. On the other hand, after the user is authorized, the user can obtain an IP address via the DHCP server associated with the VLAN virtual interface.
3) Through the above process, the user obtains a corresponding IP address via the account. The account is the unique ID of a user, so the correspondence between the user and the IP address (or network segment) is established in this way. After the user obtains a legitimate IP address, all the upper-level devices (backbone switches, routers, etc.) can apply the corresponding policies and control the user's access rights, access path and route through the user's IP address (which corresponds indirectly to the account), thus implementing uniform management of all the users in the campus network.
[Figure 12 802.1X-based VLAN sending application: CAMS and iManager/Quidview at the top; "CAMS sends the VLAN information" flows down to the S6506/5516/S3526 L3 switches, then to the S2403, S3026 and S2008/2016 L2 switches; "User authentication information" flows up from the user.]


5 Conclusion and Prospect


Through the above examples and analysis, we can see that Huawei's 802.1X solution provides a complete product series, excellent service support capabilities and flexible networking solutions. With the fast development of MANs and campus networks and the rapid popularization of WLAN, the 802.1X solution, which features economical deployment and low device overhead, will serve more and more people.
