802.1X
Table of Contents

1 Overview
2 Basic Operating Mechanism of 802.1X
2.1 System Architecture
2.1.1 Port PAE
2.1.2 Controlled Port
2.1.3 Controlled Direction
2.2 Operating Mechanism
2.3 Authentication Procedure
3 Characteristics of Huawei's 802.1X
3.1 Authentication Trigger
3.1.1 Standard EAP Trigger
3.1.2 DHCP Trigger
3.1.3 Proprietary Trigger of Huawei
3.1.4 Trigger by the Supplicant's Static IP Address
3.2 Authentication Mode
3.2.1 PAP
3.2.2 CHAP
3.2.3 EAP
3.3 Authentication Server
3.3.1 EAP Termination Mode
3.3.2 EAP Relay Mode
3.3.3 Built-in Authentication Server
3.4 Security Management and Service Control
3.4.1 MAC-based User Feature Identification
3.4.2 User Feature Binding
3.4.3 Supplicant Version Detection
3.4.4 Transparent Transmission of Messages
3.4.5 Dynamic User Binding
3.4.6 Guest VLAN
3.4.7 Re-authentication
3.4.8 Proxy Detection
3.4.9 IP Address Management
3.4.10 Port-based User Capacity Limit
3.4.11 Trunk Port Authentication
3.4.12 User Service Sending
3.4.13 Unique Handshake Mechanism
3.4.14 802.1X-based Controlled Multicast
3.5 Complete Overall Solution
4 Typical Networking
4.1 Centralized Authentication
4.2 Peripheral Distributed Authentication
4.3 Authentication via the Built-in Server
4.4 Service Application: VLAN Sending
5 Conclusion and Prospect
Abstract

As a port-based security mechanism for user access control, 802.1X features low cost, good service continuity and expandability, and high security and flexibility. Since it formally became one of the IEEE 802 series standards in June 2001, it has quickly gained wide support and acknowledgement from equipment manufacturers including Huawei, from network operators and from end users. This White Paper introduces the basic concepts and technical principles of 802.1X as well as the characteristics and networking of Huawei's 802.1X solution.

Key Words: 802.1X, controlled port, RADIUS, supplicant, authenticator system
Abbreviations
802.1X: IEEE 802.1X standard
RADIUS: Remote Authentication Dial In User Service
PAP: Password Authentication Protocol
CHAP: Challenge Handshake Authentication Protocol
EAP: Extensible Authentication Protocol
MD5: Message-Digest Algorithm 5
PAE: Port Access Entity
CAR: Committed Access Rate
AP: Access Point
PEAP: Protected EAP
EAP-TLS: EAP-Transport Layer Security
1 Overview
The full name of 802.1X is Port-Based Network Access Control. As a port-based user access control mechanism, 802.1X features low cost, good service continuity and expandability, and high security and flexibility. Since it formally became one of the IEEE 802 series standards in June 2001, it has quickly gained wide support and acknowledgement from equipment manufacturers including Huawei, from network operators and from end users.

The LAN defined by the IEEE 802 standards does not provide access authentication: generally, a user can reach the devices and resources in the network as soon as he is connected to the LAN. In application scenarios such as telecom access, office buildings, campus LANs and mobile offices, however, network administrators need to control and configure the access of user devices, and so the requirement for port-based or user-based network access control emerges.

At present, 802.1X is widely applied in broadband MANs and campus networks. In current broadband network construction the competition is fierce and the basic services are similar, so the 802.1X technology and its extended service features often become the deciding point. The 802.1X service of Huawei's VRP platform is compatible with the standard; in addition, multiple extensions have been made to it as required.
2 Basic Operating Mechanism of 802.1X

2.1 System Architecture

Figure (not reproduced): the 802.1X system architecture. The supplicant (supplicant PAE) is attached over the LAN/WLAN to the authenticator system; the services provided by the authenticator system are reached through its controlled port, shown in the figure in the unauthorized state.
The supplicant is an entity at one end of a point-to-point LAN segment that is authenticated by the authenticator system connected to the other end of the segment. It is generally a user terminal device. The user initiates 802.1X authentication by starting the supplicant software, which must support the EAPOL protocol.

The authenticator system is the entity at the other end of the point-to-point LAN segment; it authenticates the entity connected to the segment. It is generally a network device supporting the 802.1X protocol, and it provides the port through which the supplicant accesses the LAN. The port can be a physical port (e.g., an Ethernet interface of an Ethernet switch or the access channel of an AP) or a logical port (e.g., the MAC address of the user or a VLAN ID).

The authentication server system is the entity that provides the authentication service to the authenticator system; it performs authentication, authorization and accounting for the user. This White Paper takes a RADIUS server as the example of an authentication server system.
The supplicant PAE responds to authentication requests from the authenticator system and submits the user's authentication information to it. It can also actively send an authentication request (EAPOL-Start) and a disconnect request (EAPOL-Logoff) to the authenticator system.
Figure (not reproduced): the controlled port of the authenticator system is in either the authorized or the unauthorized state.

Figure (not reproduced): the supplicant PAE exchanges EAPOL frames with the authenticator system, which carries the EAP packets to the RADIUS server over RADIUS (EAPOR, EAP over RADIUS).
Figure 4 Service procedure of the IEEE 802.1X authentication system in the EAP mode (message sequence recovered from the figure):

1. Supplicant PAE to authenticator: EAPOL-Start
2. Authenticator to supplicant: EAP-Request/Identity
3. Supplicant to authenticator: EAP-Response/Identity; authenticator to RADIUS server: RADIUS Access-Request (EAP-Response/Identity)
4. RADIUS server to authenticator: RADIUS Access-Challenge (EAP-Request/MD5-Challenge); authenticator to supplicant: EAP-Request/MD5-Challenge
5. Supplicant to authenticator: EAP-Response/MD5-Challenge; authenticator to RADIUS server: RADIUS Access-Request (EAP-Response/MD5-Challenge)
6. RADIUS server to authenticator: RADIUS Access-Accept (EAP-Success); authenticator to supplicant: EAP-Success; port authorized
7. On every expiry of the handshake timer: handshake request packet [EAP-Request/Identity], handshake response packet [EAP-Response/Identity], repeated ...
8. Supplicant to authenticator: EAPOL-Logoff; port unauthorized
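The exchange of Figure 4, as an added Python example that is not part of the white paper and not Huawei's code. The supplicant, a relaying authenticator and a RADIUS-like server are modelled as three classes; RADIUS itself is reduced to an (Access code, EAP-Message) pair because the relay copies the EAP packet into that attribute unchanged. The MD5 response computed here, MD5(Identifier || secret || challenge), is the one shared by EAP-MD5 and by CHAP (RFC 1994, Section 3.2.2). Supplicant, RadiusServer, Authenticator, authenticate, offline_guess and the constructed user database are this example's own names and data. The transcript shows that the authenticator only copies packets and never sees the password; the last function shows the caveat that follows, namely that one captured exchange is enough to test password guesses offline.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and types (RFC 3748): Identity is type 1, MD5-Challenge is type 4
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4


def eap_encode(code, ident, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    if length == 4:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def md5_response(ident, secret, challenge):
    """The CHAP / EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Supplicant:
    """Supplicant PAE: answers Identity and MD5-Challenge requests (constructed identity/password)."""

    def __init__(self, identity, password):
        self.identity, self.password = identity.encode(), password.encode()

    def handle(self, request):
        code, ident, typ, data = eap_decode(request)
        if typ == TYPE_IDENTITY:
            return eap_encode(RESPONSE, ident, TYPE_IDENTITY, self.identity)
        if typ == TYPE_MD5:
            size = data[0]                      # Type-Data is Value-Size, Value, Name
            digest = md5_response(ident, self.password, data[1:1 + size])
            return eap_encode(RESPONSE, ident, TYPE_MD5, bytes([16]) + digest + self.identity)
        raise ValueError("unsupported EAP type %r" % typ)


class RadiusServer:
    """Authentication server: owns the user database, issues the challenge and checks the digest."""

    def __init__(self, users):
        self.users = {k.encode(): v.encode() for k, v in users.items()}   # EAP-MD5 needs cleartext
        self.challenges = {}                                              # identity -> challenge

    def access_request(self, eap_message):
        """Handle one EAP-Message attribute; return (RADIUS code, EAP packet for the supplicant)."""
        code, ident, typ, data = eap_decode(eap_message)
        if typ == TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.challenges[data] = challenge       # challenge unknown users too: no account leak
            nxt = (ident + 1) & 0xFF
            req = eap_encode(REQUEST, nxt, TYPE_MD5, bytes([16]) + challenge + b"radius")
            return "Access-Challenge", req
        if typ == TYPE_MD5:
            size, identity = data[0], data[1 + data[0]:]
            secret = self.users.get(identity)
            challenge = self.challenges.pop(identity, None)
            if secret is not None and challenge is not None and hmac.compare_digest(
                    data[1:1 + size], md5_response(ident, secret, challenge)):
                return "Access-Accept", eap_encode(SUCCESS, ident)
        return "Access-Reject", eap_encode(FAILURE, ident)


class Authenticator:
    """Authenticator PAE in EAP relay mode: copies EAP between EAPOL and RADIUS without reading it."""

    def __init__(self, supplicant, server):
        self.supplicant, self.server = supplicant, server
        self.port_authorized = False
        self.transcript = []                        # every packet the switch forwarded

    def run(self):
        pkt = eap_encode(REQUEST, 0, TYPE_IDENTITY)  # sent in reply to EAPOL-Start
        while True:
            resp = self.supplicant.handle(pkt)
            self.transcript.append(("EAPOL", resp))
            radius_code, eap = self.server.access_request(resp)
            self.transcript.append((radius_code, eap))
            code = eap_decode(eap)[0]
            if code in (SUCCESS, FAILURE):
                self.port_authorized = code == SUCCESS   # controlled port state
                return self.port_authorized
            pkt = eap                                    # relay the server's challenge as-is


def authenticate(identity, password, user_db):
    auth = Authenticator(Supplicant(identity, password), RadiusServer(user_db))
    return auth.run(), auth.transcript


def offline_guess(md5_request, md5_response_pkt, wordlist):
    """Caveat: whoever captured one challenge/response pair can test guesses offline, unthrottled."""
    _, ident, _, req = eap_decode(md5_request)
    _, _, _, resp = eap_decode(md5_response_pkt)
    challenge, digest = req[1:1 + req[0]], resp[1:1 + resp[0]]
    for word in wordlist:
        if md5_response(ident, word.encode(), challenge) == digest:
            return word
    return None
```

Issuing a challenge even for an unknown identity and rejecting only at the MD5 step keeps the server from revealing which accounts exist, and compare_digest avoids a timing side channel on the 16-byte comparison; neither changes the fact that the password must be stored recoverably on the server for this method.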
default), so that Windows XP can be authenticated in the case of a static IP address. In Huawei's authenticator system, this trigger mode is mutually exclusive with the DHCP trigger mode. The choice is made via the command line: if the authenticator system enables the DHCP trigger mode, it does not initiate authentication to the supplicant every N seconds; otherwise, it periodically initiates authentication to the supplicant.
3.2.1 PAP
PAP (Password Authentication Protocol) transmits the password in plain text. Since the 802.1X authentication system does not define a PAP authentication mode, Huawei has extended it (and has submitted a national standard in this respect) by adding one EAP Type (0x07, indicating PAP) to those of RFC 2284 (since replaced by RFC 3748) in order to carry PAP authentication. Because the password crosses the LAN in plain text, anyone who can capture the EAPOL frames reads it directly, so this mode is not highly secure; it is kept for compatibility with some traditional RADIUS servers.
3.2.2 CHAP
Unlike PAP, CHAP (Challenge Handshake Authentication Protocol) never transmits the password itself: the authenticator issues a random challenge and the supplicant returns MD5(identifier || password || challenge), as specified in RFC 1994, with which the CHAP authentication of Huawei's 802.1X system complies. The password therefore cannot be read from the wire, although the server must still hold it in a form from which the same hash can be computed, and a captured challenge/response pair can be tested offline against a dictionary of candidate passwords.
3.2.3 EAP
EAP (Extensible Authentication Protocol) is defined in RFC 2284 (now RFC 3748). This is the so-called EAP relay authentication mode. Its advantage is that the challenge and the calculation are completed by the server, which reduces the load on the authenticator system to a certain extent and means the authenticator does not need to understand the EAP method in use. EAP can carry multiple types of security control methods, such as MD5 hash and TLS. Huawei's 802.1X system supports the EAP-MD5, EAP-TLS and PEAP modes. The following sections give the packet sequences of the three authentication mechanisms in the EAP relay forwarding mode (see the description in Section 3.3.2):
3.2.3.2 EAP-TLS

Figure (not reproduced): EAP-TLS authentication procedure in EAP relay mode, between the supplicant PAE (EAPOL), the authenticator (EAPOR) and the RADIUS server (sequence recovered from the figure):

1. Supplicant to authenticator: EAPOL-Start
2. Authenticator to supplicant: EAP-Request/Identity
3. Supplicant: EAP-Response/Identity; authenticator to RADIUS server: RADIUS Access-Request (EAP-Response/Identity)
4. RADIUS server: RADIUS Access-Challenge (EAP-Request/EAP-TLS Start); authenticator to supplicant: EAP-Request/EAP-TLS Start
5. Supplicant: EAP-Response/EAP-TLS (TLS client_hello); authenticator: RADIUS Access-Request (EAP-Response/EAP-TLS client_hello)
6. RADIUS server: RADIUS Access-Challenge (EAP-Request/EAP-TLS: TLS server_hello, TLS certificate, TLS server_key_exchange, TLS certificate_request, TLS server_hello_done); relayed to the supplicant
7. Supplicant: EAP-Response/EAP-TLS (TLS certificate, TLS client_key_exchange, [TLS certificate_verify], TLS change_cipher_spec, TLS finished); authenticator: RADIUS Access-Request (EAP-Response/EAP-TLS: same TLS messages)
8. RADIUS server: RADIUS Access-Challenge (EAP-Request/EAP-TLS: TLS change_cipher_spec, TLS finished); relayed to the supplicant
9. Supplicant: EAP-Response/EAP-TLS (empty); authenticator: RADIUS Access-Request (EAP-Response/EAP-TLS)
10. RADIUS server: RADIUS Access-Accept (EAP-Success); authenticator to supplicant: EAP-Success
......
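The certificate messages in steps 6 and 7 above rarely fit in a single EAP packet, so RFC 5216 fragments them: the first fragment carries the L flag and a 4-octet TLS Message Length, every fragment but the last carries the M flag, and the peer acknowledges each fragment with an empty EAP-TLS packet before the next one is sent. The following Python is an added example, not the white paper's or Huawei's code. The EAP-TLS packet layout (Type 13, Flags L/M/S) is from RFC 5216; fragment, Reassembler, deliver, safe_reassemble and the constructed 3000-byte stand-in for a certificate message are this example's own names and inputs. The receiver bounds the declared length before buffering anything, which is the check that matters on an authenticator or server exposed to not-yet-authenticated peers.

```python
import struct

REQUEST, RESPONSE = 1, 2
TYPE_EAP_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, EAP-TLS Start


def eap_tls_packet(code, ident, flags, payload=b"", total_len=0):
    """EAP header, Type 13, Flags, then the 4-octet TLS Message Length only when L is set."""
    body = bytes([TYPE_EAP_TLS, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", total_len)
    body += payload
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def fragment(code, ident, tls_data, max_chunk):
    """Split one TLS message across EAP-TLS packets: L and the total length on the first
    fragment, M on every fragment except the last, Identifier incremented per round trip."""
    chunks = [tls_data[i:i + max_chunk] for i in range(0, len(tls_data), max_chunk)] or [b""]
    pkts = []
    for n, chunk in enumerate(chunks):
        flags = (FLAG_L if n == 0 else 0) | (FLAG_M if n < len(chunks) - 1 else 0)
        pkts.append(eap_tls_packet(code, (ident + n) & 0xFF, flags, chunk, len(tls_data)))
    return pkts


class Reassembler:
    """Receiving side: rejects oversized or inconsistent fragment series before buffering them."""

    def __init__(self, max_total=64 * 1024):
        self.max_total, self.expected, self.buf = max_total, None, bytearray()

    def feed(self, pkt):
        """Return ('start', ident), ('ack', ident) while fragments remain, or ('done', tls_message)."""
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or length < 6 or pkt[4] != TYPE_EAP_TLS:
            raise ValueError("not a well-formed EAP-TLS packet")
        flags, off = pkt[5], 6
        if flags & FLAG_S:
            return ("start", ident)
        if flags & FLAG_L:
            if self.expected is not None:
                raise ValueError("TLS Message Length repeated mid-message")
            (self.expected,) = struct.unpack("!I", pkt[off:off + 4])
            off += 4
            if self.expected > self.max_total:                  # bound before buffering
                raise ValueError("declared length %d exceeds limit" % self.expected)
        elif flags & FLAG_M and self.expected is None:
            raise ValueError("first fragment must carry the TLS Message Length")
        self.buf += pkt[off:]
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("fragments exceed the declared length")
        if flags & FLAG_M:
            return ("ack", ident)
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("message shorter than declared")
        msg, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return ("done", msg)


def deliver(tls_msg, max_chunk, ident=1):
    """One direction of the certificate step: the sender fragments, the peer acks each fragment
    with an empty EAP-TLS packet, so a 3000-byte message at 1000 bytes per packet costs 3 round trips."""
    peer, round_trips, result = Reassembler(), 0, None
    for pkt in fragment(REQUEST, ident, tls_msg, max_chunk):
        kind, value = peer.feed(pkt)
        round_trips += 1
        if kind == "ack":
            ack = eap_tls_packet(RESPONSE, value, 0)   # acknowledgement: flags 0, no payload
            assert len(ack) == 6
        else:
            result = value
    return result, round_trips


def safe_reassemble(pkts, max_total=64 * 1024):
    """Return the reassembled TLS message, or None when any fragment is rejected."""
    r, out = Reassembler(max_total), None
    try:
        for pkt in pkts:
            kind, value = r.feed(pkt)
            if kind == "done":
                out = value
        return out
    except ValueError:
        return None
```

The declared-length bound and the "fragments exceed the declared length" check are what stop a peer from making the receiver allocate without limit or from smuggling extra bytes after the advertised end of the message; real implementations also cap the number of fragments and time out a half-received series.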
3.2.3.3 PEAP
IEEE 802.1X uses EAP to authenticate a network supplicant before allowing it to access the network. EAP was originally designed for PPP connections. It allows any authentication method to be used for network access: the supplicant requesting access and the server that authenticates it first negotiate the specific EAP authentication method (called the EAP type). Once they agree on the EAP type, EAP lets the supplicant and the authentication server (generally a RADIUS server) carry on an open-ended dialog consisting of the authentication server's requests for authentication information and the supplicant's responses; the length and detail of the dialog depend on the EAP type. EAP is designed so that a plug-in authentication module is used on both the supplicant and the authentication server of a given connection; a new EAP type is supported by installing its library file on both sides. One advantage of EAP authentication is that the access server (the authenticator) does not need to be upgraded to support the new EAP type.

Although EAP provides flexible authentication, the whole EAP session may be sent in plain text (unencrypted). A malicious user with access to the medium can insert packets into the session, or capture the EAP messages of a successful authentication for analysis. This is particularly a problem for wireless connections, since the malicious user may be outside the enterprise; WEP (Wired Equivalent Privacy) encrypts the radio data frames, but that does not protect the EAP exchange itself. PEAP is an EAP type designed to solve this problem. It first establishes a TLS-protected channel between the supplicant and the authentication server, using TLS to protect the integrity and confidentiality of the path, and then negotiates a second EAP method of another EAP type inside that channel to authenticate the supplicant attempting to access the network. Since the TLS channel protects the inner EAP negotiation and authentication, password-based authentication protocols that are susceptible to offline dictionary attacks can be used for authentication in wireless environments. See Figure 6. The EAP authentication is conducted during the IEEE 802.1X authentication and before
Figure 6 PEAP authentication procedure in EAP relay mode, between the supplicant PAE (EAPOL), the authenticator (EAPOR) and the RADIUS server (sequence recovered from the figure):

1. Supplicant to authenticator: EAPOL-Start
2. Authenticator to supplicant: EAP-Request/Identity; supplicant: EAP-Response/Identity, relayed to the RADIUS server
3. RADIUS server to supplicant (via the authenticator): EAP-Request/PEAP Start
4. TLS channel established between supplicant and RADIUS server ...
5. Supplicant: EAP-Response (empty); authenticator: RADIUS Access-Request (EAP-Response (empty))
6. RADIUS server: RADIUS Access-Challenge (EAP-Request/MD5-Challenge); authenticator to supplicant: EAP-Request/MD5-Challenge, carried inside the TLS channel
7. Supplicant: EAP-Response/MD5-Password; authenticator: RADIUS Access-Request (EAP-Response/MD5-Password)
8. EAP-Success
......
3.3 Authentication Server

3.3.1 EAP Termination Mode

Figure (not reproduced): authentication procedure in EAP termination mode. The supplicant PAE speaks EAPOL to the authenticator; the authenticator speaks standard RADIUS (not EAP over RADIUS) to the RADIUS server (sequence recovered from the figure):

1. Supplicant to authenticator: EAPOL-Start
2. Authenticator to supplicant: EAP-Request/Identity; supplicant: EAP-Response/Identity
3. Authenticator to supplicant: EAP-Request/MD5-Challenge (the challenge is generated by the authenticator itself); supplicant: EAP-Response/MD5-Challenge
4. Authenticator to RADIUS server: RADIUS Access-Request (CHAP-Response/MD5-Challenge)
5. RADIUS server to authenticator: RADIUS Access-Accept (CHAP-Success); authenticator to supplicant: EAP-Success; port authorized
6. On every expiry of the handshake timer: handshake request packet [EAP-Request/Identity], handshake response packet [EAP-Response/Identity], repeated ...
7. Supplicant to authenticator: EAPOL-Logoff; port unauthorized
The advantage of this mode is that a standard RADIUS server without EAP support can be used, so that the user's existing investment is protected. In this mode the authenticator terminates EAP and communicates with the server in either PAP or CHAP.
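The translation the authenticator performs in this mode, as an added Python example that is not from the white paper and not Huawei's code: the switch generates the MD5 challenge itself, receives EAP-Response/MD5-Challenge, and rewrites it into a RADIUS Access-Request carrying the standard User-Name, CHAP-Password and CHAP-Challenge attributes of RFC 2865, which a server with no EAP support can verify. The attribute and code numbers are RFC 2865's; build_supplicant_response, terminate_eap_md5, radius_chap_server, accept_is_genuine, run_termination_mode, the user table and the shared secret are this example's assumptions. The last two functions show the check the switch should make before authorizing the port: a Reject flipped into an Accept on the wire fails the Response Authenticator test.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60      # RADIUS attribute types (RFC 2865)
EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4


def chap_digest(ident, password, challenge):
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_supplicant_response(eap_id, identity, password, challenge):
    """What the supplicant returns for EAP-Request/MD5-Challenge (constructed here for the demo)."""
    body = bytes([EAP_TYPE_MD5, 16]) + chap_digest(eap_id, password.encode(), challenge) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def attr(t, value):
    return bytes([t, 2 + len(value)]) + value


def radius_packet(code, ident, authenticator, attrs):
    body = b"".join(attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(buf):
    out, i = {}, 0
    while i < len(buf):
        t, ln = buf[i], buf[i + 1]
        if ln < 2 or i + ln > len(buf):
            raise ValueError("malformed attribute")
        out[t] = buf[i + 2:i + ln]
        i += ln
    return out


def terminate_eap_md5(eap_response, challenge, radius_id):
    """Authenticator side. Because the switch generated `challenge` itself, it can map the EAP
    MD5 response onto CHAP-Password/CHAP-Challenge, which any RFC 2865 server understands."""
    code, eap_id, length = struct.unpack("!BBH", eap_response[:4])
    if code != EAP_RESPONSE or length != len(eap_response) or eap_response[4] != EAP_TYPE_MD5:
        raise ValueError("expected EAP-Response/MD5-Challenge")
    size = eap_response[5]
    if size != 16:
        raise ValueError("MD5 value must be 16 octets")
    digest, name = eap_response[6:6 + size], eap_response[6 + size:]
    return radius_packet(ACCESS_REQUEST, radius_id, os.urandom(16), [
        (USER_NAME, name),
        (CHAP_PASSWORD, bytes([eap_id]) + digest),   # CHAP Ident must be the EAP Identifier that was hashed
        (CHAP_CHALLENGE, challenge),
    ])


def radius_chap_server(request, users, shared_secret):
    """A standard (non-EAP) RADIUS server: verify CHAP, answer Accept/Reject with a Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, req_auth)   # RFC 2865: if absent, the Request Authenticator is the challenge
    password = users.get(attrs.get(USER_NAME, b"").decode("utf-8", "replace"))
    ok = (len(chap) == 17 and password is not None
          and hmac.compare_digest(chap_digest(chap[0], password.encode(), challenge), chap[1:]))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3
    return header + hashlib.md5(header + req_auth + shared_secret).digest()


def accept_is_genuine(request, response, shared_secret):
    """Authenticator side: authorize the port only for an Accept whose authenticator verifies."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + shared_secret).digest()
    return response[0] == ACCESS_ACCEPT and hmac.compare_digest(expected, resp_auth)


def run_termination_mode(identity, password, users, shared_secret=b"radius-secret"):
    challenge, eap_id = os.urandom(16), 5             # challenge made by the switch, not the server
    eap_resp = build_supplicant_response(eap_id, identity, password, challenge)
    request = terminate_eap_md5(eap_resp, challenge, 1)
    response = radius_chap_server(request, users, shared_secret)
    return accept_is_genuine(request, response, shared_secret)
```

The Response Authenticator is the only integrity the base RADIUS protocol gives the switch, and it rests entirely on the shared secret, so the secret must be long and per-NAS; the Request Authenticator must also be fresh per request, or the server's reply to an old request can be replayed.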
1. Binding of user account + VLAN ID;
2. Binding of user account + VLAN ID + port;
3. Binding of user account + VLAN ID + port + MAC;
4. Binding of user account + VLAN ID + port + MAC + IP.
After the user initiates the authentication request via the 802.1X supplicant, the LAN switch first sends a version request packet to the supplicant, and the supplicant sends a response packet carrying its current version information. After receiving the version response, the LAN switch records the version and proceeds with the normal 802.1X authentication. When it finally sends the RADIUS authentication request to the CAMS, it puts the version information, together with the Identity and the MD5 password, into the hw-User-Notify (26-61) extended attribute of the RADIUS request packet, and the CAMS completes the final version check.

For a Huawei 802.1X supplicant of a new version, the supplicant answers the authenticator system's version request with a response carrying its version information, which the switch forwards to the CAMS to check the version validity; the authentication message flow shown in Figure 8 therefore does not affect user authentication. For an 802.1X supplicant from another vendor, the supplicant does not respond to the version request, so the authenticator system waits for the version response until it times out (the timeout depends on the configured maximum number of version requests and the retransmission interval) and then jumps directly to the EAP-Request/Identity state; such supplicants still authenticate, but every login is delayed by that timeout. This process takes effect only after the supplicant version request command is configured on the switch; if the command is not configured, the previous 802.1X authentication process is used.
Specifically, for a static IP address, after the user passes authentication the switch sets the port's IP filter to deny all and installs a permit ACL that lets only the user's IP packets matching the IP + MAC + port + VLAN tuple pass. For a dynamic IP address, after the user passes authentication the switch sets the port's IP filter to deny all and enables DHCP snooping to capture the DHCP ACK packet; once the DHCP ACK is received, it installs the permit ACL for the user's IP + MAC + port + VLAN tuple.
3.4.7 Re-authentication
The re-authentication function specified in the IEEE Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control is implemented, so that the authenticator system initiates re-authentication periodically whenever periodic re-authentication is enabled.
If the RADIUS server sends the Termination-Action attribute (Type 29, present only in the Access-Accept message), the NAS acts according to its value:

1. Value 0 (Default): the user is forcibly disconnected when the session times out.
2. Value 1 (RADIUS-Request): the Session-Timeout value in the same Access-Accept (Type 27, a 4-byte unsigned integer giving the maximum time in seconds for which the connection between the supplicant and the authenticator system is held) is used as the re-authentication interval.

If the RADIUS server does not send Termination-Action but global 802.1X, port 802.1X and the re-authentication feature are enabled, the authenticator system uses the default period (3600 seconds) as the re-authentication period, unless the user has configured a period, in which case the configured value is used. If the RADIUS server does not send Termination-Action and the re-authentication feature is not enabled, the authenticator system does not perform 802.1X re-authentication.
The correlation between the proxy detection function and Huawei's equipment is shown in the following table:

Functional item | Requires CAMS | Description
Detect whether a proxy is set in IE | Yes | The CAMS is needed only for the detection of the IE proxy setting.
Detect the other proxy modes | No | The detection of all proxy modes needs the coordination between Huawei's supplicant and Huawei's authenticator system.
subsequent accounting (start, update and stop) packets. The server log records the information for management queries. In the case of dynamic IP address allocation, the IP address cannot be sent together with the user account in the authentication packet, so authentication of user account + IP address cannot be implemented: since 802.1X is a Layer 2 authentication protocol, the user cannot obtain a valid IP address before authentication succeeds. Huawei's 802.1X system therefore sends the IP address information to the server in the subsequent accounting update packets and the accounting stop packet.
users in all the other VLANs that multiplex this port are authorized accordingly. Therefore, standard 802.1X cannot support Trunk port authentication. Through a finer definition of the control granularity and the corresponding processing, Huawei's 802.1X supports Trunk port authentication (in MAC-based mode). This extension does not compromise compliance with the standard, since the finer granularity is an added function rather than a removed one, and it causes no interconnection problem with devices of other vendors. The feature brings three advantages to the networking:

1. It is advantageous to the planning and utilization of VLAN resources.
2. It is advantageous to centralizing the authenticator device layer.
3. The binding of user account + VLAN improves user security while giving the operator higher manageability.

For example, medium- and large-sized networks are short of VLAN resources (at most 4096 VLAN IDs). Since the Trunk port supports authentication, VLAN termination and authentication can be completed by the device in the convergence layer (or core layer). Thus, by dedicating a VLAN to a single user or a few users and binding them together, security is improved and users are prevented from roaming among VLANs.
Integer: the switch adds the port to the VLAN whose integer ID the RADIUS authentication server sent. If the VLAN does not exist, the switch first creates it and then adds the port to the newly created VLAN.

String: the switch compares the string ID sent by the RADIUS authentication server with the existing VLAN names on the switch. If it finds a match, it adds the port to the corresponding VLAN; otherwise VLAN sending fails and the user cannot pass the authentication.

The VLAN sending mode must be configured manually in the domain view, because different authentication servers support different modes. The following table shows which sending mode each authentication server supports:

Sending mode | CAMS | Windows 2000 IAS | ACS
Integer | Supported | Supported | Not supported
String | Not supported | Supported | Supported
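The white paper does not name the RADIUS attributes that carry the VLAN; the usual ones are the RFC 2868 tunnel attributes as profiled by RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID or VLAN name), and the following Python is an added example of the integer and string sending modes built on that assumption; it is not the white paper's or Huawei's code. It takes already-decoded attributes as (type, value) pairs, handles the tag octet that RFC 2868 allows in front of tunnel attribute values, and shows the create-then-join step of integer mode and the failure of string mode when no VLAN name matches. tunnel_int, tunnel_string, select_vlan_group, assign_vlan and the constructed switch VLAN table are this example's own names and data.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868 attribute types
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6                               # values RFC 3580 uses for VLANs


def tunnel_int(raw):
    """Tagged integer: one tag octet followed by a 3-octet value; tag 0 (or > 0x1F) means untagged."""
    if len(raw) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    tag = raw[0] if 1 <= raw[0] <= 0x1F else 0
    return tag, int.from_bytes(raw[1:], "big")


def tunnel_string(raw):
    """Tagged string: a leading octet in 0x01..0x1F is a tag; anything else ('1' is 0x31) is data."""
    if raw and 1 <= raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def select_vlan_group(attrs):
    """Group the tunnel attributes by tag and return the Tunnel-Private-Group-ID of the first
    group that actually describes a VLAN; other tunnel types (e.g. L2TP) are ignored."""
    groups = {}
    for t, raw in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = tunnel_int(raw)
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, value = tunnel_string(raw)
        else:
            continue
        groups.setdefault(tag, {})[t] = value
    for grp in groups.values():
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in grp):
            return grp[TUNNEL_PRIVATE_GROUP_ID]
    return None


def assign_vlan(attrs, switch_vlans, mode):
    """Return (vlan_id, outcome); vlan_id is None when the user must be rejected.
    switch_vlans maps VLAN ID -> VLAN name and is updated when integer mode creates a VLAN.
    mode is 'integer' or 'string', the manual choice made in the domain view."""
    group_id = select_vlan_group(attrs)
    if group_id is None:
        return None, "no VLAN assignment in Access-Accept"
    text = group_id.decode("ascii", "replace")
    if mode == "integer":
        if not text.isdigit():
            return None, "server sent a name but the switch expects an integer: authentication fails"
        vid = int(text)
        if not 1 <= vid <= 4094:
            return None, "VLAN ID %d out of range" % vid
        if vid in switch_vlans:
            return vid, "existing"
        switch_vlans[vid] = "VLAN %04d" % vid          # create first, then add the port
        return vid, "created"
    for vid, name in switch_vlans.items():            # string mode: match on VLAN name only
        if name == text:
            return vid, "existing"
    return None, "no VLAN named %r: VLAN sending fails and the user is rejected" % text
```

Integer mode silently creating a VLAN the operator never planned is the flip side of its convenience; the range check is the minimum guard, and a production implementation would also confine the server to VLANs the port's trunk allows.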
The handshake interval is 15 seconds by default. If it is set to 30 seconds or more, it becomes inconsistent with the default authWhile timer (30 s) of the Windows XP supplicant; the switch's state machine then gets out of step and the user is disconnected. Trigger by the supplicant's static IP address causes the same problem. To avoid it, Huawei's authenticator system restricts which packets may trigger authentication:

1. When no user is online, ordinary EAP-Request/Identity (reqid) packets, including the multicast reqid = 1 packet that the switch sends every 30 s, can trigger authentication.
2. When no user is online and an EAPOL-Start (eapstart) packet indicating that an authentication process has started has been received, the reqid = 1 packet can no longer trigger authentication.
3. When a user is online, the reqid packet induced by an eapstart packet can trigger authentication, but handshake packets cannot.
Quidway S series devices can either terminate EAP or relay it transparently, depending on the networking requirement and on whether the server supports EAP.
4 Typical Networking
There are three typical 802.1X networking modes, chosen according to the network scale and the requirements for authentication, accounting and management: centralized authentication, peripheral distributed authentication, and authentication via the server built into the authenticator system.
4.1 Centralized Authentication

Figure (not reproduced): centralized authentication networking. DNS and DHCP servers are reached across the IP network through Quidway S8512/S8016 and Quidway S6506/S6503/S5516 switches; the devices labelled as 802.1X authenticator systems are MA5300/5306 and Quidway S3526/S3526E/FM/FS.
4.2 Peripheral Distributed Authentication

Figure (not reproduced): peripheral distributed authentication networking. DNS and DHCP servers sit behind Quidway S3526/S3526E/FM/FS switches; Quidway S3026/S3026E/FM/FS switches act as the 802.1X authenticator systems, with the 802.1X clients attached to them.
For network environments in which the access and convergence layers are physically far apart, peripheral distributed authentication reduces the transmission bandwidth consumed by the authentication control traffic.
4.3 Authentication via the Built-in Server

Figure (not reproduced): authentication via the built-in server, showing S6506/5516/S3526 switches with S2403, S3026 and S2008/2016 devices below them.