802.1X operates in the typical client/server model and defines three entities: supplicant system, authentication system, and authentication server system:

• Supplicant System: It is required to access the LAN, and enjoy the services provided by the Switch equipment (such as PC), the client needs to support EAPOL agreement, and the client must run the IEEE 802.1X authentication client software.

• Authentication System: In the Ethernet system, the authentication Switch is mainly used to upload and deliver user authentication information and control whether the port is available according to the authentication result. As if between the client and the authentication server to act as a proxy role.

• Authentication Server: Normally refers to the RADIUS server. RADIUS checks the identity of the client (user name and password) to determine whether the user has the right to use the network system to provide network services. After the end of the authentication, results will be sent to the Switch.

The above systems involve three basic concepts: PAE, controlled port, control direction:

• PAE: Port Access Entity (PAE) refers to the entity that performs the 802.1x algorithm and protocol operations.

  PAE is the entity responsible for performing algorithms and protocol operations in the authentication mechanism. The PAE uses the authentication server to authenticate the clients that need to access the LAN, and controls the authorized / unauthorized status of the controlled ports accordingly according to the authentication result. The client PAE responds to the authentication request from the device and sends the user authentication information to the device. The client PAE can also send the authentication request and the offline request to the device.

• Controlled port and uncontrolled port: An authenticator provides ports for supplicants to access the LAN. Each of the ports can be regarded as two logical ports: a controlled port and an uncontrolled port.

  • The uncontrolled port is always enabled in both the ingress and egress directions to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always send and receive authentication frames.

  • The controlled port is enabled to allow normal traffic to pass only when it is in the authorized state.

  • The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them.

• Control direction: In the non-authorized state, the controlled port is set to one-way controlled: the implementation of one-way controlled, prohibits the receiving frame from the client, but allows the client to send frames.

• Port controlled manner

  • Port-based authentication: As long as the first user authentication is successful under the physical ports, other access users without authentication can use the network source, when the first user is off line, other users will be refused to use network.

  • MAC-address-based authentication: All the users on the physical port need to be authenticated separately. When userA goes offline, only the userA cannot use the network.

The 802.1x authentication system employs the Extensible Authentication Protocol (EAP) to exchange authentication information between the supplicant PAE, authenticator PAE, and authentication server.

At present, the EAP relay mode supports four authentication methods: EAP-MD5, EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol).

Switch supports EAP-Transfer mode and EAP-Finish mode to interactive with remote RADIUS server to finish the authentication.

• Authentication Process: The following takes EAP-Transfer authentication process for an example to introduce the basic service procedure.

  The authentication process is as follows:

  • When the user needs to access the network, it will input the registered user name and password through the 802.1X client and initiate the connection request (EAPOL-Start packet). At this point, the client program sends the request message to the device, start an authentication process.

  • After receiving the requested data frame, the access device sends out a request frame (EAP-Request/Identity packet) to ask the user's client program for the user name.

  • The client responds to the request from the device and sends the user name information to the device through the data frame (EAP-Response/Identity packet). The device encapsulates the RADIUS Access-Request packet and then sends it to the authentication server for processing after receiving the data frame packet from the client.

  • After receiving the user name information from the device, the RADIUS server compares the information with the user name table in the database, finds the corresponding password information, and encrypts it with a randomly generated encryption key. And it sends the encrypted keyword to the device through a RADIUS Access-Challenge packet. The message is then forwarded by the device to the client.

  • After receiving the EAP-Request/MD5 Challenge packet, the client encrypts the encrypted part (this encryption algorithm is usually irreversible) and generates the EAP-Response/MD5 Challenge packets and pass the authentication packets to the authentication server.

  • The RADIUS server compares the received encrypted information (RADIUS Access-Request packet) with the local encrypted password information. If the password is the same, the RADIUS server considers the user to be a valid user and sends out the message-Accept and EAP-Success).

  • After receiving the authentication message, the device changes the port to the authorized state, allowing the user to access the network through the port.

• EAP-Finsh: In this way, EAP packets are terminated at the device end and are mapped to RADIUS packets. The RADIUS server uses the standard RADIUS protocol to complete authentication, authorization, and accounting. The PAP or CHAP authentication method can be adopted between the device and the RADIUS server. Our Switch defaults to this mode. The following takes the CHAP authentication method as an example to describe the basic service flow, as shown below:

  The EAP termination mode differs from the authentication process of EAP relay mode in that a random encryption key for encrypting the user's password information is generated by the device, and then the device encrypts the user name, the random encryption key, and the encrypted password information of the client to the RADIUS server, and perform the related authentication process.