IEEE 802.1X是IEEE制定关于用户接入网络的认证标准(注意:此处X是大写),全称是“基于端口的网络接入控制”,属于IEEE 802.1网络协议组的一部分。于2001年标准化,之后为了配合无线网络的接入进行修订改版,于2004年完成。它为想要连接到LAN或WLAN的设备提供了一种认证机制。
IEEE 802.1X is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
IEEE 802.1X协议在用户接入网络(可以是以太网/802.3或者WLAN网)之前运行,运行于网络中的数据链路层,EAP协议RADIUS协议。
IEEE 802.1X定义了在IEEE 802上运行EAP(即"EAP over LAN"或EAPOL)的封装方式。EAPOL协议在802.1X-2010中还进行了修改,以支持服务识别和在本地LAN段上的可选点对点加密。
IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as "EAP over LAN" or EAPOL.
802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.
申请者(如客户端设备)不允许通过验证者访问到受保护一侧的网络,直到申请者的身份被验证和授权。这就像是允许进入一个国家之前要在机场的入境处提供一个有效的签证一样。使用802.1X基于端口的验证,申请者向验证者提供凭据,如用户名/密码或者数字证书,验证者将凭据转发给验证服务器来进行验证。如果验证服务器认为凭据有效,则申请者(客户端设备)就被允许访问被保护侧网络的资源。
EAP数据首先被封装在EAPOL帧中,传输于申请者(Supplicant)和验证者(Authenticator)之间。随后又封装在RADIUS或Diameter,传输于验证者和验证服务器(Authentication server)之间。
EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter.
Typical authentication progression
- Initialization On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with that TCP and UDP), is dropped.
- Initiation To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.
- Negotiation (Technically EAP negotiation) The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (The type of EAP based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can start using the requested EAP Method, or do an NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.
- Authentication If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet), or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed, if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator, the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
新加入一个用户->authenticator开个端口,发个eap-request给它->用户回复一个user id->authenticator把这个id转发给authentication server;
用户发送eapol start开始验证->authentication server协调好eap 方法->用户使用eap方法和authentication server进行验证->验证通过eapol success->authenticator打开端口->上网;
注意的是,LAN里面,supplicant和authenticator之间用eap协议; 认证方面,authenticator和authentication server用的是radius和diameter协议;
