IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management

原文地址:http://www.javvin.com/protocol8021X.html

 

The IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. 

In the 802.1x architecture, there are three key components: 1) Supplicant: the user or client that wants to be authenticated; 2) The authentication server, typically a RADIUS server; 3) The authenticator: the device in between, such as a wireless access point, which can be simple and dumb.

The key protocol in 802.1x is called EAP over LANs (EAPOL). It is currently defined for Ethernet-like LANs including 802.11 wireless, as well as token ring LANs (including FDDI). The operation process in 802.1X is as follow:

  1. The supplicant (such as a client wireless card) sends an "EAP-Response/Identity" packet to the authenticator (such as 802.11 access point), which is then passed on to the authentication server (RADIUS server which is located at the wired side of the access point).
  2. The authentication server sends back a challenge to the authenticator. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant.
  3. The supplicant responds to the challenge via the authenticator and passes the response onto the authentication server. The authentication server uses a specific authentication algorithm to verify the client's identity. This could be through the use of digital certificates or other EAP authentication type.
  4. If the supplicant provides proper identity, the authentication server responds with a success message, which is then passed onto the supplicant. The authenticator now opens port for the supplicant to access to the LAN based on attributes that came back from the authentication server.

The 802.1X (EAPOL) protocol provides effective authentication regardless of whether you implement 802.11 WEP keys or no encryption at all. If configured to implement dynamic key exchange, the 802.1X authentication server can return session keys to the access point along with the accept message. The access point uses the session keys to build, sign and encrypt an EAP key message that is sent to the client immediately after sending the success message. The client can then use contents of the key message to define applicable encryption keys.

802.1X (EAPOL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms. When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), which defines how the authentication takes place. The specific EAP type resides on the authentication server and within the operating system or application software on the client devices. The access point acts as a "pass through" for 802.1X messages, which means that you can specify any EAP type without needing to upgrade an 802.1X-compliant access point.

 

Protocol Structure - IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management
EAPOL Frame Format for 802.3/Ethernet:

2 bytes 1 byte 1 byte 2 bytes Variable
PAE Ethernet Type Protocol version Packet type Packet Body length Packet Body

  • PAE Ethernet type- PAE (Port Access Entity) Ethernet type contains the Ethernet Type value assigned for use by the PAE.
  • Protocol version - an unsigned binary number, which value is the version of the EAPOL protocol.
  • Packet type- an unsigned binary number, which value determines the type of the packet as follows: a0 EAP-packet; b) EAPOL-Start; c) EAPOL-Logoff; d)EAPOL-Key; e) EAPOL-Encapsulated-ASF-Alert
  • Packet body length- an unsigned binary, which value defines the length in octets of the packet body field.
  • Packet Body - This field is presented if the packet type contains the value EAP-Packet, EAPOL-Key, or EAP-Encapsulated-ASF-Alert, otherwise, it is not presented.

EAPOL Frame Format for Token Ring /FDDI:


8 bytes 1 byte 1 byte 2 bytes Variable
SNAP Ethernet Type Protocol version Packet type Packet Body length Packet Body

  • SNAP Ethernet Type- contains the SNAP-encoded Ethernet type encoded in the SNAP format as follows: 1-3 bytes carry the standard SNAP header; 4-6 bytes carry the SNAP PID; 7-8 bytes carry the PAE Ethernet Type value.

Related Protocols
Ethernet , EAP , RADIUS , Token Ring

Sponsor Source
EAPOL (802.1X) is defined by IEEE (http://www.ieee.org ).

Reference
http://standards.ieee.org/getieee802/download/802.1X-2001.pdf : Port based Network Access Control

你可能感兴趣的:(802.1x)