802.1X Port-Based Authentication HOWTO (2023)

1.1. What is 802.1X?

The 802.1X-2001 standard states:

Port-based network access control takes advantage of the physical access characteristics of IEEE 802 LAN infrastructures to provide a wayauthenticityInauthorizedevices connected to a LAN port with point-to-point and from connection featuresprevent accesson this port in cases where authentication and authorization fail. A port in this context is a single point of connection to the LAN infrastructure."--- 802.1X-2001, p.

1. When a new wireless node (WN) requests access to a LAN resource, the access point (AP) requests the identity of the WN.No non-EAP traffic is allowed before the WN is verified (the"sea port"Is closed).

   The wireless node requesting authentication usually appears in the listthey are begging, although it is more correct to say that the wireless hubcontainsa supplicant. The supplicant is responsible for responding to the Authenticator data that will establish their credentials. The same goes for the access point. HeThe authenticator isnot the access point. Instead, the access point contains an authentication. The authenticator does not even need to be at the access point. it may be an external component.

   EAP, the protocol used for authentication, was originally used for PPP over dial-up. Identity was PAP or CHAP username and authentication [RFC1994] was used to verify the user's password. As long as the identity is sent in the clear (unencrypted), a malicious probe can learn the identity of the user."Hide identity"Therefore, it is used; the real identity is not sent until the TLS encrypted tunnel is up.

2. After submitting the ID, the authentication process begins. The protocol used between the supplicant and the authentication tool is EAP, or more precisely EAP Encapsulation over LAN (EAPOL). The authenticator re-encapsulates the EAP messages in RADIUS format and forwards them to the authentication server.

   During authentication, the authenticator only forwards packets between the supplicant and the authentication server. When the authentication process is complete, the authentication server sends a success (or error, if authentication failed) message.The authenticator then opens it."sea port"for the petitioner.

3. After successful authentication, the supplicant can access other LAN/Internet resources.

see the figure802.1Xfor an explanation.

why is it called"sea port"based authentication? authenticator manipulationssquaredInsin controlports Both controlled and uncontrolled ports are logical entities (virtual ports), but they use the same physical connection to the LAN (same connection point).

Before authentication, it's just the port not selected"Open". The only movement allowed is EAPOL. See Verifier System 1 in the imagesea ​​port. After the supplicant is authenticated, the controlled port is opened and access to other LAN resources is granted. see the Authentication System 2 in the imagesea ​​port.

802.1X plays an important role in the new IEEE 802.11i wireless standard.

1.2. What is 802.11i?

1.3. What is EAP?

Extensible Authentication Protocol (EAP) [RFC 3748] is just the transport protocol optimized for authentication, not the authentication method itself:

"[EAP is] an authentication framework that supports multiple authentication methods. EAP typically runs directly on data link layers, such as Point-to-Point Protocol (PPP) or IEEE 802, without the need for IP. EAP provides its own support for deduplication and relaying, but it is based on lower order guarantees. Hashing is not supported by EAP itself, however individual EAP methods may support it."--- RFC 3748, page 3

1.4. EAP authentication method

Since 802.1X uses EAP, many different authentication schemes can be added, including smart cards, Kerberos, public key, one-time passwords, and others.

Some of the most commonly used EAP authentication mechanisms are listed below. A full list of registered EAP authentication types is available from IANA:http://www.iana.org/assignments/eap-numbers.

Not all authentication mechanisms are considered secure!

• EAP-MD5:MD5-Challenge requires username/password and is equivalent to PPP CHAP [RFC1994]. This method is not resistant to dictionary attacks, mutual authentication, or key extraction, and is therefore of little use in a wireless authentication environment.

• Light EAP (JUMP):A username and password combination is sent to an authentication server (RADIUS) for authentication. Leap is a proprietary protocol developed by Cisco and is not considered secure. Cisco is moving away from LEAP in favor of PEAP. You can find the closest one in a published standardhere.

• EAP-TLS:Establishes a TLS session within EAP between the supplicant and the authentication server. Both the server and the client need a valid certificate (x509) and therefore a PKI. This method provides two-way authentication. EAP-TLS is described in [RFC2716].

• EAP-TTLS:Set up an encrypted TLS tunnel for the secure transfer of authentication data. Other authentication methods (if any) can be used within the TLS tunnel. It was developed by Funk Software and Meetinghouse, and is currently an IETF concept.

• EAP Protegido (PEAP):It uses an encrypted TLS tunnel like EAP-TTLS. Requesting certificates for EAP-TTLS and EAP-PEAP is optional, but server (AS) certificates are required. It was developed by Microsoft, Cisco, and RSA Security and is currently an IETF concept.

• EAP-MSCHAPv2:It requires a username/password and is essentially an EAP encapsulation of MS-CHAP-v2 [RFC2759]. It is normally used in a PEAP encrypted tunnel. It was developed by Microsoft and is currently an IETF concept.

1.5. What is RADIO?

The Remote Authentication Dial-in User Service (RADIUS) is defined in [RFC2865] (with friends), and was mainly used by ISPs that verified the username and password before allowing the user to use the ISP's network.

802.1X does not specify what kind of back-end authentication server there should be, but RADIUS is the "de facto" back-end authentication server used in 802.1X.

There are not many AAA protocols available, but both RADIUS and DIAMETER [RFC3588] (including its extensions) comply with full AAA support. AAA stands for Authentication, Authorization, and Accounting (IETF AAA Working Group).

The purpose of this license is to make a functional and useful manual, manual, or other document "free" in the sense of freedom: to grant everyone real freedom to copy and redistribute it, with or without modification, commercially or otherwise. -commercially. Second, this License provides a way for the author and publisher to take credit for their work, without being responsible for changes made by others.

This License is a kind of "copyleft", which means that derivative works of the document itself must be free in the same sentence. It supplements the GNU General Public License, a copyright license designed for free software.

We designed this License to be used in manuals for free software because free software needs free documentation: a free program must come with manuals that allow the same freedoms as the software. But this License is not limited to software manuals. it can be used for any text work, regardless of its subject matter or whether it has been published as a printed book. We recommend this License primarily for works intended for instruction or reference.

This License applies to any manual or other work, in any medium, that contains a notice published by the copyright owner that it may be distributed under the terms of this License. This notice grants a worldwide, unrestricted, royalty-free license to use this work subject to the terms and conditions set forth herein. "Document" below refers to such manuals or works. Each member of the public is a licensee and is referred to as "you". You agree to the license if you copy, modify, or distribute the work in any way that requires permission under copyright law.

"Modified Version" of the Document means any work containing the Document or any part thereof, copied verbatim or modified and/or translated into another language.

A "minor section" is a named appendix or body of the document that deals solely with the relationship of the editors or authors of the document to the overall topic of the document (or related topics) and does not contain anything directly relevant to that overall topic. . (Thus, if the document is part of a mathematics textbook, a secondary part may not explain the mathematics.) The relationship may be a historical relationship to the related issue(s), or a related legal, business, philosophical, ethical, or political position. them .

"Invariant Sections" are certain Subsections whose titles are designated as Invariant Sections in the notice stating that the Document is issued under this License. If a section does not meet the above definition of Minor, it should not be marked as No Change. The document can contain zero immutable sections. If the document specifies invariant sections, they do not exist.

"Cover Texts" are certain short passages of text listed as Front Cover Texts or Back Cover Texts in the notice indicating that the Document is issued under this License. A front cover text can have a maximum of 5 words and a back cover text can have a maximum of 25 words.

A "clear" copy of the Document means a machine-readable copy, rendered in a format the specification of which is generally available to the public, suitable for immediate review of the Document using general-purpose word processors or (for composite pixel images) general specific purpose drawing programs or (for drawings) a commonly available drawing editor suitable for input into text formatting programs or for automatic translation into a variety of formats suitable for input into text formatting programs. A copy created in a transparent file format whose formatting or lack of formatting is arranged to prevent or discourage further modification by readers is not transparent. An image format is not transparent if it is used for a significant amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable transparent copy formats include plain plain ASCII, Texinfo input format, LaTeX input format, SGML or XML format using a publicly available DTD, and standards-compliant plain HTML, PostScript, or PDF designed for human modification. Examples of transparent image formats are PNG, XCF, and JPG. Opaque formats include proprietary formats that can only be read and processed by proprietary word processors, SGML or XML for which DTD and/or processing tools are not generally available, and the HTML, PostScript or PDF engine used by some word processors for production purposes. only.

"Title page" means, for a printed book, the title page itself, plus such subsequent pages as are necessary to legibly contain the material required by this License to appear on the title page. For works in formats that do not have a proper title page, "Title Page" means the text near the most prominent occurrence of the title of the work, before the beginning of the body of text.

A "Tile XYZ" section means a named subsection of the Document whose title is exactly XYZ or contains XYZ in parentheses after text that translates XYZ into another language. (Here XYZ means a specific section name listed below, such as "Acknowledgments," "Dedications," "Suggestions," or "History.") "Keep title" of that section when you modify the document means it's a " Titled XYZ" remains with this definition.

The document may contain warranty disclaimers in addition to the notice that this license applies to the document. These warranty disclaimers are deemed to be incorporated by reference into this license, but only for the purpose of disclaiming warranties: any other effect these warranty disclaimers may have is void and does not affect the meaning of this license.

You may copy and distribute the Document in any medium, commercial or non-commercial, provided that this License, the copyright notices, and the license notice that this license applies to the Document are reproduced in all copies and that you do not add no other term. to those of this document. Permission. You may not use any technical measures to prevent or control further reading or copying of the copies you create or distribute. However, you may accept compensation in exchange for the copies. If you distribute a sufficient number of copies, you must also comply with the requirements of Section 3.

You may also lend copies, under the same conditions as above, and you may publicly display copies.

If you publish more than 100 printed copies (or copies in media that typically have hard covers) of the Document and the Document's license statement requires cover pages, you must include the copies on cover pages that clearly show all such cover pages. and contains legible: texts from cover to cover and texts from back cover to back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The title page must show the full title, with all the words of the title equally prominent and visible. You can also add other material to the covers. The copy with changes limited to the covers, as long as the title of the Document is preserved and these conditions are met, can be considered a verbatim copy.

If the texts required for any of the covers are too long to fit legibly, you should place the first of the list (as far as it reasonably fits) on the actual cover and continue the rest on the adjacent pages.

If you post or distribute more than 100 opaque copies of the document, you must include a transparent machine-readable copy with each opaque copy or indicate on or with each opaque copy a computer network location accessible to the general public using the network. to download a complete transparent copy of the document, without additional material, using standard public network protocols. If you use the latter option, you must take reasonable precautions when you begin to distribute Opaque Copies in bulk to ensure that this Opaque Copy remains accessible at the designated location for at least one year after the last distribution (either directly or through agents). or retailers) an opaque copy of this number to the public.

You are requested, but not required, to contact the authors of the Document well in advance of redistributing a large number of copies to give them an opportunity to provide you with an updated version of the Document.

You may copy and distribute a Modified Version of the Document in accordance with the terms of paragraphs 2 and 3 above, provided that you publish the Modified Version in accordance with this same License, the Modified Version assumes the role of the Document, which allows you to distribute and modify the Modified Edition licenses to any person who has a copy of it. Also, you need to do these things in the modified version:

1. On the title page (and title pages, if applicable), use a title that differs from the document and previous editions (which, if applicable, should appear in the Document History section). You may use the same title as an earlier version if the original publisher of that version gives permission.

2. List as authors on the cover page one or more persons or entities responsible for authoring the changes in the modified version, along with at least five of the main authors of the document (all main authors, if fewer than five), unless that you exempt from this requirement.

3. On the title page, indicate the name of the publisher of the revised edition as editor.

4. Please retain all copyright notices in the document.

5. In addition to other copyright notices, please include an appropriate copyright notice for your changes.

6. Include, immediately after any copyright notices, a license notice granting the public a license to use the Modified Version under the terms of this License, in the form that it appears onSupplementbelow.

7. Please retain in this license notice the complete list of Invariant Sections and required cover text as specified in the Document's license notice.

8. Include an unmodified copy of this License.

9. Keep the section titled "History," keep its title, and add an entry to it that provides at least the title, year, new authors, and publisher of the revised edition as indicated on the title page. If there is no section titled "History" in the document, create a section that lists the document's title, year, authors, and publisher as indicated on the title page, and then add an entry identifying the modified version. as mentioned in the previous sentence.

10. Please retain the network location, if any, provided in the Document for public access to a transparent copy of the Document and, similarly, the network locations provided in the Document for earlier versions on which you relied. These can be placed in the "History" section. You may omit a network location for a work published at least four years before the Document itself, or if the original publisher of the referenced publication consents.

11. For any section titled "Acknowledgments" or "Dedications", you retain the section title and retain in the section all of the content and tone of each acknowledgment and/or dedication made therein.

    (Video) CCNA Security | Configuring 802.1x Port Based Authentication

12. Keep all Invariant Sections of the Document unchanged in their text and titles. Section numbers or their equivalent are not considered part of section titles.

13. Delete any section titled "Tips." This section may not be included in the Modified Version.

14. Do not change the title of an existing section to "Tips" or create a title conflict with an unchanged section.

15. Save any warranty disclaimers.

If the Modified Edition contains new front sections or appendices that qualify as subsections and do not contain material copied from the Document, you may, in your sole discretion, designate some or all of those sections as unchanged. To do this, add your titles to the Unchanged Sections list in the Modified Version license notice. These titles must be different from all other section titles.

You may include a section titled "Suggestions" as long as it contains no more than endorsements of your Multipart Modified Version, for example, peer review statements, or the text has been approved by an organization as the authoritative definition of a model .

You can add a citation of up to 5 words for the front cover text and a citation of up to 25 words for the back cover text at the end of the cover text list in the edited version. An entity can only add (or accept) one excerpt from the front cover text and one from the back cover text. If the Document already contains cover text for the same cover, previously added by you or organized by the same entity on whose behalf you are acting, you will not be able to add another one. but you may replace the above with the express permission of the above publisher who added the above.

The authors and publishers of the Document do not grant permission under this License to use their names for publicity purposes or to state or imply that they endorse any Modified Version.

You may combine the Document with other documents issued under this License subject to the conditions set forth inSection 4above for modified versions, provided that you include in the combination all unaltered Sections of all original documents, unaltered, and that you refer to all of them as Unaltered Sections of your combined work in your license notice and that you retain all Statements of warranty.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced by a single copy. If there are multiple invariant sections with the same name but different content, make each section title unique by appending at the end, in parentheses, the name of the original author or editor of that section, if known, or otherwise a unique number. Make the same adjustment to the section titles in the list of Sections without changes in the license notice for the combined work.

In the merge, you must combine all the sections titled "History" in the various original documents into one section titled "History". Also combine all sections titled "Acknowledgments" and all sections titled "Dedications." You should remove all sections titled "Tips."

You may create a collection consisting of the Document and other documents issued under this License and replace individual copies of this License in the various documents with a single copy that is part of the collection, provided you follow the rules of this Permission to Copy Word per word. any of the documents in any other respect.

You may extract a single document from such a collection and distribute it separately in accordance with this License, provided that you place a copy of this License in the extracted document and follow this License in all other respects relating to verbatim copying of this document.

A collection of the Document or its derivatives with other separate and independent documents or works, on any storage or distribution media, is called a "compilation" if the copyright resulting from the compilation is not used to infringe legal rights. of the users of the collection. in addition to the individual work permit. When the Document is included in a compilation, this License does not apply to the other works in the compilation that are not themselves derivative works of the Document.

If the cover text requirement of Section 3 applies to those copies of the Document, then if the Document constitutes less than one half of the set, the Document title pages may be placed on title pages that enclose the Document as a whole, or on the electronic equivalent of folders if the Document is in electronic format. Otherwise, they must appear on the printed covers that enclose the set.

Translation is considered a type of modification, so you may distribute translations of the Document under the terms of Section 4. Replacing Invariant Sections with translations requires special permission from the copyright holders, but you may add translations of some or all Invariant Sections plus the original versions of these sections without changes. You may include a translation of this License and any license notices in the Document and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of such notices and disclaimers. In the event of a conflict between the translation and the original version of this License or any notice or disclaimer, the original version shall control.

If a section of the document is titled Acknowledgments, Acknowledgments, or Background, the requirement (section 4) to retain the title (section 1) generally requires that the actual title be changed.

You may not copy, modify, sublicense, or distribute the Document except as expressly provided in this License. Any other attempt to copy, modify, incorporate or distribute the Document is void and will automatically terminate your rights under this License. However, the license of the parties that have received copies or rights from you under this License will not be terminated, as long as those parties continue to comply in full.

The Free Software Foundation may periodically publish new and revised versions of the GNU Free Documentation License. Such new releases will be similar in spirit to the current release, but may differ in detail to address new issues or concerns. See http://www.gnu.org/copyleft/.

Each edition of the License is assigned a distinctive edition number. If the Document specifies that a particular numbered version of this License "or any later version" applies, you may choose to follow the terms of that specified version or any later version published (not as a draft) by the FreeSoftware Foundation. If the Document does not specify the version number of this License, you may select any version published (not as a draft) by the Free Software Foundation.

To use this License in a document that you authored, include a copy of the License with the document and place the following copyright and license notices immediately after the title page:

Copyright (c) YEAR YOUR NAME. Permission to copy, distribute, and/or modify this document is granted under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. without fixed sections, without texts on the front cover and without texts on the back cover. A copy of the license is included in the section titled "GNU Free Documentation License".

If you haven't changed the sections, front cover texts, and back cover texts, replace "with... texts". rule with him:

where the invariant sections are LIST THEIR HEADINGS, where the Front Cover Texts are LIST, and where the Back Cover Texts are LIST.

(Video) IEEE 802.1X | Understanding 802.1X Authentication | What is IEEE 802.1X and How does 802.1X work?

If you have immutable sections without cover texts or some other combination of the three, merge these two alternatives to suit the situation.

If your document contains non-trivial code samples, we recommend that you publish those samples together with a free software license of your choice, such as the GNU General Public License, to enable their use in free software.