Authentication Process Of 802.1X - 3Com MSR 50 Series Configuration Manual

1734 C 92: 802.1
HAPTER X
Authentication Process
of 802.1x
C
ONFIGURATION
Message-Authenticator
Figure 504 shows the encapsulation format of the Message-Authenticator
attribute. The Message-Authenticator attribute is used to prevent access requests
from being snooped during EAP or CHAP authentication. It must be included in
any packet with the EAP-Message attribute; otherwise, the packet will be
considered invalid and get discarded.
Figure 504 Encapsulation format of the Message-Authenticator attribute
0
Type
802.1x authentication can be initiated by either a supplicant or the authenticator
system. A supplicant initiates authentication by launching the 802.1x client
software to send an EAPOL-Start frame to the authenticator system, while the
authenticator system sends an EAP-Request/Identity packet to an unauthenticated
supplicant when detecting that the user is trying to login.
An 802.1x authenticator system communicates with a remotely located RADIUS
server in two modes: EAP relay and EAP termination. The following description
takes the first case as an example to show the 802.1x authentication process.
EAP relay
EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried
in an upper layer protocol, such as RADIUS, so that they can go through complex
networks and reach the authentication server. Generally, EAP relay requires that
the RADIUS server support the EAP attributes of EAP-Message and
Message-Authenticator.
At present, the EAP relay mode supports four authentication methods: EAP-MD5,
EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security),
and PEAP (Protected Extensible Authentication Protocol).
EAP-MD5: EAP-MD5 authenticates the identity of a supplicant. The RADIUS
■
server sends an MD5 challenge (through an EAP-Request/MD5 Challenge
packet) to the supplicant. Then the supplicant encrypts the password with the
offered challenge.
EAP-TLS: With EAP-TLS, a supplicant and the RADIUS server verify each other's
■
security certificates and identities, guaranteeing that EAP packets are sent to
the intended destination and thus preventing network traffic from being
snooped.
EAP-TTLS: EAP-TTLS extends EAP-TLS. EAP-TLS allows for mutual
■
authentication between a supplicant and the authentication server. EAP-TTLS
extends this implementation by transferring packets through the secure tunnels
set up by TLS.
PEAP: With PEAP, the RADIUS server sets up TLS tunnels with a supplicant
■
system for integrity protection and then performs a new round of EAP
negotiation with the supplicant system for identity authentication.
Figure 505 shows the message exchange procedure with EAP-MD5.
1 2
Length
18 bytes
String