No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
802.1X Authentication

802.1X Authentication


To resolve wireless local area network (LAN) security issues, the Institute of Electrical and Electronics Engineers (IEEE) 802 LAN/wide area network (WAN) committee developed the 802.1X protocol. Later, the 802.1X protocol was widely applied as a common access control mechanism on LAN interfaces for authentication and security on Ethernet networks.

The 802.1X protocol is an interface-based network access control protocol. It controls users' access to network resources by authenticating the users on access interfaces.

As shown in Figure 4-3, an 802.1X system uses a standard client/server architecture with three components: client, access device, and authentication server.

Figure 4-3  Diagram of the 802.1X authentication system
  • Client: an entity on the LAN segment, which is authenticated by the access device on the same LAN segment. The client is usually a user terminal. The user triggers 802.1X authentication using client software. The client must support Extensible Authentication Protocol over LAN (EAPoL).
  • Access device: an entity on the LAN segment, which authenticates the connected client. The access device is usually a network device that supports the 802.1X protocol. The device provides an interface for the client to access the LAN.
  • Authentication server: an entity that provides the authentication service for the access device. The authentication server, which is usually a RADIUS server, carries out authentication, authorization, and accounting on users.

Authentication Triggering Modes

802.1X authentication can be initiated by either the client or access device. The device supports the following authentication triggering modes:
  1. Triggered by the client: A user starts the client and enters the user name and password. The client then sends an EAP packet to the access device to trigger authentication.
  2. Triggered by the access device: When receiving a DHCP/ARP packet from a user terminal, the access device proactively enables the user terminal to display the client page and prompt the user to enter the user name and password. After the user name and password are entered, the authentication is started.

Authentication Modes

In an 802.1X authentication system, the client, access device, and authentication server exchange authentication information using the Extensible Authentication Protocol (EAP). The EAP packet exchange process is described as follows:
  1. The EAP packets transmitted between the client and access device are encapsulated in EAPoL format and transmitted across the LAN.
  2. The access device and authentication server (for example, a RADIUS server) exchange EAP packets in the following modes:
    • EAP relay: The access device relays EAP packets. The device encapsulates EAP packets in EAP over RADIUS (EAPoR) format and sends the packets to the RADIUS server for authentication. This authentication mode simplifies device processing and supports various EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. However, the RADIUS server is required to support corresponding authentication methods.
    • EAP termination: The access device terminates EAP packets. The device encapsulates client authentication information into standard RADIUS packets, which are then authenticated by the server using the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). This authentication mode is applicable since mainstream RADIUS servers support PAP and CHAP authentication and server update is unnecessary. However, device processing is complex, and the device supports only the MD5-Challenge EAP authentication method.

The device supports the following EAP protocols: EAP-TLS, EAP-TTLS, EAP-PAP, EAP-CHAP (EAP-MD5), and EAP-PEAP.

Authentication Process

Figure 4-4 shows the 802.1X authentication process in EAP relay mode.

Figure 4-4  Service process in EAP relay mode
  1. Before authentication, a pre-connection is established between the client and device.

  2. When a user needs to access an external network, the user starts the 802.1X client program, enters the applied and registered user name and password, and initiates a connection request. At this time, the client sends an authentication request packet to the device to start the authentication process.

  3. After receiving the authentication request packet, the device sends a user name request packet, requesting the client to send the previously entered user name.

  4. In response to the request sent by the device, the client sends the user name to the device.

  5. The device sends the user name to the authentication server for processing.

  6. After receiving the user name forwarded by the device, the authentication server verifies the user password.

    1. The authentication server uses the user name to search the user name list in the database to find the corresponding user password.
    2. The authentication server encrypts the password with a randomly generated MD5 challenge, and sends the MD5 challenge to the client through the access device.
    3. After receiving the MD5 challenge from the device, the client encrypts the password with the MD5 challenge and sends the encrypted password to the authentication server through the access device.
    4. The authentication server compares the encrypted password received and the locally encrypted password. If the two passwords are the same, the user is considered authorized; if they are different, the user is considered unauthorized.
  7. After the password verification succeeds, the authentication server sends an authentication success packet to the access device.

  8. After receiving the authentication success packet, the device sends a packet indicating that the authentication is successful to the client, changes the interface status to authorized, and allows the user to access the network through the interface.

  9. If the user wants to go offline, the client sends a logoff packet to the device.

  10. The access device changes the interface status from authorized to unauthorized. It sends an authentication failure packet to the client and concurrently deletes the user login information.

Steps 5 and 6 are different in the authentication processes in EAP termination and relay modes. In EAP termination mode, when sending the user name from the client to the authentication server, the access device randomly generates an MD5 challenge to the client. (In this mode, the MD5 challenge is not generated by the authentication server.) The access device then sends the user name, MD5 challenge, and encrypted password to the authentication server for processing.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 119458

Downloads: 55

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next