No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Understanding 802.1x Authentication

Understanding 802.1x Authentication


Enterprise networks are facing increasing security risks, such as viruses, Trojan horses, spyware, and malicious network attacks. Traditional enterprise network designs consider the intranet secure and assume that all threats come from external networks. However, researches show that 80% of the network security loopholes occur on the intranet. The internal security loopholes affect the network seriously and may even cause system and network crash. In addition, malicious software such as spyware and Trojan horses can be downloaded to computers without being noticed when intranet users are browsing websites. The software may be spread on the entire intranet, which severely threats the network security.

Therefore, traditional security measures cannot cope with increasing security challenges. An active security model must be used to prevent security threats on terminals, improving information security of the entire enterprise.

The network access control solution integrates terminal security with access control and takes the check, isolation, hardening, and audit measures to improve the proactive protection capability of terminals. This solution ensures security of each terminal and the entire enterprise network. 802.1x authentication is an important access control method in the Network Admission Control (NAC) solution.

802.1x authentication is an interface-based network access control method. It controls user access to network resources by authenticating the users on access interfaces.

As shown in Figure 2-1, an 802.1x authentication system uses a standard client/server model, which consists of three components: client, access control device, and authentication server.

  • Client: an entity on one end of a Local Area Network (LAN) link, which is authenticated by the device at the other end of the link. The client is usually a user terminal that supports 802.1x authentication. The user initiates 802.1x authentication by starting the client software.
  • Access control device: an entity that authenticates the client at the other end of the LAN link. It is usually a network access device that supports the 802.1x protocol. The device provides an interface to allow the client to access the LAN.
  • Authentication server: an entity that provides the authentication service for the client. The authentication server, usually a RADIUS server, carries out authentication, authorization, and accounting.
Figure 2-1 802.1x authentication system
The Extensible Authentication Protocol Over LAN (EAPoL) protocol, defined in IEEE 802.1x, runs between the device and client.
  • When the device works in relay mode, Extensible Authentication Protocol (EAP) runs between the device and authentication server. Authentication data is encapsulated in EAP frames, which are transmitted in packets of an upper layer protocol (such as RADIUS) to reach the authentication server over a complex network.
  • When the device works in termination mode, it terminates EAPoL messages, converts them to messages of another authentication protocol (such as RADIUS), and transmits user authentication information to the authentication server.

Each physical interface is logically categorized as a controlled interface or uncontrolled interface. An uncontrolled interface is always opened and can receive EAPoL frames sent from the client at any time. A controlled interface is opened only when authentication succeeds, and is used to transmit network resources and services.

Authentication Mode

802.1x supports port-based authentication and MAC-based authentication.

  • Port-based authentication: Allows subsequent users on a port to access the LAN once a user has been authenticated on the port. After the last user on the port goes offline, the port automatically becomes unauthorized.
  • MAC-based authentication: Requires all users on a port to be authenticated before granting them access to the LAN.

Port Control Method

802.1x supports the following port control methods:

  • Automatic identification: A port, initially in the unauthorized state, transmits only EAPoL packets and blocks user access to network resources. After a user is authenticated, the port switches to the authorized state and allows the user to access network resources.
  • Forcible authorization: A port remains in the authorized state and allows users to access network resources without authentication or authorization.
  • Forcible unauthorization: A port remains in the unauthorized state and always blocks user access to network resources.

Authentication Triggering Mode

802.1x authentication can be initiated by either the client or device. The device supports the following authentication triggering modes:

  • Client trigger: The client sends an EAPOL-Start packet to the device to initiate authentication.
  • Device trigger: This mode is used when the client cannot send an EAPOL-Start packet.
    • Multicast trigger: When a client such as Windows XP SP2 that is incapable of sending EAPOL-Start packets resumes from sleep state, the device actively sends multicast packets to trigger authentication for the client.
    • Unicast trigger: When a client connected to a device cannot have the specified client software quickly installed, the device sends a unicast packet to the client for user authentication.

In the device multicast trigger mode, a port on the device can connect to only one 802.1x client and send untagged multicast packets.

Authentication Modes

The 802.1x authentication system uses the EAP for authentication information exchange among the client, device, and authentication server. The EAP packet exchange among the entities is described as follows:
  1. The EAP packets transmitted between the client and device are encapsulated in EAPoL format, and are directly carried in the LAN.
  2. The device and authentication server (for example, a RADIUS server) exchange EAP packets in two modes described in Table 2-1.
    Table 2-1 802.1x authentication modes

    Authentication Mode




    EAP relay authentication

    This mode is also called EAP transparent transmission authentication. The network access device directly encapsulates authentication information about 802.1x users and EAP packets to the attribute fields in RADIUS packets and sends them to the RADIUS server.

    It supports the following authentication modes:
    • MD5-Challenge: This authentication mode is used in packet transmission between an Xsupplicant client running the Linux operating system and a FreeRadius server. EAP-MD5 authentication mode is simple.
    • EAP-TLS: For example, this mode can be used in packet transmission between a client running Symantec Endpoint and a RADIUS server running Symantec Enforcer 6100. EAP-TLS authentication mode is secure.
    • EAP-PEAP: For example, this mode can be used in packet transmission between a client running Windows XP and a RADIUS server running Windows Server 2003. EAP-PEAP authentication mode is secure.

    CE series switches do not support other relay authentication modes.

    The RADIUS server must support this authentication mode.

    EAP termination authentication

    The network access device terminates users' EAP packets, parses user names and passwords, and encrypts the passwords. The device then converts the EAP packets to standard RADIUS packets and sends them to the RADIUS server for authentication.

    The RADIUS server does not need to support EAP authentication, which reduces the burden of the server.

    The processing procedure on the device is complex.

Authentication Process

Figure 2-2 shows the 802.1x authentication process in EAP relay mode.

Figure 2-2 Service process in EAP relay mode

The EAP relay authentication process is described as follows:

  1. When a user needs to access an external network, the user starts the 802.1x client program, enters the applied and registered user name and password, and initiates a connection request. The client then sends an authentication request frame (EAPOL-Start) to the device to start the authentication process.

  2. After receiving the authentication request frame, the device returns an identity request frame (EAP-Request/Identity), requesting the client to send the previously entered user name.

  3. In response to the request sent by the device, the client sends an identity response frame (EAP-Response/Identity) containing the user name to the device.

  4. The device encapsulates the EAP packet in the response frame sent by the client into a RADIUS packet (RADIUS Access-Request) and sends the RADIUS packet to the authentication server for processing.

  5. After receiving the user name forwarded by the device, the RADIUS server searches the user name table in the database for the corresponding password, encrypts the password with a randomly generated MD5 challenge value, and sends the MD5 challenge value in a RADIUS Access-Challenge packet to the device.

  6. The device forwards the MD5 challenge value sent by the RADIUS server to the client.

  7. After receiving the MD5 challenge value from the device, the client encrypts the password with the MD5 challenge value, generates an EAP-Response/MD5-Challenge packet, and sends the packet to the device.

  8. The device encapsulates the EAP-Response/MD5-Challenge packet into a RADIUS packet (RADIUS Access-Request) and sends the RADIUS packet to the RADIUS server.
  9. The RADIUS server compares the received encrypted password and the locally encrypted password. If the two passwords match, the user is considered authorized and the RADIUS server sends a packet indicating successful authentication (RADIUS Access-Accept) to the device.
  10. After receiving the RADIUS Access-Accept packet, the device sends a frame indicating successful authentication (EAP-Success) to the client, changes the interface state to Authorized, and allows the user to access the network using the interface.
  11. When the user is online, the device periodically sends a handshake packet to the client to monitor the online user.
  12. After receiving the handshake packet, the client sends a response packet to the device, indicating that the user is still online. By default, the device disconnects the user if it receives no response from the client after sending two handshake packets. The handshake mechanism allows the server to detect unexpected user disconnections.
  13. If the user wants to go offline, the client sends an EAPOL-Logoff frame to the device.
  14. The device changes the interface state from Authorized to Unauthorized and sends an EAP-Failure packet to the client.

Figure 2-3 shows the 802.1x authentication process in EAP relay mode.

Figure 2-3 Service process in EAP termination mode

Compared with the EAP relay mode, in EAP termination mode, the device randomly generates an MD5 challenge value for encrypting the user password in Step 4, and sends the user name, the MD5 challenge value, and the password encrypted on the client to the RADIUS server for authentication.

Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 18635

Downloads: 63

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next