Understanding 802.1x Authentication
Overview
Enterprise networks face increasing security risks, such as viruses, Trojan horses, spyware, and malicious network attacks. Traditional enterprise network designs treat the intranet as secure and assume that all threats come from external networks. However, research shows that 80% of network security loopholes occur on the intranet. Internal security loopholes seriously affect the network and may even crash systems and the network. In addition, malicious software such as spyware and Trojan horses can be downloaded to computers unnoticed while intranet users browse websites. Such software may then spread across the entire intranet, severely threatening network security.
Traditional security measures therefore cannot cope with these growing security challenges. A proactive security model is required to block threats at the terminals and thereby improve information security across the entire enterprise.
The network access control solution integrates terminal security with access control and applies check, isolation, hardening, and audit measures to improve the proactive protection capability of terminals. This solution ensures the security of each terminal and of the entire enterprise network. 802.1x authentication is an important access control method in the Network Admission Control (NAC) solution.
802.1x authentication is an interface-based network access control method. It controls user access to network resources by authenticating the users on access interfaces.
As shown in Figure 2-1, an 802.1x authentication system uses a standard client/server model, which consists of three components: client, access control device, and authentication server.
- Client: an entity on one end of a Local Area Network (LAN) link, which is authenticated by the device at the other end of the link. The client is usually a user terminal that supports 802.1x authentication. The user initiates 802.1x authentication by starting the client software.
- Access control device: an entity that authenticates the client at the other end of the LAN link. It is usually a network access device that supports the 802.1x protocol. The device provides an interface to allow the client to access the LAN.
- Authentication server: an entity that provides the authentication service for the client. The authentication server, usually a RADIUS server, carries out authentication, authorization, and accounting.
- When the device works in relay mode, Extensible Authentication Protocol (EAP) runs between the device and authentication server. Authentication data is encapsulated in EAP frames, which are transmitted in packets of an upper layer protocol (such as RADIUS) to reach the authentication server over a complex network.
- When the device works in termination mode, it terminates EAPoL messages, converts them to messages of another authentication protocol (such as RADIUS), and transmits user authentication information to the authentication server.
Each physical interface is logically divided into a controlled interface and an uncontrolled interface. The uncontrolled interface is always open and can receive EAPoL frames from the client at any time. The controlled interface is opened only after authentication succeeds, and it carries the user's access to network resources and services.
Authentication Mode
802.1x supports port-based authentication and MAC-based authentication.
- Port-based authentication: Allows subsequent users on a port to access the LAN once a user has been authenticated on the port. After the last user on the port goes offline, the port automatically becomes unauthorized.
- MAC-based authentication: Requires all users on a port to be authenticated before granting them access to the LAN.
Port Control Method
802.1x supports the following port control methods:
- Automatic identification: A port, initially in the unauthorized state, transmits only EAPoL packets and blocks user access to network resources. After a user is authenticated, the port switches to the authorized state and allows the user to access network resources.
- Forcible authorization: A port remains in the authorized state and allows users to access network resources without authentication or authorization.
- Forcible unauthorization: A port remains in the unauthorized state and always blocks user access to network resources.
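As an added illustration (not the switch's own implementation), the following hypothetical Python model ties the three port control methods to the two authentication modes and to the controlled/uncontrolled interface pair described above. The class and method names are assumptions for the example; the behaviour follows the text: EAPoL always passes through the uncontrolled interface, a port-based port opens for every MAC once one user is authenticated and closes again when the last authenticated user leaves, and a MAC-based port only forwards traffic from MACs that authenticated themselves.

```python
from enum import Enum


class Control(Enum):
    """Port control methods (hypothetical model, not the device's code)."""
    AUTO = "auto"                              # authorize only after a successful authentication
    FORCE_AUTHORIZED = "force-authorized"      # always authorized, no authentication needed
    FORCE_UNAUTHORIZED = "force-unauthorized"  # always unauthorized, user traffic always blocked


class Mode(Enum):
    """Authentication modes: who has to authenticate on a port."""
    PORT_BASED = "port"  # one authenticated user opens the port for everyone behind it
    MAC_BASED = "mac"    # every MAC address must pass authentication on its own


class AccessPort:
    """One physical interface with its uncontrolled (EAPoL) and controlled (data) sides."""

    def __init__(self, control=Control.AUTO, mode=Mode.PORT_BASED):
        self.control = control
        self.mode = mode
        self.authenticated = set()  # MAC addresses that have passed authentication

    def user_authenticated(self, mac):
        """Called when the authentication server accepted the user at this MAC."""
        self.authenticated.add(mac.lower())

    def user_offline(self, mac):
        """Called on EAPOL-Logoff or when handshakes go unanswered."""
        self.authenticated.discard(mac.lower())

    def authorized(self):
        """State of the controlled interface as a whole."""
        if self.control is Control.FORCE_AUTHORIZED:
            return True
        if self.control is Control.FORCE_UNAUTHORIZED:
            return False
        return bool(self.authenticated)

    def accepts(self, mac, eapol=False):
        """Return True if a frame from `mac` gets through this port.

        EAPoL frames use the uncontrolled interface and always reach the device;
        all other traffic uses the controlled interface and depends on authorization.
        """
        if eapol:
            return True
        if self.control is Control.FORCE_AUTHORIZED:
            return True
        if self.control is Control.FORCE_UNAUTHORIZED or not self.authenticated:
            return False
        if self.mode is Mode.PORT_BASED:
            return True                           # port is open: subsequent users ride along
        return mac.lower() in self.authenticated  # MAC-based: only the authenticated MAC


def walkthrough():
    """Drive a port-based and a MAC-based port through the same events (constructed MACs)."""
    user, neighbour = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    results = {}
    for mode in Mode:
        port = AccessPort(Control.AUTO, mode)
        before = port.accepts(neighbour)   # nobody authenticated yet
        port.user_authenticated(user)
        during = port.accepts(neighbour)   # does the neighbour ride along?
        port.user_offline(user)
        after = port.accepts(neighbour)    # last user gone: port-based port closes again
        results[mode.value] = (before, during, after)
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The `walkthrough()` result makes the security difference concrete: in port-based mode the unauthenticated neighbour is forwarded as soon as someone else on the port authenticates, which is exactly why that mode is only appropriate where a single trusted host sits behind the port.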
Authentication Triggering Mode
802.1x authentication can be initiated by either the client or the device. The device supports the following authentication triggering modes:
- Client trigger: The client sends an EAPOL-Start packet to the device to initiate authentication.
- Device trigger: This mode is used when the client cannot send an EAPOL-Start packet.
  - Multicast trigger: When a client that cannot send EAPOL-Start packets (such as Windows XP SP2) resumes from the sleep state, the device actively sends multicast packets to trigger authentication for the client.
  - Unicast trigger: When the specified client software cannot be installed promptly on a client connected to the device, the device sends a unicast packet to that client to trigger user authentication.
In multicast trigger mode, a port on the device can connect to only one 802.1x client, and the device sends the trigger as untagged multicast packets.
Authentication Modes
- The EAP packets exchanged between the client and the device are encapsulated in EAPoL format and carried directly over the LAN.
- The device and the authentication server (for example, a RADIUS server) exchange EAP packets in one of the two modes described in Table 2-1.
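To make the EAPoL encapsulation on the client-device link concrete, here is an added Python builder and parser for EAPoL frames and the EAP packets they carry. It is example code written for this page, not the switch's or any client's implementation; the constants are the standard IEEE 802.1X and RFC 3748 values, and the client MAC and user name in the sample frames are constructed. The parser checks every length field before using it, which is the check an access device must perform on frames arriving through the always-open uncontrolled interface.

```python
import struct

# Standard IEEE 802.1X / RFC 3748 values (well known, not taken from the page).
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # destination MAC clients use for EAPoL
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def build_frame(src_mac, eapol_type, body=b"", version=1):
    """Ethernet header + EAPOL header: Version(1) Type(1) Length(2) Body."""
    return (PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, eapol_type, len(body)) + body)


def parse_eap(pkt):
    """Decode one EAP packet, validating every length before trusting it."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": identifier}
    if code in (1, 2):  # Request / Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without Type")
        eap_type, data = pkt[4], pkt[5:length]
        eap["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:
            eap["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 4:  # MD5-Challenge: Value-Size(1) Value(n) Name
            if not data or len(data) < 1 + data[0]:
                raise ValueError("MD5-Challenge Value-Size exceeds data")
            size = data[0]
            eap["value"] = data[1:1 + size].hex()
            eap["name"] = data[1 + size:].decode("utf-8", "replace")
    return eap


def parse_frame(frame):
    """Decode an Ethernet frame carrying EAPoL; raise ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL: ethertype 0x{ethertype:04x}")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL Length exceeds frame")
    out = {"src": frame[6:12].hex(":"), "version": version,
           "eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0:
        out["eap"] = parse_eap(body)
    return out


# Constructed sample frames from a hypothetical client 00:11:22:33:44:55 / user "alice".
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = {
    "start": build_frame(CLIENT_MAC, 1),
    "identity": build_frame(CLIENT_MAC, 0, build_eap(2, 1, 1, b"alice")),
    "md5": build_frame(CLIENT_MAC, 0, build_eap(2, 2, 4, bytes([16]) + bytes(range(16)) + b"alice")),
    "logoff": build_frame(CLIENT_MAC, 2),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, parse_frame(frame))
```

Note that EAPOL-Start and EAPOL-Logoff are unauthenticated frames with an empty body: anything on the segment can emit them, which is why the handshake and logoff handling in the authentication process below matters for session accounting.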
Table 2-1 802.1x authentication modes

EAP relay authentication
- Definition: This mode is also called EAP transparent transmission authentication. The network access device directly encapsulates the authentication information of 802.1x users and the EAP packets into attribute fields of RADIUS packets and sends them to the RADIUS server.
- Advantage: It supports the following authentication modes:
  - MD5-Challenge: This mode is used, for example, in packet transmission between an Xsupplicant client running the Linux operating system and a FreeRADIUS server. EAP-MD5 authentication mode is simple.
  - EAP-TLS: This mode can be used, for example, in packet transmission between a client running Symantec Endpoint and a RADIUS server running Symantec Enforcer 6100. EAP-TLS authentication mode is secure.
  - EAP-PEAP: This mode can be used, for example, in packet transmission between a client running Windows XP and a RADIUS server running Windows Server 2003. EAP-PEAP authentication mode is secure.
  NOTE: CE series switches do not support other relay authentication modes.
- Disadvantage: The RADIUS server must support this authentication mode.

EAP termination authentication
- Definition: The network access device terminates users' EAP packets, parses user names and passwords, and encrypts the passwords. The device then converts the EAP packets into standard RADIUS packets and sends them to the RADIUS server for authentication.
- Advantage: The RADIUS server does not need to support EAP authentication, which reduces the load on the server.
- Disadvantage: The processing procedure on the device is complex.
Authentication Process
Figure 2-2 shows the 802.1x authentication process in EAP relay mode.
The EAP relay authentication process is as follows:
1. When a user needs to access an external network, the user starts the 802.1x client program, enters the registered user name and password, and initiates a connection request. The client then sends an authentication request frame (EAPOL-Start) to the device to start the authentication process.
2. After receiving the authentication request frame, the device returns an identity request frame (EAP-Request/Identity), asking the client to send the user name entered earlier.
3. In response to the device's request, the client sends an identity response frame (EAP-Response/Identity) containing the user name to the device.
4. The device encapsulates the EAP packet from the client's response frame into a RADIUS packet (RADIUS Access-Request) and sends it to the authentication server for processing.
5. After receiving the user name forwarded by the device, the RADIUS server searches the user name table in its database for the corresponding password, encrypts the password with a randomly generated MD5 challenge value, and sends the MD5 challenge value to the device in a RADIUS Access-Challenge packet.
6. The device forwards the MD5 challenge value from the RADIUS server to the client.
7. After receiving the MD5 challenge value from the device, the client encrypts the password with it, generates an EAP-Response/MD5-Challenge packet, and sends the packet to the device.
8. The device encapsulates the EAP-Response/MD5-Challenge packet into a RADIUS packet (RADIUS Access-Request) and sends it to the RADIUS server.
9. The RADIUS server compares the received encrypted password with the locally encrypted password. If the two match, the user is considered authorized and the RADIUS server sends a packet indicating successful authentication (RADIUS Access-Accept) to the device.
10. After receiving the RADIUS Access-Accept packet, the device sends a frame indicating successful authentication (EAP-Success) to the client, changes the interface state to Authorized, and allows the user to access the network through the interface.
11. While the user is online, the device periodically sends a handshake packet to the client to monitor the online user.
12. After receiving the handshake packet, the client sends a response packet to the device, indicating that the user is still online. By default, the device disconnects the user if it receives no response from the client after sending two handshake packets. The handshake mechanism allows the server to detect unexpected user disconnections.
13. When the user wants to go offline, the client sends an EAPOL-Logoff frame to the device.
14. The device changes the interface state from Authorized to Unauthorized and sends an EAP-Failure packet to the client.
Figure 2-3 shows the 802.1x authentication process in EAP termination mode.
Compared with EAP relay mode, in EAP termination mode the device itself randomly generates the MD5 challenge value used to encrypt the user password in Step 4, and then sends the user name, the MD5 challenge value, and the password encrypted on the client to the RADIUS server for authentication.
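The following added Python model walks the MD5-Challenge exchange through both the EAP relay process above and the EAP termination variant just described, so the two can be compared side by side. It is example code for this page, not the device's or any RADIUS server's implementation. The response computation is the MD5-Challenge method of RFC 3748 (MD5 over identifier, password and challenge); the RADIUS attribute names follow the standard ones (EAP-Message for relay, CHAP-Challenge and CHAP-Password for termination), but the messages are plain dictionaries rather than wire-format RADIUS packets, and the user table is constructed.

```python
import hashlib
import hmac
import os

# Constructed user name table held by the RADIUS server (hypothetical data).
USER_DB = {"alice": b"correct horse"}


def md5_challenge_response(identifier, password, challenge):
    """RFC 3748 section 5.4: Response Value = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Client:
    """802.1x client: it only ever sees the challenge and never sends the password itself."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def md5_response(self, identifier, challenge):
        return md5_challenge_response(identifier, self.password, challenge)


class RadiusServer:
    """RADIUS server accepting both EAP-Message (relay) and CHAP (termination) requests."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # user name -> (identifier, challenge) awaiting a response

    def _verify(self, user, identifier, challenge, value):
        if user not in self.users:
            return {"code": "Access-Reject"}
        expected = md5_challenge_response(identifier, self.users[user], challenge)
        ok = hmac.compare_digest(expected, value)  # constant-time comparison of the two hashes
        return {"code": "Access-Accept" if ok else "Access-Reject"}

    def access_request(self, attrs):
        user = attrs["User-Name"]
        if "EAP-Message" in attrs:  # relay mode: the server runs the EAP method itself
            eap = attrs["EAP-Message"]
            if eap["type"] == "Identity":
                identifier, challenge = 1, os.urandom(16)  # server picks the challenge
                self.pending[user] = (identifier, challenge)
                return {"code": "Access-Challenge",
                        "EAP-Message": {"code": "Request", "id": identifier,
                                        "type": "MD5-Challenge", "value": challenge}}
            if eap["type"] == "MD5-Challenge" and user in self.pending:
                identifier, challenge = self.pending.pop(user)
                if eap["id"] != identifier:
                    return {"code": "Access-Reject"}
                return self._verify(user, identifier, challenge, eap["value"])
            return {"code": "Access-Reject"}
        if "CHAP-Password" in attrs:  # termination mode: the device already ran the method
            chap = attrs["CHAP-Password"]  # CHAP identifier byte followed by the response
            return self._verify(user, chap[0], attrs["CHAP-Challenge"], chap[1:])
        return {"code": "Access-Reject"}


class Device:
    """Access control device in either 'relay' or 'termination' mode."""

    def __init__(self, server, mode):
        self.server, self.mode, self.authorized = server, mode, False

    def authenticate(self, client):
        # EAPOL-Start, EAP-Request/Identity and EAP-Response/Identity have already happened;
        # the device now holds the user name from the identity response.
        name = client.username
        if self.mode == "relay":
            # Identity goes to the server inside RADIUS; the server's challenge is relayed back.
            reply = self.server.access_request({"User-Name": name, "EAP-Message": {
                "code": "Response", "id": 0, "type": "Identity", "identity": name}})
            if reply["code"] != "Access-Challenge":
                return False
            req = reply["EAP-Message"]
            value = client.md5_response(req["id"], req["value"])
            # EAP-Response/MD5-Challenge is relayed unchanged; the server compares the hashes.
            reply = self.server.access_request({"User-Name": name, "EAP-Message": {
                "code": "Response", "id": req["id"], "type": "MD5-Challenge", "value": value}})
        else:
            # Termination: the device generates the challenge itself and converts the client's
            # EAP-Response/MD5-Challenge into CHAP-Challenge/CHAP-Password RADIUS attributes.
            identifier, challenge = 1, os.urandom(16)
            value = client.md5_response(identifier, challenge)
            reply = self.server.access_request({"User-Name": name, "CHAP-Challenge": challenge,
                                                "CHAP-Password": bytes([identifier]) + value})
        # Access-Accept -> EAP-Success and interface Authorized; anything else -> EAP-Failure.
        self.authorized = reply["code"] == "Access-Accept"
        return self.authorized


if __name__ == "__main__":
    for mode in ("relay", "termination"):
        ok = Device(RadiusServer(USER_DB), mode).authenticate(Client("alice", b"correct horse"))
        print(mode, "->", "EAP-Success" if ok else "EAP-Failure")
```

Two points the model makes visible: in relay mode the server both generates and verifies the challenge, so it must understand EAP, whereas in termination mode the server only sees CHAP attributes, which is why Table 2-1 lists server support as the relay disadvantage. It also shows why the table calls MD5-Challenge merely "simple": the client never authenticates the server, and nothing in the exchange derives keying material, which is what the TLS-based methods add.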