02-802.1X configuration
Contents
Controlled/uncontrolled port and port authorization status
802.1X authentication initiation
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures
Comparing EAP relay and EAP termination
Using 802.1X authentication with other features
Command and hardware compatibility
802.1X configuration task list
Enabling EAP relay or EAP termination
Setting the maximum number of authentication request attempts
Setting the 802.1X authentication timeout timers
Specifying supported domain name delimiters
Configuring the EAD assistant feature
Displaying and maintaining 802.1X
EAD assistant for Web browser users
802.1X overview
802.1X is a port-based network access control protocol initially proposed for securing WLANs. The protocol has also been widely used on Ethernet networks for access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
802.1X architecture
802.1X operates in the client/server model. As shown in Figure 1, 802.1X authentication includes the following entities:
· Client (supplicant)—A user terminal seeking access to the LAN. The terminal must have 802.1X software to authenticate to the access device.
· Access device (authenticator)—Authenticates the client to control access to the LAN. In a typical 802.1X environment, the access device uses an authentication server to perform authentication.
· Authentication server—Provides authentication services for the access device. The authentication server first authenticates 802.1X clients by using the data sent from the access device. Then, the server returns the authentication results to the access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can use the access device as the authentication server.
Controlled/uncontrolled port and port authorization status
802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports.
· Uncontrolled port—Is always open to receive and transmit authentication packets.
· Controlled port—Filters packets depending on the port state.
¡ Authorized state—The controlled port is in authorized state when the client has passed authentication. The port allows traffic to pass through.
¡ Unauthorized state—The controlled port is in unauthorized state until a client passes authentication, including when no client has attempted authentication or a client has failed authentication. The port controls traffic by using one of the following methods:
- Performs bidirectional traffic control to deny traffic to and from the client.
- Performs unidirectional traffic control to deny traffic from the client. The H3C devices support only unidirectional traffic control.
Figure 2 Authorization state of a controlled port
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the access device over a wired or wireless LAN. Between the access device and the authentication server, 802.1X delivers authentication information by using one of the following methods:
· Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in "EAP relay."
· Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets, as described in "EAP termination."
Packet formats
EAP packet format
Figure 3 shows the EAP packet format.
· Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
· Identifier—Used for matching Responses with Requests.
· Length—Length (in bytes) of the EAP packet. The EAP packet length is the sum of the Code, Identifier, Length, and Data fields.
· Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field.
EAPOL packet format
Figure 4 shows the EAPOL packet format.
· PAE Ethernet type—Protocol type. It takes the value 0x888E for EAPOL.
· Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
· Type—Type of the EAPOL packet. Table 1 lists the types of EAPOL packets supported by H3C implementation of 802.1X.
Table 1 Types of EAPOL packets
Value | Type | Description |
---|---|---|
0x00 | EAP-Packet | The client and the access device use EAP-Packets to transport authentication information. |
0x01 | EAPOL-Start | The client sends an EAPOL-Start message to initiate 802.1X authentication to the access device. |
0x02 | EAPOL-Logoff | The client sends an EAPOL-Logoff message to tell the access device that the client is logging off. |
· Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
· Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
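The following Python parser, added here as a worked example (it is not H3C code), applies the EAPOL and EAP layouts described above to constructed sample frames: an EAPOL-Start to the PAE group address, an EAP-Request/Identity, and an EAP-Response/Identity. The MAC addresses, EAP Identifier and username are made up. It enforces the two checks a receiver should make before trusting a frame from an unauthenticated client: an EAPOL-Start or EAPOL-Logoff must carry Length 0, and an EAP Length must not exceed the bytes actually present.

```python
"""Parse EAPOL frames (IEEE 802.1X) and the EAP packets they carry.

Added example for this page, not H3C code. Field layouts follow the text
above (EAPOL: version, type, length; EAP: code, identifier, length, data).
All sample frames, MAC addresses and usernames are constructed.
"""
import struct
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP packet: Code, Identifier, Length, optional Type + Type-Data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    # Length covers the whole EAP packet and must fit in what we received.
    if length < 4 or length > len(pkt):
        raise ValueError(f"bad EAP length {length} for {len(pkt)}-byte packet")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "identifier": identifier, "length": length}
    if code in (1, 2):
        # Only Request/Response carry a Data field (Type byte + Type-Data).
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        eap_type = pkt[4]
        eap["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        eap["type_data"] = pkt[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL; raise ValueError if malformed."""
    if len(frame) < 14 + 4:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    result = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
              "type": EAPOL_TYPES.get(eapol_type, f"unknown(0x{eapol_type:02x})"),
              "length": length}
    if eapol_type in (0x01, 0x02) and length != 0:
        # Start/Logoff carry no Packet body; a non-zero Length is malformed.
        raise ValueError(f"{result['type']} with non-zero length {length}")
    if eapol_type == 0x00:
        result["eap"] = parse_eap(body)
    return result


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Build an EAPOL frame (protocol version 1) so the parser can run offline."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, eapol_type, len(body)) + body


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Build an EAP packet; Success/Failure have no Data field."""
    payload = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
CLIENT_MAC = bytes.fromhex("001122334455")  # constructed
SWITCH_MAC = bytes.fromhex("00aabbccddee")  # constructed

# Constructed frames matching the exchange described in this section.
EAPOL_START = build_eapol(PAE_GROUP, CLIENT_MAC, 0x01)
REQ_IDENTITY = build_eapol(CLIENT_MAC, SWITCH_MAC, 0x00, build_eap(1, 7, 1))
RESP_IDENTITY = build_eapol(PAE_GROUP, CLIENT_MAC, 0x00, build_eap(2, 7, 1, b"alice@corp"))
```

A frame whose Length exceeds the bytes present, or an EAPOL-Start that carries a body, raises ValueError instead of being read past the buffer; an authenticator that does not make these checks is trusting a length field supplied by a client that has not yet authenticated.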
EAP over RADIUS
RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see "Configuring AAA."
EAP-Message
RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 5. The Type field takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS encapsulates it in multiple EAP-Message attributes.
Figure 5 EAP-Message attribute format
Message-Authenticator
As shown in Figure 6, RADIUS includes the Message-Authenticator attribute (Type 80) in all packets that have an EAP-Message attribute to protect their integrity. Its 16-byte value is an HMAC-MD5 computed over the entire RADIUS packet, keyed with the RADIUS shared secret, with the Message-Authenticator value itself set to zero during the computation. The receiver recomputes the HMAC and drops the packet if the result differs from the received value. Because a party without the shared secret cannot produce a valid HMAC, the Message-Authenticator prevents EAP authentication packets from being forged or tampered with between the access device and the server.
Figure 6 Message-Authenticator attribute format
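As an added example (not H3C code), the Python below builds a RADIUS Access-Request that carries a 600-byte EAP packet split across three EAP-Message attributes, computes the Message-Authenticator as HMAC-MD5 over the packet with the attribute value zeroed, and verifies it on the receiving side. The shared secret, identifier, Request Authenticator, username and EAP payload are constructed; a real Request Authenticator must be random, and responses (Access-Challenge, Access-Accept) compute the HMAC with the Request Authenticator in place of the Response Authenticator, which this example does not cover.

```python
"""EAP-Message fragmentation and Message-Authenticator (RFC 3579) for a
RADIUS Access-Request. Added example for this page, not H3C code. The
shared secret, identifiers, username and EAP payload are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253  # 255-byte attribute minus the Type and Length octets


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute (Type, Length, Value)."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_message_attrs(eap: bytes) -> bytes:
    """Split an EAP packet into as many EAP-Message attributes as needed."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap), MAX_ATTR_VALUE))


def build_access_request(identifier: int, request_auth: bytes, username: bytes,
                         eap: bytes, secret: bytes) -> bytes:
    """Build an Access-Request carrying EAP with a valid Message-Authenticator."""
    attrs = attr(ATTR_USER_NAME, username) + eap_message_attrs(eap)
    # Placeholder of 16 zero bytes: the HMAC is computed over the packet
    # with this attribute's value zeroed, then written into place.
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the placeholder is the last 16 bytes


def _split_attrs(pkt: bytes):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield pos, atype, pkt[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 with the attribute value zeroed and compare in
    constant time. Handles Access-Request only (see the lead-in)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code != ACCESS_REQUEST:
        return False
    for pos, atype, value in _split_attrs(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # RFC 3579: packets carrying EAP-Message MUST include it


def reassemble_eap(pkt: bytes) -> bytes:
    """Concatenate EAP-Message values in order to recover the EAP packet."""
    return b"".join(v for _, t, v in _split_attrs(pkt) if t == ATTR_EAP_MESSAGE)


def count_eap_message_attrs(pkt: bytes) -> int:
    return sum(1 for _, t, _ in _split_attrs(pkt) if t == ATTR_EAP_MESSAGE)
```

Rejecting an Access-Request that carries EAP-Message without Message-Authenticator, as verify_message_authenticator does, is what stops an on-path party from injecting or altering EAP packets; a server that accepts such packets is relying on nothing but the RADIUS shared-secret obfuscation of the Request Authenticator.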
802.1X authentication initiation
Both the 802.1X client and the access device can initiate 802.1X authentication.
802.1X client as the initiator
The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The destination MAC address of the packet is the IEEE 802.1X specified multicast address 01-80-C2-00-00-03 or the broadcast MAC address. EAPOL frames are link-local and travel only between the client and the access device. If an intermediate device on that link (for example, a hub or a switch that is not 802.1X-aware) does not forward frames sent to the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the iNode 802.1X client.
Access device as the initiator
Some 802.1X clients cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP. For such clients, configure the access device to initiate authentication.
The access device supports the following modes:
· Multicast trigger mode—The access device multicasts EAP-Request/Identity packets to initiate 802.1X authentication at the identity request interval.
· Unicast trigger mode—Upon receiving a frame from an unknown MAC address, the access device sends an EAP-Request/Identity packet out of the receiving port to the MAC address. The device retransmits the packet if no response has been received within the identity request timeout interval. This process continues until the maximum number of request attempts set by using the dot1x retry command is reached.
The username request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.
802.1X authentication procedures
802.1X authentication has two methods: EAP relay and EAP termination. You choose either mode depending on support of the RADIUS server for EAP packets and EAP authentication methods.
· EAP relay mode.
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 7.
In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the access device, you only need to use the dot1x authentication-method eap command to enable EAP relay.
· EAP termination mode.
As shown in Figure 8, the access device performs the following operations in EAP termination mode:
a. Terminates the EAP packets received from the client.
b. Encapsulates the client authentication information in standard RADIUS packets.
c. Uses PAP or CHAP to authenticate to the RADIUS server.
Comparing EAP relay and EAP termination
Packet exchange method | Benefits | Limitations |
---|---|---|
EAP relay | · Supports various EAP authentication methods. · The configuration and processing are simple on the access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client. |
EAP termination | Works with any RADIUS server that supports PAP or CHAP authentication. | · Supports only the following EAP authentication methods: MD5-Challenge EAP authentication, and the username and password EAP authentication initiated by an iNode 802.1X client. · The processing is complex on the access device. |
EAP relay
Figure 9 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.
Figure 9 802.1X authentication procedure in EAP relay mode
The following steps describe the 802.1X authentication procedure:
1. When a user launches the 802.1X client and enters a registered username and password, the 802.1X client sends an EAPOL-Start packet to the access device.
2. The access device responds with an EAP-Request/Identity packet to ask for the client username.
3. In response to the EAP-Request/Identity packet, the client sends the username in an EAP-Response/Identity packet to the access device.
4. The access device relays the EAP-Response/Identity packet in a RADIUS Access-Request packet to the authentication server.
5. The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server generates a random challenge and sends it in an EAP-Request/MD5-Challenge packet, encapsulated in a RADIUS Access-Challenge packet, to the access device.
6. The access device transmits the EAP-Request/MD5-Challenge packet to the client.
7. The client computes an MD5 hash over the EAP Identifier, the password, and the received challenge, and sends the hash value in an EAP-Response/MD5-Challenge packet to the access device. The password itself is never transmitted.
8. The access device relays the EAP-Response/MD5-Challenge packet in a RADIUS Access-Request packet to the authentication server.
9. The authentication server computes the same hash from the challenge it generated at step 5 and the password stored in the user entry. If the two hash values are identical, the server considers the client valid and sends a RADIUS Access-Accept packet to the access device.
10. Upon receiving the RADIUS Access-Accept packet, the access device performs the following operations:
a. Sends an EAP-Success packet to the client.
b. Sets the controlled port in authorized state.
The client can access the network.
11. After the client comes online, the access device periodically sends handshake requests to check whether the client is still online. By default, if two consecutive handshake attempts fail, the device logs off the client.
12. The client can also send an EAPOL-Logoff packet to ask the access device for a logoff.
13. In response to the EAPOL-Logoff packet, the access device changes the status of the controlled port from authorized to unauthorized. Then, the access device sends an EAP-Failure packet to the client.
EAP termination
Figure 10 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.
Figure 10 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the access device rather than the authentication server generates the MD5 challenge that the client hashes its password with. The access device then sends the challenge (in the CHAP-Challenge attribute), the username, and the client's MD5 response (in the CHAP-Password attribute) in a standard RADIUS Access-Request to the RADIUS server, which recomputes the hash from the stored password and compares the two values.
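The MD5-Challenge computation behind both procedures, as an added Python example (not H3C code; the password, challenge and identifiers are constructed). The client's EAP-MD5 Value and a CHAP response are the same MD5(Identifier || password || challenge) defined in RFC 1994 and reused by RFC 3748, which is why the access device can terminate EAP-MD5 into RADIUS CHAP-Password/CHAP-Challenge attributes but cannot terminate EAP-TLS or PEAP. The last function shows the caveat the procedure descriptions leave implicit: the hash is not encryption, so anyone who captures the challenge and the response can test candidate passwords offline, and the EAPOL leg between client and access device is not otherwise protected.

```python
"""MD5-Challenge as used by EAP relay (EAP-MD5, RFC 3748 section 5.4) and by
CHAP-based EAP termination (RFC 1994 via RADIUS CHAP-Password). Added example
for this page, not H3C code; password, challenge and identifiers are constructed."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Shared by EAP-MD5 and CHAP: MD5(Identifier || secret || challenge).
    What the procedure text calls 'encrypting the password' is this hash."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_response_packet(identifier: int, password: bytes, challenge: bytes,
                            name: bytes = b"") -> bytes:
    """EAP-Response/MD5-Challenge: Code 2, Identifier, Length, Type 4,
    Value-Size, Value, optional Name (the client sends this in EAP relay mode)."""
    value = md5_challenge_response(identifier, password, challenge)
    data = bytes([4, len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(data)) + data


def chap_password_attribute(chap_ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password (Type 3, Length 19): CHAP Ident octet followed by the
    16-byte MD5 value. In EAP termination the access device builds this from the
    client's EAP-MD5 response; the challenge goes in CHAP-Challenge (Type 60)."""
    return bytes([3, 19, chap_ident]) + md5_challenge_response(chap_ident, password, challenge)


def server_verify(identifier: int, stored_password: bytes, challenge: bytes,
                  received: bytes) -> bool:
    """Server side: recompute from the stored password and compare in constant time."""
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, received)


def offline_guess(identifier: int, challenge: bytes, received: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Why MD5-Challenge needs a protected path: a captured challenge/response
    pair lets an attacker test candidate passwords without contacting the server."""
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == received:
            return candidate
    return None
```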
Configuring 802.1X
802.1X VLAN manipulation
For information about 802.1X VLAN manipulation, see WLAN authentication in WLAN Configuration Guide.
Using 802.1X authentication with other features
ACL assignment
You can specify an ACL for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the ACL to the service template to filter traffic for this user. The authentication server can be the local access device or a RADIUS server. In either case, you must configure the ACL on the access device.
To change the access control criteria for the user, you can use one of the following methods:
· Modify ACL rules on the access device.
· Specify another authorization ACL on the authentication server.
For more information about ACLs, see ACL and QoS Configuration Guide.
User profile assignment
You can specify a user profile for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the user profile to the user for filtering traffic. The authentication server can be the local access device or a RADIUS server. In either case, you must configure the user profile on the access device.
To change the user's access permissions, you can use one of the following methods:
· Modify the user profile configuration on the access device.
· Specify another user profile for the user on the authentication server.
For more information about user profiles, see "Configuring user profiles."
EAD assistant
Endpoint Admission Defense (EAD) is an H3C integrated endpoint access control solution to improve the threat defensive capability of a network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
The EAD assistant feature enables the access device to redirect a user who is seeking to access the network to download and install an EAD client. This feature eliminates the administrative task to deploy EAD clients.
EAD assistant is implemented by the following functionality:
· Free IP.
A free IP is a freely accessible network segment, which has a limited set of network resources such as software and DHCP servers. To ensure security strategy compliance, an unauthenticated user can access only this segment to perform operations. For example, the user can download the EAD client from a software server or obtain a dynamic IP address from a DHCP server.
· Redirect URL.
If an unauthenticated 802.1X user is using a Web browser to access the network, the EAD assistant feature redirects the user to a specific URL. For example, you can use this feature to redirect the user to the EAD client software download page.
The EAD assistant feature creates an ACL-based EAD rule automatically to open access to the redirect URL for each redirected user.
EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.
Command and hardware compatibility
The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.
Configuration prerequisites
Before you configure 802.1X, complete the following tasks:
· Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
· If RADIUS authentication is used, create user accounts on the RADIUS server.
· If local authentication is used, create local user accounts on the access device and set the service type to lan-access.
802.1X configuration task list
Tasks at a glance:
· (Required.) Enabling EAP relay or EAP termination
· (Optional.) Setting the maximum number of authentication request attempts
· (Optional.) Setting the 802.1X authentication timeout timers
· (Optional.) Specifying supported domain name delimiters
· (Optional.) Configuring the EAD assistant feature
Enabling EAP relay or EAP termination
When configuring EAP relay or EAP termination, consider the following factors:
· Support of the RADIUS server for EAP packets.
· Authentication methods supported by the 802.1X client and the RADIUS server.
You can use either EAP termination or EAP relay in the following situations:
· The client uses only MD5-Challenge EAP authentication. If EAP termination is used, you must enable CHAP authentication on the access device, because the client's MD5-Challenge response can be forwarded to the RADIUS server only as a CHAP response.
· The client is an iNode 802.1X client and initiates only the username and password EAP authentication. If EAP termination is used, you can enable either PAP or CHAP authentication on the access device. With PAP, the access device sends the password itself to the RADIUS server in the User-Password attribute, protected only by the RADIUS shared-secret obfuscation; with CHAP, it sends only an MD5 hash of the password and a challenge. If the password must not be transmitted in recoverable form, use CHAP authentication on the access device.
To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP termination" for help.
For more information about EAP relay and EAP termination, see "802.1X authentication procedures."
To configure EAP relay or EAP termination:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure EAP relay or EAP termination. | dot1x authentication-method { chap \| eap \| pap } | By default, the access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay. Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination. |
NOTE: If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification. |
Setting the maximum number of authentication request attempts
The access device retransmits an authentication request if it does not receive any responses to the request from the client within a period of time. To set the time, use the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command. The access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still receives no response.
To set the maximum number of authentication request attempts:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the maximum number of attempts for sending an authentication request. | dot1x retry retries | The default setting is 2. |
Setting the 802.1X authentication timeout timers
The network device uses the following 802.1X authentication timeout timers:
· Client timeout timer—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
· Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.
· In a low-speed network, increase the client timeout timer.
· In a network with authentication servers of different performance, adjust the server timeout timer.
To set the 802.1X authentication timeout timers:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the client timeout timer. | dot1x timer supp-timeout supp-timeout-value | The default is 30 seconds. |
3. Set the server timeout timer. | dot1x timer server-timeout server-timeout-value | The default is 100 seconds. |
Specifying supported domain name delimiters
By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users who use other domain name delimiters. The configurable delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.
If an 802.1X username string contains multiple configured delimiters, the rightmost delimiter is the domain name delimiter. For example, if you configure the backslash (\), dot (.), and forward slash (/) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.
If a username string contains none of the delimiters, the access device authenticates the user in the mandatory or default ISP domain.
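An added Python example (not H3C code) of the delimiter rule above: the rightmost configured delimiter splits the string, and only the backslash places the domain on the left of the delimiter. The delimiter sets and usernames, including the page's own 121.123/22\@abc example, are constructed inputs; the function also covers the no-delimiter case by returning a caller-supplied default domain. It shows why the configured set matters: with a different set, the same username string maps to a different user and domain, and therefore to a different account lookup on the RADIUS server.

```python
"""Split an 802.1X username into user and ISP domain as described in
"Specifying supported domain name delimiters". Added example for this page,
not H3C code; delimiter sets and sample usernames are constructed."""
from typing import Optional, Tuple

DOMAIN_LEFT = {"\\"}            # domain\user
DOMAIN_RIGHT = {"@", ".", "/"}  # user@domain, user.domain, user/domain
ALLOWED = DOMAIN_LEFT | DOMAIN_RIGHT


def split_domain(username: str, delimiters: str = "@",
                 default_domain: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (user, domain). `delimiters` is the configured set; the default
    set is the at sign only, matching the device default described above."""
    bad = set(delimiters) - ALLOWED
    if bad:
        raise ValueError(f"unsupported delimiters: {sorted(bad)}")
    # The rightmost occurrence of any configured delimiter is the split point.
    pos = max((username.rfind(d) for d in delimiters), default=-1)
    if pos < 0:
        # No configured delimiter: the mandatory or default ISP domain applies.
        return username, default_domain
    left, delim, right = username[:pos], username[pos], username[pos + 1:]
    if delim in DOMAIN_LEFT:
        return right, left      # domain\user
    return left, right          # user@domain, user.domain, user/domain
```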
To specify a set of domain name delimiters:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify a set of domain name delimiters for 802.1X users. | dot1x domain-delimiter string | By default, only the at sign (@) delimiter is supported. |
NOTE: If you configure the access device to send usernames with domain names to the RADIUS server, make sure the domain delimiter can be recognized by the RADIUS server. For username format configuration, see the user-name-format command in Security Command Reference. |
Configuring the EAD assistant feature
When you configure the EAD assistant feature, follow these restrictions and guidelines:
· For EAD assistant to take effect on a service template, you must first disable MAC authentication on the service template and delete all OUIs configured for OUI authentication.
· When OUIs for OUI authentication are configured, the free IP does not take effect on service templates. When MAC authentication is enabled on a service template, the free IP does not take effect on the service template.
· To allow a user to obtain a dynamic IP address before it passes 802.1X authentication, make sure the DHCP server is on the free IP segment.
· The server that provides the redirect URL must be on the free IP accessible to unauthenticated users.
· To avoid using up ACL resources when a large number of EAD users exist, you can shorten the EAD rule timer.
To configure the EAD assistant feature:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable EAD assistant. | dot1x ead-assistant enable | By default, this feature is disabled. |
3. Configure a free IP. | dot1x ead-assistant free-ip ip-address { mask-length \| mask-address } | By default, no free IP is configured. |
4. (Optional.) Configure the redirect URL. | dot1x ead-assistant url url-string | By default, no redirect URL is configured. Configure the redirect URL if users will use Web browsers to access the network. |
5. (Optional.) Set the EAD rule timer. | dot1x timer ead-timeout ead-timeout-value | The default setting is 30 minutes. |
Displaying and maintaining 802.1X
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display 802.1X session information, statistics, or configuration information. | display dot1x [ sessions \| statistics ] [ ap ap-name [ radio radio-id ] ] |
Display online 802.1X user information. | display dot1x connection [ ap ap-name [ radio radio-id ] \| slot slot-number \| user-mac mac-address \| user-name name-string ] |
Clear 802.1X statistics. | reset dot1x statistics [ ap ap-name [ radio radio-id ] ] |
Troubleshooting 802.1X
EAD assistant for Web browser users
Symptom
Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their Web browsers.
Analysis
Redirection will not happen for one of the following reasons:
· The address is in the string format. The operating system of the host regards the string as a website name and tries to resolve it. If the resolution fails, the operating system sends an ARP request, but the target address is not in dotted decimal notation. The redirection feature does not redirect this kind of request.
· The address is within a free IP segment. No redirection will take place, even if no host is present with the address.
· The redirect URL is not in a free IP segment.
· No server is using the redirect URL, or the server with the URL does not provide Web services.
Solution
To resolve the problem:
1. Enter a dotted decimal IP address that is not in any free IP segments.
2. Verify that the access device and the server are configured correctly.
3. If the problem persists, contact H3C Support.