- 802.1X mechanism
- 802.1X solution & Non-802.1X solution
- D-Link 802.1X Based Security Solution
  - Port-Based 802.1X and MAC-based 802.1X
  - Port-Based 802.1X with Guest VLAN function
- D-Link Non-802.1X Based Security Solution
  - MAC-Based Access Control (MAC)
  - MAC-Based Access Control (MAC) with Guest VLAN
  - WEB-Based Access Control (WAC)
802.1X Authentication Mechanism
The 802.1X authentication mechanism consists of three components:
- Authentication Server: validates the identity of the client and notifies the switch whether the client is authorized to access the LAN.
- Authenticator (Switch): requests identity information from the client, verifies that information with the Authentication Server, and relays the server's response to the client.
- Client (Supplicant): requests access to the LAN and switch services and responds to the requests from the switch. The workstation must be running 802.1X-compliant client software (for example, Windows XP ships with a built-in 802.1X supplicant).
Disadvantage of 802.1X
Although 802.1X is a secure authentication method, two things are always the obstacles to deployment: every client needs an 802.1X supplicant, and the network needs a RADIUS server. Setting both up and maintaining them is costly and resource-consuming.
Non-802.1X Authentication Mechanism
By contrast, the Non-802.1X methods make authentication easier to deploy and more user-friendly. They compensate for what 802.1X lacks and simplify rollout. This clientless mechanism is flexible while still providing a required baseline of access control (note that a MAC address is an identifier rather than a secret, so MAC-based checks give weaker assurance than a credential-based method). The benefits:
- Easier deployment: no client software to install or support
- Lower maintenance cost: the RADIUS server becomes optional
- Better user experience: for example, MAC-based authentication does not require users to key in a username and password
Non-802.1X authentication solutions are in growing demand: they need no extra client software and are easy to deploy and maintain. D-Link therefore offers comprehensive solutions for both 802.1X and Non-802.1X environments, to increase productivity without compromising the security of the network.
D-Link's Implementation
- Port-based 802.1X: users have to be authenticated before accessing the network, and the switch unlocks the port only after a user passes authentication.
- MAC-based 802.1X: a D-Link switch can perform authentication per MAC address, so each switch port can authenticate multiple PCs and grant access rights individually.
Sample user database on the RADIUS server (as drawn in the diagram):
Username   Password
Crowley    mygoca-ah
Anderson   busy2
Shinglin   4wireless
[Diagram: 802.1X clients connect to the switch (Authenticator), which reaches the RADIUS server (Authentication Server) across the network/Internet.]
Role                   Device / Protocol
Client                 NIC card (supplicant)
Authenticator          Network port access point: Ethernet switch, etc.
Authentication Server  AAA server: any EAP server, mostly RADIUS
Client <-> Authenticator: EAP over LAN (802.3) or EAP over Wireless (802.11), carried before authentication completes
Authenticator <-> Authentication Server: encapsulated EAP messages, typically on RADIUS
[Diagram: Workstation (Client) <- identity/challenge -> Switch (Authenticator) <- request/challenge -> RADIUS Server (Authentication Server)]
Client:
The device (workstation) that requests access to the LAN and switch services, and responds to the identity/challenge requests relayed from the switch and the RADIUS server.
The workstation must be running 802.1X-compliant client software, such as the supplicant included in the Microsoft Windows XP operating system.
Authentication Server:
The Authentication Server validates the identity of the clients and notifies the switch whether or not each client is authorized to access the LAN. RADIUS (Remote Authentication Dial-In User Service) operates in a client/server model in which authentication information is exchanged between the RADIUS server and one or more RADIUS clients (here, the switch); the switch, not the workstation, is the RADIUS client.
Authenticator:
The Authenticator acts as an intermediary (proxy) between the Client and the Authentication Server: it requests identity information from the Client, verifies that information with the Authentication Server, and relays the request/response messages (identity and challenge) between the Client and the Authentication Server. It never evaluates the credentials itself; it only opens the port when the server answers with an accept.
802.1X Authentication Flow (OTP example)
Port state before authentication: Port Unauthorized
1. Client -> Switch: EAPOL-Start
2. Switch -> Client: EAP-Request/Identity
   Client -> Switch: EAP-Response/Identity
   Switch -> RADIUS Server: RADIUS Access-Request (carrying the EAP-Response/Identity)
3. RADIUS Server -> Switch: RADIUS Access-Challenge (carrying EAP-Request/OTP)
   Switch -> Client: EAP-Request/OTP
   Client -> Switch: EAP-Response/OTP
   Switch -> RADIUS Server: RADIUS Access-Request (carrying the EAP-Response/OTP)
4. RADIUS Server -> Switch: RADIUS Access-Accept
   Switch -> Client: EAP-Success; port state changes to Port Authorized
5. Client -> Switch: EAPOL-Logoff
   Switch -> RADIUS Server: RADIUS Accounting-Stop; RADIUS Server -> Switch: RADIUS Ack
   Port state returns to Port Unauthorized
* OTP (One-Time Password)
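The exchange above, as an added example that is not part of D-Link's material: a Python model of the EAPOL and EAP framing (IEEE 802.1X and RFC 3748 header layouts), with the switch acting as Authenticator and a stand-in RADIUS function playing the Authentication Server that issues the OTP challenge. The user table repeats the slide's sample accounts; the OTP challenge string, the accept/reject logic and all function and class names are constructed for the example, and the real RADIUS transport (UDP, attributes, shared-secret Request Authenticator) is not modelled.

```python
import struct

# EAPOL header (IEEE 802.1X): version(1) packet type(1) body length(2).
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP header (RFC 3748): code(1) identifier(1) length(2); Request/Response add type(1) + data.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_OTP = 1, 5   # RFC 3748 type numbers (OTP = One-Time Password)
TYPE_NAMES = {EAP_TYPE_IDENTITY: "Identity", EAP_TYPE_OTP: "OTP"}
# Constructed user table standing in for the RADIUS server's database (values from the slide).
RADIUS_USERS = {b"Crowley": b"mygoca-ah", b"Anderson": b"busy2", b"Shinglin": b"4wireless"}


def build_eap(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type or None, data); reject a length that overruns the buffer."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    payload = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not payload:
            raise ValueError("Request/Response without Type")
        return code, ident, payload[0], payload[1:]
    return code, ident, None, payload


def build_eapol(pkt_type, body=b""):
    return struct.pack("!BBH", 2, pkt_type, len(body)) + body   # protocol version 2


def parse_eapol(frame):
    _, pkt_type, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPOL body")
    return pkt_type, frame[4:4 + length]


def radius_server(eap_response, session):
    """Stand-in Authentication Server: returns (RADIUS reply code, EAP packet for the switch to
    relay). 'session' keeps the identity between the Access-Challenge and the next Access-Request."""
    _, ident, eap_type, data = parse_eap(eap_response)
    if eap_type == EAP_TYPE_IDENTITY:
        session["identity"] = data
        return "Access-Challenge", build_eap(EAP_REQUEST, (ident + 1) & 0xFF, EAP_TYPE_OTP, b"otp-challenge")
    if eap_type == EAP_TYPE_OTP and RADIUS_USERS.get(session.get("identity")) == data:
        return "Access-Accept", build_eap(EAP_SUCCESS, ident)
    return "Access-Reject", build_eap(EAP_FAILURE, ident)


class Authenticator:
    """The switch port PAE: relays EAP to the server and authorizes the port only on Access-Accept."""

    def __init__(self):
        self.port_authorized = False
        self.session = {}
        self.log = []   # message names, in the order they occur

    def receive(self, frame):
        """Handle one EAPOL frame from the supplicant; return the EAPOL reply, or None."""
        pkt_type, body = parse_eapol(frame)
        if pkt_type == EAPOL_START:
            self.log += ["EAPOL-Start", "EAP-Request/Identity"]
            return build_eapol(EAPOL_EAP, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        if pkt_type == EAPOL_LOGOFF:
            self.port_authorized = False
            self.log += ["EAPOL-Logoff", "RADIUS Accounting-Stop", "Port Unauthorized"]
            return None
        if pkt_type != EAPOL_EAP:
            raise ValueError("unsupported EAPOL packet type %d" % pkt_type)
        _, _, eap_type, _ = parse_eap(body)
        self.log += ["EAP-Response/" + TYPE_NAMES.get(eap_type, str(eap_type)), "RADIUS Access-Request"]
        reply, eap = radius_server(body, self.session)
        self.log.append("RADIUS " + reply)
        if reply == "Access-Accept":
            self.port_authorized = True
            self.log += ["EAP-Success", "Port Authorized"]
        elif reply == "Access-Reject":
            self.log.append("EAP-Failure")
        else:
            self.log.append("EAP-Request/OTP")
        return build_eapol(EAPOL_EAP, eap)


def run_exchange(identity, otp, logoff=True):
    """Drive a supplicant through the whole sequence; return (port authorized after login, log)."""
    auth = Authenticator()
    reply = auth.receive(build_eapol(EAPOL_START))
    while reply is not None:
        code, ident, eap_type, _ = parse_eap(parse_eapol(reply)[1])
        if code != EAP_REQUEST:
            break   # EAP-Success or EAP-Failure ends the conversation
        answer = identity if eap_type == EAP_TYPE_IDENTITY else otp
        reply = auth.receive(build_eapol(EAPOL_EAP, build_eap(EAP_RESPONSE, ident, eap_type, answer)))
    authorized = auth.port_authorized
    if logoff and authorized:
        auth.receive(build_eapol(EAPOL_LOGOFF))
    return authorized, auth.log
```

Calling run_exchange(b"Crowley", b"mygoca-ah") walks through the 14 messages in the order of the flow above and ends with the port back in Unauthorized after the logoff; a wrong OTP ends at RADIUS Access-Reject / EAP-Failure and the port never opens. The point to notice is that the switch code contains no credential check at all: the port flag flips only on the server's Access-Accept, which is why losing the RADIUS server stops all new logins in a pure 802.1X deployment.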
Port-based 802.1X scenario
[Diagram: Internet - DES-3828 (port 1) - L2 switch/hub - clients Kobe, Gary, Ryan; 192.168.0.10 is labelled in the diagram]
All of the clients connected to the L2 hub can pass through the switch (DES-3828) once one client (Kobe) is authenticated.
MAC-based 802.1X scenario
[Diagram: same topology: Internet - DES-3828 - L2 switch/hub - clients Gary, Ryan, ...; 192.168.0.10 is labelled in the diagram]
Each client must provide its own correct username/password to pass authentication before it can access the network.
NOTICE: The intermediate L2 switch or hub must support 802.1X pass-through. Otherwise the 802.1X (EAPOL) frames, whose destination MAC 01-80-C2-00-00-03 lies inside the IEEE 802.1D reserved group-address range 01-80-C2-00-00-00 to 01-80-C2-00-00-0F that a standard bridge does not forward, will be dropped by that switch and never reach the DES-3828.
Port-based 802.1X vs. MAC-based 802.1X
Port-based 802.1X:
- Once a port is authorized by one client, the other users connected to the same port through a hub or switch can also pass through the switch.
MAC-based 802.1X:
1. Once a port is authorized by a client, only that client's MAC address can pass through the switch.
2. The switch not only checks the username/password but also checks whether the maximum number of MAC addresses allowed on the port has been reached. If it has, the new MAC address is denied even with valid credentials.
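Added example, not D-Link's code, covering both the pass-through notice and the port-based vs. MAC-based comparison above: a model of the forwarding decision behind one DES-3828 port in each mode (including the "max MAC allowed" check), plus the bridge reserved-address test that decides whether an intermediate switch without 802.1X pass-through drops EAPOL. The user table repeats the slide's sample accounts; the host MAC addresses (RFC 7042 documentation range), the host-to-account mapping and the class and function names are constructed for the example.

```python
# Constructed user table for the credential check (account values from the slide).
USERS = {"Crowley": "mygoca-ah", "Anderson": "busy2", "Shinglin": "4wireless"}

# IEEE 802.1D reserved group addresses 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F are never
# forwarded by a conforming bridge; EAPOL is sent to the PAE group address ...-03.
BRIDGE_RESERVED_PREFIX = bytes.fromhex("0180c20000")
PAE_GROUP_ADDRESS = "01-80-C2-00-00-03"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def is_bridge_reserved(mac):
    """True for the 16 reserved group addresses a standard bridge filters."""
    b = mac_bytes(mac)
    return len(b) == 6 and b[:5] == BRIDGE_RESERVED_PREFIX and b[5] <= 0x0F


def intermediate_switch_forwards(dst_mac, passthrough):
    """Does the L2 switch/hub between the client and the DES-3828 let a frame through?
    Without 802.1X pass-through it filters reserved group frames, EAPOL included."""
    return passthrough or not is_bridge_reserved(dst_mac)


class AccessPort:
    """One authenticator port in port-based or MAC-based 802.1X mode (hypothetical model)."""

    def __init__(self, mode, max_macs=None):
        if mode not in ("port", "mac"):
            raise ValueError("mode must be 'port' or 'mac'")
        self.mode, self.max_macs = mode, max_macs
        self.port_authorized = False   # port-based: one flag for the whole port
        self.authorized_macs = set()   # MAC-based: one entry per authenticated host

    def authenticate(self, mac, username, password):
        """Credential check, then the mode-specific authorization. True if mac may now pass."""
        if USERS.get(username) != password:
            return False
        if self.mode == "port":
            self.port_authorized = True
            return True
        if mac in self.authorized_macs:
            return True   # re-authentication of a host already on the port
        if self.max_macs is not None and len(self.authorized_macs) >= self.max_macs:
            return False   # max MAC allowed reached: deny the new MAC despite valid credentials
        self.authorized_macs.add(mac)
        return True

    def forwards(self, src_mac):
        """Data-plane decision for a frame from src_mac arriving on this port."""
        if self.mode == "port":
            return self.port_authorized
        return src_mac in self.authorized_macs

    def logoff(self, mac):
        if self.mode == "port":
            self.port_authorized = False
        else:
            self.authorized_macs.discard(mac)


def hub_scenario(mode, max_macs=None):
    """The slide's topology: Kobe, Gary and Ryan share one DES-3828 port through a hub.
    Only Kobe authenticates (with the slide's Crowley account); returns who the switch then forwards."""
    port = AccessPort(mode, max_macs)
    hosts = {"Kobe": "00-00-5E-00-53-01", "Gary": "00-00-5E-00-53-02", "Ryan": "00-00-5E-00-53-03"}
    port.authenticate(hosts["Kobe"], "Crowley", "mygoca-ah")
    return {name: port.forwards(mac) for name, mac in hosts.items()}
```

hub_scenario("port") forwards all three hosts after Kobe alone authenticates, which is the port-based behaviour the slide warns about; hub_scenario("mac") forwards only Kobe, and with max_macs set a further valid login is refused once the limit is reached. The reserved-address test reproduces the NOTICE: with passthrough=False the intermediate switch never forwards a frame addressed to 01-80-C2-00-00-03, so the DES-3828 never sees the EAPOL-Start.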