802.1x - Maipu

In this section, we will see about 802.1x authentication in Maipu Routers and switches. As we all know about 802.1x is related authentication used in Switches.  Let’s see about it.

802.1X is a broadband access authentication solution put forward by IEEE in June, 2001. If defines the Port-Based Network Access Control. By utilizing LAN’s physical access features of IEEE 802 architecture, 802.1X provides a system of methods for authenticating and authorizing devices access to LAN ports via point-to-point.

802.1X features:

1. Terse solution: 802.1X only concerns the enabling and disabling of a port. The port is enabled when legal users (by user name and password) access; and the port is disabled when illegal users or no user access. The result of authentication depends on changes of the port status. This is the simplest solution to realize the authentication among various authentication technologies.
2. The EAP protocol used by 802.1X only defines the means of communication authentication information, but doesn’t define a concrete authentication mechanism. The authentication mechanism can be selected flexibly (including Smart Card, Kerberos, Public Key Encryption and One Time Password)
3. IEEE 802.1X protocol is a layer 2 protocol, and is unnecessary to reach layer.In the authentication process, the client system doesn’t need an IP address. When the authentication begins, the EAPOL frame uses 01-80-c2-00-00-03 as the destination MAC address, and uses the MAC address of the sender as the source MAC address.
4. Adopt the pure Ethernet technology. It is unnecessary to consider about the encapsulation problem for the packets passed the authentication. Therefore, the efficiency is high and the bottleneck of the network is cleared. 
5. After users passed the authentication, the service flow and the authentication flow are separated, and there is no special requirement for processing the subsequent data packets. The service can be very flexible and has great advantages when developing services like the broadband multicasting. All services are not limited by the authentication mode. Meanwhile, the charging mode can be chose flexibly, and it supports the charging mode which is according to the users’ duration.
6. 802.1X realizes the dispersed access control (realized by the Ethernet switch which is closed to the user and supports the 802.1X protocol) and the centralized authentication management (supports RADIUS and TACACS+ server). The whole authentication structure is harmonious.

Expansions of Standard 802.1X

Maipu series switches not only support the standard 802.1X protocol but also expand and optimize it to meet various application demands.

1. It supports multiple user access via one port. The standard 802.1X protocol is realized based on the port, which means as long as one user of the port is authenticated successfully, other users can use the network sources without authentication. When the user is offline, other users are also denied to use the network. Maipu series switches support the user-based authentication (base on the MAC addresses). When the port is configured as the user-based authentication, each user of the port needs to be authenticated separately, only the user who passed the authentication can use the network source.  If one user is offline, only that user cannot use the network and this doesn’t affect other authenticated users using the network.
2. Support the EAP termination. The standard 802.1X protocol prescribes that the client interacts with the authentication server via EAP packets. The device serves as the “EAP relay” in the interaction. The device encapsulates the EAP data from the client into other protocols, such as Radius protocol, and then transmits it to the authentication server. In the same way, the device encapsulates the EAP data sent from the authentication server into the EAPOL packets and transmits to client.  We call this kind of interactive mode as the EAP relay. The EAP relay requests that the authentication server supports the EAP protocol; otherwise the authentication server cannot interact with the client by using EAP. Consider about the practical application environment, the authentication server that was deployed earlier may not support the EAP protocol. Maipu series switches expand this and support the EAP termination mode. The EAP data from the client is not transmitted directly to the authentication server, but the device completes the EAP interaction with the client and picks up the authentication information of the user and then transmits it to the authentication server to authenticate.

Auto Vlan

After an 802.1X user passed authentication on the server, the server transmits the authorization information to the device. If the server is enabled with the VLAN assigning function, the assigned VLAN information is included in the authorization information. The device adds the port to the assigned VLAN. We call the assigned VLAN as the Auto VLAN.

1. If the RADIUS server authentication information doesn’t have the assigned VLAN information, the attributes of the port VLAN are not changed after the authentication is passed.
2. If RADIUS server authentication information has the assigned VLAN information, judge if the assigned auto VLAN exists after the authentication is passed. If it exists,  add the port into the Auto VLAN with untag mode, and the default VID of the port is the VID of the Auto VLAN; if the Auto VLAN doesn’t exist, the attributes of the port VLAN are not changed, and the authentication is failed.
3. After the user goes offline, the port is returned to the “not authenticated” status and is deleted from the Auto VLAN. The default VID of the port is also returned to the original VID.

The assigned Auto VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the user-configured VLAN (that is Config VLAN), it is the Auto VLAN that takes effect after a user passed authentication.  The user configured VLAN takes effect after the user goes offline.

The three radius attributes that associated with the features of assigning VLAN are as follows:

1. [64] Tunnel-Type = VLAN
2. [65] Tunnel-Medium-Type = 802
3. [81] Tunnel-Private-Group-ID = VLAN ID

Note

1. Auto VLAN cannot be applied in dynamic VLAN, for example, if the VLAN ID specified by auto VLAN is the VLAN automatically created by gvrp, the authentication of 802.1x user may fail.
2. To ensure normal application of various functions, assign different VLAN IDs for voice vlan, private vlan, and 802.1x auto vlan.

Guest Vlan

Guest VLAN function is used to permit a not-authenticated user to access some special resources. The user authentication port belongs to a default VLAN (that is Guest VLAN) before it passes the 802.1X authentication.

Users can access the resources of that VLAN without authentication, but cannot access other network resources; after the authentication is passed, the port leaves the Guest VLAN and the user can access other network resources.

Users obtain 802.1X client software from the Guest VLAN to upgrade the client or execute other application upgrade programs (such as anti-virus software’s, operation system mends). After configured the Guest VLAN on a port successfully, the port is added into the Guest VLAN by the device.

After enabled the 802.1X features and correctly configured the Guest VLAN, the port is added into the Guest VLAN with untagged mode. At the time, the user of the port in the Guest VLAN initiates authentication. If the authentication is failed, the port stays in the Guest VLAN; otherwise, two cases may occur:

1. If authentication server assigns a VLAN, the port leaves the Guest VLAN and joins the assigned VLAN. If the user goes offline, the port returns to the Guest VLAN.
2. If the authentication server doesn’t assign any VLAN, the port leaves the Guest VLAN and joins the Config VLAN. If the user goes offline, the port joins the Guest VLAN.

Note

The guest vlan of the port cannot be applied in dynamic vlan, for example, if the VLAN ID specified by guest vlan is the VLAN automatically created by gvrp, the guest vlan can be configured successfully, but it cannot take effect.

In next post I will share 802.1x configuration for Maipu 1800 Router, That router is having inbuilt switch ports. 

Hope this theory information will be useful for you. 

For any feedback and query, Plz put comment with your Name and mail id.