I recently spent a week studying the 802.1X protocol, and here is a summary of my study.
802.1X is a client/server-based access control protocol, commonly referred to as dot1x. In layman's terms, it is an authentication technology. How does the authentication work? Connect a PC to a port on the switch and enable the 802.1X function on that switch port. The PC must then submit the correct user name and password and pass the server's authentication before it can access the network. The PPPoE we are all familiar with is similar to this approach. What is the difference between them? Let's set that aside for now and talk about the 802.1X protocol itself. In what follows we call the PC the client and the switch the device.
Where there is a protocol, there are packets. The packets corresponding to 802.1X are EAP (Extensible Authentication Protocol) and EAPOL (EAP over LAN). EAPOL is an encapsulation of EAP (it is the form you see in a packet capture) that allows EAP to be carried on the LAN as broadcast or multicast frames. EAP is used to authenticate against the remote RADIUS (Remote Authentication Dial-In User Service) server, and RADIUS packets carry the information exchanged between the device and the authentication server.
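To make the EAPOL/EAP layering concrete, here is a small parser I wrote for this summary (added example, not code from the original post or from H3C). It decodes an Ethernet frame carrying EAPOL, pulls out the EAP header when the EAPOL type is EAP-Packet, and rejects frames whose length fields do not add up. The four sample frames at the bottom are constructed by hand for the Start / Request-Identity / Response-Identity / Success exchange; the MAC addresses are made up, only the 01:80:c2:00:00:03 PAE group address and the 0x888E EtherType are real constants.

```python
"""Minimal parser for 802.1X EAPOL frames and the EAP packets they carry."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # multicast address the client sends EAPOL to

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapolFrame:
    src: str
    dst: str
    version: int
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    eap_data: bytes = b""


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse one Ethernet frame; raise ValueError for anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:           # length field must fit inside the frame
        raise ValueError("EAPOL length exceeds frame")
    out = EapolFrame(src, dst, version, EAPOL_TYPES.get(ptype, f"unknown({ptype})"))
    if ptype != 0:                      # Start/Logoff/Key carry no EAP packet
        return out
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length inconsistent with EAPOL body")
    out.eap_code, out.eap_id = EAP_CODES.get(code, f"unknown({code})"), ident
    if code in (1, 2):                  # only Request/Response carry a Type byte
        if eap_len < 5:
            raise ValueError("EAP Request/Response missing Type")
        out.eap_type = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        out.eap_data = body[5:eap_len]
    return out


def summarize(frame: bytes) -> str:
    """One-line description, the kind of thing a monitoring tool would log."""
    f = parse_eapol(frame)
    if f.eap_code is None:
        return f"{f.src} -> {f.dst} {f.eapol_type}"
    detail = f" id={f.eap_id}" + (f" type={f.eap_type}" if f.eap_type else "")
    return f"{f.src} -> {f.dst} EAP {f.eap_code}{detail}"


# Constructed sample frames (not a real capture) for the exchange described above.
_CLIENT = bytes.fromhex("001122334455")
_SWITCH = bytes.fromhex("aabbccddeeff")
_HDR_TO_SWITCH = bytes.fromhex("0180c2000003") + _CLIENT + b"\x88\x8e"
_HDR_TO_CLIENT = _CLIENT + _SWITCH + b"\x88\x8e"

EAPOL_START = _HDR_TO_SWITCH + bytes.fromhex("01010000")
EAP_REQUEST_IDENTITY = _HDR_TO_CLIENT + bytes.fromhex("01000005") + bytes.fromhex("0101000501")
EAP_RESPONSE_IDENTITY = _HDR_TO_SWITCH + bytes.fromhex("01000008") + bytes.fromhex("0201000801") + b"h3c"
EAP_SUCCESS = _HDR_TO_CLIENT + bytes.fromhex("01000004") + bytes.fromhex("03020004")

if __name__ == "__main__":
    for fr in (EAPOL_START, EAP_REQUEST_IDENTITY, EAP_RESPONSE_IDENTITY, EAP_SUCCESS):
        print(summarize(fr))
```

Two things worth noticing when running it: the EAP-Response/Identity carries the user name (h3c) in clear text on the wire, which is why 802.1X deployments usually wrap the real credentials in a TLS-based EAP method, and the length checks matter because a port-facing parser sees whatever an unauthenticated host chooses to send.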
Environment topology diagram
Setting up the environment
1. A PC with an 802.1X client installed (H3C 802.1X client)
2. A switch that supports 802.1X (H3C5120)
3. An experimental network
4. A PC with a RADIUS server installed (the RADIUS server I use here is TekRadius; the installation and usage steps are not described in detail here, see the Baidu article "TekRadius Installation and Use Summary")
After installing TekRadius, add the account h3c with password h3c under the Users menu, and add the NAS (Network Access Server) 182.16.218.44 under the Clients menu with secret h3c. This secret is the shared key used for every exchange between the device and the RADIUS server, and it is the same key entered when creating the RADIUS scheme on the switch. Set Vendor to ietf (you can also choose the corresponding manufacturer; for the H3C switch used here, I could choose H3C) and Enabled to yes.
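What the shared secret actually does on the wire is not obvious from the TekRadius dialog, so here is an added example (my own illustration, not TekRadius or H3C code) of the two places RFC 2865 uses it: hiding the User-Password attribute in the Access-Request and computing the Response Authenticator the switch checks on every reply. The packets are built and parsed in-process with a fixed Request Authenticator so the result is reproducible; the user name, password and secret are the h3c values from this lab, the NAS address is the one entered above, and the identifier 7 is arbitrary.

```python
"""RADIUS shared-secret mechanics from RFC 2865, built as a toy client/server pair."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value       # Type, Length, Value


def parse_attrs(packet: bytes) -> dict:
    """Attributes start at offset 20 (after Code, ID, Length, Authenticator)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Client side: XOR each 16-byte block with MD5(secret + previous block)."""
    pad = (-len(password)) % 16
    if not password:
        pad = 16                                        # RFC requires at least one block
    padded = password + b"\x00" * pad
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: the reverse of hide_password; garbage if the secret differs."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, req_auth=None) -> bytes:
    req_auth = req_auth or os.urandom(16)               # must be unpredictable in real use
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, attrs, req_auth, secret) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, req_auth, secret) -> bool:
    """Client side: recompute the Response Authenticator and compare in constant time."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate(secret_on_switch: bytes, secret_on_server: bytes, req_auth=bytes(range(16))):
    """Run one request/reply with possibly mismatched secrets.
    Returns (password as the server sees it, whether the switch accepts the reply)."""
    req = build_access_request(7, "h3c", "h3c", "182.16.218.44", secret_on_switch, req_auth)
    seen = reveal_password(parse_attrs(req)[ATTR_USER_PASSWORD], secret_on_server, req_auth)
    reply = build_response(ACCESS_ACCEPT, req[1], b"", req_auth, secret_on_server)
    return seen, verify_response(reply, req_auth, secret_on_switch)


if __name__ == "__main__":
    print("matching secrets:", simulate(b"h3c", b"h3c"))
    print("mismatched secrets:", simulate(b"h3c", b"wrong"))
```

Running `simulate` with the same secret on both sides yields the password h3c and an accepted reply; with a mismatch the server decodes garbage and the switch rejects the Access-Accept, which is exactly the symptom you see when the key in the radius scheme and the TekRadius client entry do not agree. The construction is MD5-based and keyed only by this secret, so a three-character secret like the lab's h3c is fine for an experiment but not for production, and RADIUS traffic between a real switch and server should run over a protected path.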
Configuring the H3C5120 switch
Before configuring the switch, let us first understand AAA. AAA stands for authentication, authorization, and accounting. 802.1X is one of the technologies covered by AAA. So when we configure the 802.1X function on the switch, we can equally say that we are configuring the switch's AAA.
1. Make sure the switch can ping the RADIUS server
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1]ip address dhcp-alloc
[H3C-Vlan-interface1]quit
[H3C]ping 182.16.91.91
PING 182.16.91.91: 56 data bytes, press CTRL_C to break
Reply from 182.16.91.91: bytes=56 Sequence=1 ttl=127 time=4 ms
Reply from 182.16.91.91: bytes=56 Sequence=2 ttl=127 time=4 ms
Reply from 182.16.91.91: bytes=56 Sequence=3 ttl=127 time=5 ms
2. Create the RADIUS scheme (the template holding the RADIUS-related parameters)
[H3C]radius scheme cxd
New Radius scheme
[H3C-radius-cxd]primary authentication 182.16.218.44 #The primary authentication server is 182.16.218.44
[H3C-radius-cxd]primary accounting 182.16.218.44 #The primary accounting server is 182.16.218.44
[H3C-radius-cxd]key authentication h3c #The shared key for communication with RADIUS authentication is h3c
[H3C-radius-cxd]key accounting h3c #The shared key for communication with RADIUS accounting is h3c
[H3C-radius-cxd]timer realtime-accounting 15 #Interval (in minutes) at which the device sends real-time accounting updates to the RADIUS server
[H3C-radius-cxd]timer response-timeout 5 #Seconds to wait for a RADIUS server response before retransmitting
[H3C-radius-cxd]user-name-format without-domain #When the switch sends the user name to the RADIUS server, strip the domain name
[H3C-radius-cxd]retry 5 #Maximum number of transmission attempts before the server is treated as unreachable
3. Create a domain. This part is harder to understand. AAA manages users by domain, so the switch also manages users by domain. One domain uses one RADIUS scheme, and different domains can use different schemes, so users can be classified by placing them in different domains.
[H3C]domain h3c
New Domain added.
[H3C-isp-h3c]authentication default radius-scheme cxd #The template used for authentication is cxd
[H3C-isp-h3c]authorization default radius-scheme cxd #The template used for authorization is cxd
[H3C-isp-h3c]accounting default radius-scheme cxd #The template used for accounting is cxd
[H3C-isp-h3c]access-limit enable 1000 #Access user limit is 1000
[H3C]domain default enable h3c #The default domain enablement is h3c
4. Enable dot1x function globally and on the port (dot1x is the abbreviation of 802.1X)
[H3C]dot1x
802.1x is enabled globally.
[H3C]interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]dot1x
802.1x is enabled on port GigabitEthernet1/0/1.
Verification results
Summary
1. AAA manages users based on domains
2. Create a user domain and enable it as the default domain.
3. 802.1X is an implementation technology of AAA
802.1X local authentication
Since this is local authentication, there is no need to rely on a remote RADIUS server, so the authentication process is relatively simple.
1. Create a local-user account for local authentication.
2. Create a dot1x authentication domain and reference the local account in the domain.
3. Enable 802.1X globally and on the ports that require authentication.
Create a local authentication account
[H3C]local-user h3c
New local user added.
[H3C-luser-h3c]password simple h3c
[H3C-luser-h3c]service-type lan-access
Create domain
[H3C]domain h3c
New Domain added.
[H3C-isp-h3c]display domain h3c
Domain = h3c
State = Active
Access-limit = Disabled
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled
[H3C-isp-h3c]quit
[H3C]domain default enable h3c
Enable dot1x function globally and on the port (dot1x is the abbreviation of 802.1X)
[H3C]dot1x
802.1x is enabled globally.
[H3C]interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]dot1x
802.1x is enabled on port GigabitEthernet1/0/1.
802.1X local authentication and remote authentication are used together
Usage scenario: fall back to local authentication when the device cannot reach the remote RADIUS server.
Modify the domain configuration as follows (first configure the correct RADIUS scheme and local account, as above):
[H3C-isp-h3c]authentication default radius-scheme cxd local
[H3C-isp-h3c]authorization default radius-scheme cxd local
[H3C-isp-h3c]accounting default radius-scheme cxd local
Now stop the RADIUS server and click Connect in the 802.1X client. You will see that once the device has sent its request to the RADIUS server and received no response, it immediately falls back to local authentication and the client is admitted.