802.1X
802.1X is a protocol that defines port-based network access control. It defines the following three roles:
1. Supplicant = the end point that wants to access the network
2. Authenticator = the point of connection to the network
3. Authentication Server = the server that actually authenticates the users
In the wireless world, the AP (or the AP/WLC pair in a centralized network) acts as the authenticator.
The following steps take place. The first four steps establish basic 802.11 connectivity:
(1) The client sends an 802.11 Open Authentication Request
(2) The AP sends an 802.11 Open Authentication Response
(3) The client then sends an Association Request
(4) The AP sends an Association Response
At this point the AP blocks all traffic from the supplicant until authentication completes.
(5) The 802.1X/EAP exchange starts at this point.
(6) When the 802.1X/EAP exchange succeeds, the client's traffic is allowed through the AP.
RADIUS (Remote Dial In User Service) is the main protocol described for communication between the authenticator and the authentication server in 802.1X. This means the supplicant exchanges 802.1X messages with the authenticator, and the authenticator translates those 802.1X messages into RADIUS messages and forwards them to a RADIUS server. The RADIUS server uses UDP port 1812 for authentication and UDP port 1813 for authorization.
So 802.1X and RADIUS are the protocols used to transport the authentication dialog between the supplicant and the authentication server.
That authentication dialog is what EAP defines.
EAP (Extensible Authentication Protocol)
802.1X itself does not specify how wireless clients send their credentials to the authentication server, nor how that authentication should occur. So the IEEE incorporated EAP into 802.1X to fulfill this requirement.
EAP only describes the headers used to identify the typical packets of an authentication dialog (request, challenge, success, failure). The base EAP specification does not describe the authentication method; the flavors of EAP do.
The different flavors of EAP, identified by different names, specify the different authentication methods (the way authentication occurs).
Examples:
EAP-TLS : uses certificates on both the Authentication Server and the Supplicant
EAP-PEAP : uses a certificate on the Authentication Server and credentials from the Supplicant
EAP-FAST : uses a FAST Authentication Server (Cisco proprietary)
There are four types of EAP messages:
Type 1 - Request
Type 2 - Response
Type 3 - Success
Type 4 - Failure
EAP messages are encapsulated in EAP over LAN (EAPOL) frames. There are five types of EAPOL frames:
1. Type 0 – EAP-Packet (an encapsulated EAP frame)
2. Type 1 – EAPOL-Start (optional frame the supplicant can use to start the EAP process)
3. Type 2 – EAPOL-Logoff (terminates an EAP session and shuts the virtual port)
4. Type 3 – EAPOL-Key (used to exchange dynamic keying material in the 4-way handshake)
5. Type 4 – EAPOL-Encapsulated-ASF-Alert (used to send alerts such as SNMP traps)
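As an added example (not code from the original post), the following Python decodes the EAPOL and EAP headers listed above and models the authenticator's controlled port from steps (5) and (6): traffic stays blocked until an EAP Success arrives. The sample frames at the bottom are constructed, not captured; the EAP method-type numbers in the comment come from RFC 3748.

```python
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes (RFC 3748)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eapol(frame: bytes) -> dict:
    """Decode the 4-byte EAPOL header (version, type, body length) and, for
    Type 0 frames, the 4-byte EAP header (code, identifier, length) it carries."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:  # the length field must not claim more than the frame holds
        raise ValueError("EAPOL length field exceeds frame")
    out = {"version": version, "eapol_type": EAPOL_TYPES.get(ptype, "unknown")}
    if ptype == 0:
        if length < 4:
            raise ValueError("short EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length:
            raise ValueError("EAP length field exceeds EAPOL body")
        out.update(eap_code=EAP_CODES.get(code, "unknown"), eap_id=ident)
        # Request/Response carry a method-type byte: 1 = Identity, 13 = EAP-TLS, 25 = PEAP
        if code in (1, 2) and eap_len >= 5:
            out["eap_method"] = body[4]
    return out


class AuthenticatorPort:
    """Controlled-port model: client traffic is blocked until EAP Success (step 6);
    EAP Failure or EAPOL-Logoff returns the port to the unauthorized state."""
    def __init__(self):
        self.authorized = False

    def handle(self, frame: bytes) -> bool:
        info = parse_eapol(frame)
        if info["eapol_type"] == "EAP-Packet" and info["eap_code"] == "Success":
            self.authorized = True
        elif info["eapol_type"] == "EAPOL-Logoff" or info.get("eap_code") == "Failure":
            self.authorized = False
        return self.authorized


# Constructed sample frames (not captured traffic): version 1, type, length, body
EAPOL_START = bytes([0x01, 0x01, 0x00, 0x00])
EAP_REQ_IDENTITY = bytes([0x01, 0x00, 0x00, 0x05, 0x01, 0x01, 0x00, 0x05, 0x01])
EAP_SUCCESS = bytes([0x01, 0x00, 0x00, 0x04, 0x03, 0x01, 0x00, 0x04])
EAPOL_LOGOFF = bytes([0x01, 0x02, 0x00, 0x00])
```

A frame whose length field claims more bytes than are present is rejected rather than silently truncated, which is the check a real authenticator or IDS parser needs before trusting the EAP body.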
If you want to know how EAP-TLS works go here.
If you want to know how PEAP works go here.