Authentication Steps
Assuming a newly-connecting computer is running one of the above-mentioned 802.1X clients (supplicants), the
following describes what happens:
1. Once the client's NIC has link with the switch port, the client sends an "EAPOL-Start" frame, which
begins a series of message exchanges between the client and the LAN switch. (A switch can also open the
exchange itself by sending the identity request in the next step as soon as link comes up.)
2. The LAN switch replies with an "EAP-Request/Identity" message, asking the client to identify itself. The
identity is usually a user or machine name; with certificate-based methods it is often only an outer
(anonymous) identity, since the real identity is in the certificate. A MAC address is not an EAP identity;
switches that fall back to MAC-based authentication for devices with no supplicant do that outside EAP.
3. The client replies with an "EAP-Response/Identity". The switch wraps the EAP message in a RADIUS
Access-Request (an EAP-Message attribute carried over UDP/IP) and forwards it to the RADIUS server. At
this point the port is in the 802.1X "unauthorized" state: only EAPOL frames are passed, and all other
traffic from the client, including DHCP requests, is dropped while the switch waits for the RADIUS server.
4. The RADIUS server runs the configured EAP method to verify the client, usually a digital certificate via
EAP-TLS or a similar EAP type. This normally takes several more round trips: the server returns a RADIUS
Access-Challenge carrying an EAP-Request, the switch relays it to the client as an EAPOL frame, the
client's EAP-Response goes back to the server in another Access-Request, and so on until the method
completes.
5. The RADIUS server then sends its decision back to the LAN switch as a RADIUS "Access-Accept" or
"Access-Reject" reply (an Accept may also carry attributes such as a VLAN assignment).
6. The LAN switch relays this to the client as an "EAP-Success" or "EAP-Failure" message. If accepted, the
port becomes "authorized" and DHCP requests, along with all other traffic, are allowed. If rejected, the
port either stays blocked or is mapped to a specific restricted VLAN, usually a guest VLAN with limited
or external-only access.
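The six steps above as a runnable simulation. This is an added example written for this page, not code from the original post or from any switch or RADIUS vendor. It models three toy parties (supplicant, one authenticator port, RADIUS server) and uses the real message names (EAPOL-Start, EAP-Request/Identity, RADIUS Access-Request/Challenge/Accept/Reject, EAP-Success/EAP-Failure). The credential check is a constructed one-round HMAC challenge-response standing in for a real EAP method such as EAP-TLS; the user "alice", her secret, the guest VLAN number and the `run()` helper are all assumptions made for the demonstration.

```python
"""Added example: a simulated IEEE 802.1X / EAP / RADIUS exchange.
Supplicant (client NIC), authenticator (switch port) and RADIUS server are
toy classes; the HMAC challenge below is a constructed stand-in for a real
EAP method such as EAP-TLS. Not a vendor implementation."""
import hashlib
import hmac
import secrets
from enum import Enum, auto

EAPOL_ETHERTYPE = 0x888E     # IEEE 802.1X frames; every other ethertype is "data"
IPV4_ETHERTYPE = 0x0800      # e.g. a DHCP Discover


class PortState(Enum):
    UNAUTHORIZED = auto()    # only EAPOL passes (the post's "semi-blocked" state)
    AUTHORIZED = auto()      # DHCP and all other traffic passes
    GUEST_VLAN = auto()      # rejected: port mapped to a restricted VLAN


class RadiusServer:
    """Toy RADIUS server driving a one-round HMAC challenge (stand-in for EAP-TLS)."""

    def __init__(self, users):
        self.users = users       # identity -> shared secret (constructed user DB)
        self.pending = {}        # RADIUS State attribute -> (identity, challenge)

    def handle(self, packet):
        eap = packet["EAP-Message"]
        if eap["type"] == "Identity":
            state, challenge = secrets.token_hex(8), secrets.token_bytes(16)
            self.pending[state] = (eap["identity"], challenge)
            return {"code": "Access-Challenge", "State": state,
                    "EAP-Message": {"code": "Request", "type": "Challenge",
                                    "challenge": challenge}}
        identity, challenge = self.pending.pop(packet.get("State"), (None, None))
        secret = self.users.get(identity)
        if secret is not None and hmac.compare_digest(
                hmac.new(secret, challenge, hashlib.sha256).digest(), eap["proof"]):
            return {"code": "Access-Accept", "EAP-Message": {"code": "Success"}}
        return {"code": "Access-Reject", "EAP-Message": {"code": "Failure"}}


class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, eap_request):
        if eap_request["type"] == "Identity":
            return {"code": "Response", "type": "Identity", "identity": self.identity}
        proof = hmac.new(self.secret, eap_request["challenge"], hashlib.sha256).digest()
        return {"code": "Response", "type": "Challenge", "proof": proof}


class AuthenticatorPort:
    """One switch port: relays EAP between EAPOL and RADIUS, gates everything else."""

    def __init__(self, radius, guest_vlan=None):
        self.radius, self.guest_vlan = radius, guest_vlan
        self.state = PortState.UNAUTHORIZED
        self.radius_state = None     # RADIUS State attribute echoed on each request
        self.log = []

    def forward(self, ethertype, name):
        """True if a frame is forwarded; non-EAPOL traffic only once the port is open."""
        allowed = ethertype == EAPOL_ETHERTYPE or self.state is not PortState.UNAUTHORIZED
        self.log.append(f"{name}: {'forwarded' if allowed else 'dropped'} ({self.state.name})")
        return allowed

    def authenticate(self, supplicant):
        # steps 1-2: EAPOL-Start from the client, EAP-Request/Identity from the port
        self.log.append("EAPOL-Start -> EAP-Request/Identity")
        eap = supplicant.respond({"type": "Identity"})
        # steps 3-5: relay EAP inside RADIUS until the server accepts or rejects
        while True:
            req = {"code": "Access-Request", "EAP-Message": eap, "State": self.radius_state}
            reply = self.radius.handle(req)
            self.log.append(f"RADIUS {reply['code']}")
            if reply["code"] != "Access-Challenge":
                break
            self.radius_state = reply["State"]
            eap = supplicant.respond(reply["EAP-Message"])
        # step 6: relay EAP-Success/EAP-Failure and set the port state accordingly
        if reply["code"] == "Access-Accept":
            self.state = PortState.AUTHORIZED
        elif self.guest_vlan is not None:
            self.state = PortState.GUEST_VLAN
        self.log.append(f"EAP-{reply['EAP-Message']['code']} -> port {self.state.name}")
        return self.state


def run(identity, secret, guest_vlan=None):
    """Walk one client through the six steps; returns the port for inspection."""
    radius = RadiusServer({"alice": b"correct horse battery staple"})   # constructed user
    port = AuthenticatorPort(radius, guest_vlan)
    port.forward(IPV4_ETHERTYPE, "DHCP Discover before auth")    # dropped: unauthorized
    port.authenticate(Supplicant(identity, secret))
    port.forward(IPV4_ETHERTYPE, "DHCP Discover after auth")
    return port


if __name__ == "__main__":
    print("\n".join(run("alice", b"correct horse battery staple").log))
```

Running it prints the port's log: the first DHCP Discover is dropped while the port is unauthorized, the RADIUS server answers the identity with an Access-Challenge and then an Access-Accept, and only after EAP-Success does the second Discover get forwarded. Passing a wrong secret leaves the port unauthorized; passing `guest_vlan=999` for an unknown user shows the rejected-to-guest-VLAN case from step 6.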
802.1X is only the transport: it carries EAP over Ethernet (EAPOL) between the client and the switch and
mandates no particular EAP method or key-management scheme, leaving that to the RADIUS server and the
department managing it.
All of this happens before the client can obtain an IP address by DHCP, so the RADIUS server has to answer
promptly. Clients typically start DHCP as soon as the link comes up, and those requests are dropped until the
port is authorized; if the RADIUS reply (and the EAP round trips it drives) takes longer than the client's
DHCP retry window, the client's DHCP request can time out. We would need to simulate this to establish what
the tolerable wait-time would be.
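To put numbers on that timing concern, the following added example (written for this page, not code from the original post) models the client's DHCP Discover retransmission schedule against the moment the port opens. It assumes the RFC 2131 nominal backoff of 4, 8, 16, 32 and 64 seconds between attempts and ignores the +/-1 s randomisation; the give-up time is a parameter because it varies by operating system, and `port_open_at` is a constructed stand-in for RADIUS latency plus the EAP round trips. Substitute the retry schedule observed on the client OS actually in use.

```python
"""Added example: does a DHCP Discover get through an 802.1X port that opens
only after RADIUS answers? Assumed schedule: first Discover at link-up (t = 0),
retransmissions per RFC 2131 nominal backoff, randomisation ignored; give-up
time and port-open time are constructed inputs, not measurements."""

DHCP_BACKOFF = (4, 8, 16, 32, 64)   # RFC 2131 section 4.4.1 nominal delays (s)


def discover_times(give_up_after):
    """Instants (s after link-up) at which the client transmits DHCP Discover."""
    times, t = [0], 0
    for delay in DHCP_BACKOFF:
        t += delay
        if t > give_up_after:      # assumed: the client stops retrying here
            break
        times.append(t)
    return times


def first_forwarded_discover(port_open_at, give_up_after):
    """Time of the first Discover the switch forwards, or None if the client gives up first."""
    for t in discover_times(give_up_after):
        if t >= port_open_at:      # port already authorized when this copy is sent
            return t
    return None


def max_tolerable_port_delay(give_up_after):
    """Latest port-open time (s) that still lets one Discover through before give-up."""
    return discover_times(give_up_after)[-1]


if __name__ == "__main__":
    give_up = 60   # assumed client give-up time
    for port_open_at in (2, 10, 30, 70):
        print(f"port opens at {port_open_at:>3}s -> first forwarded Discover:",
              first_forwarded_discover(port_open_at, give_up))
    print("tolerable port delay:", max_tolerable_port_delay(give_up), "s")
```

Note that because the retries are exponential, a small RADIUS delay can still cost the client a long wait: with the port opening at 30 s the first forwarded Discover in this model is the one at 60 s, so the lease completes a full minute after link-up even though the port was blocked for only half that time. That gap, not just the raw RADIUS latency, is what the simulation needs to measure.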