An Explanation of the 802.1X Authentication Process

2020-04-14 23:35

The 802.1X Authentication Process

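1. When a user needs network access, they open the 802.1X client program, enter a username and password, and initiate a connection request. The client program then sends an authentication-request frame to the switch, which starts an authentication exchange, as shown below: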

Frame 90 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:33.446030000
    Time delta from previous packet: 3.105345000 seconds
    Time since reference or first frame: 5.082965000 seconds
    Frame Number: 90
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03
    Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)
    Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Type: 802.1X Authentication (0x888e)
    Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
    Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0xcc6d5b40)
802.1x Authentication
    Version: 1
    Type: Start (1)
    Length: 0

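2. After receiving the authentication-request frame, the switch sends an EAP-Request/Identity frame asking the client program to send the username that the user entered.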

Frame 91 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:33.447236000
    Time delta from previous packet: 0.001206000 seconds
    Time since reference or first frame: 5.084171000 seconds
    Frame Number: 91
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cd
    Destination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)
    Type: 802.1X Authentication (0x888e)
    Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
    Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0x7d263869)
802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 5
Extensible Authentication Protocol
    Code: Request (1)
    Id: 1
    Length: 5
    Type: Identity [RFC3748] (1)

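3. The client program responds to the switch's request by sending an EAP-Response/Identity frame containing the username to the switch. The switch encapsulates the frame received from the client into a RADIUS Access-Request message and sends it to the authentication server for processing.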

Frame 148 (77 bytes on wire, 77 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:36.446199000
    Time delta from previous packet: 2.998963000 seconds
    Time since reference or first frame: 8.083134000 seconds
    Frame Number: 148
    Packet Length: 77 bytes
    Capture Length: 77 bytes
Ethernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03
    Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)
    Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Type: 802.1X Authentication (0x888e)
802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 59
Extensible Authentication Protocol
    Code: Response (2)
    Id: 1
    Length: 13
    Type: Identity [RFC3748] (1)
    Identity (8 bytes): 03051020

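4. After receiving the username forwarded by the switch, the authentication server compares it against the username table in its database, finds the password associated with that username, and processes it with MD5 using a randomly generated Challenge value. It then sends a RADIUS Access-Challenge message, which contains an EAP-Request/MD5-Challenge, to the client through the access device.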

Frame 154 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:36.567003000
    Time delta from previous packet: 0.120804000 seconds
    Time since reference or first frame: 8.203938000 seconds
    Frame Number: 154
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cd
    Destination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)
    Type: 802.1X Authentication (0x888e)
    Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
    Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0x4ec1ac73)
802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 22
Extensible Authentication Protocol
    Code: Request (1)
    Id: 2
    Length: 22
    Type: MD5-Challenge [RFC3748] (4)
    Value-Size: 16
    Value: 1CBFEE2149E38D2928DABB4772D285EB

5. After receiving the EAP-Request/MD5-Challenge message, the client uses the Challenge to process the password with MD5 and sends the result to the switch in an EAP-Response/MD5-Challenge reply. The switch forwards the Challenge, the Challenged Password, and the username together to the RADIUS server for authentication.

Frame 199 (94 bytes on wire, 94 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:39.446161000
    Time delta from previous packet: 2.879158000 seconds
    Time since reference or first frame: 11.083096000 seconds
    Frame Number: 199
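The MD5-Challenge exchange of steps 4 and 5, worked through as an added example (not part of the original article): it parses the EAP payload of frame 154, computes the response as MD5(Identifier || password || Challenge) per RFC 1994, and verifies it the way the authentication server would. The password and all function names are assumptions made for illustration; only the Id, lengths and Challenge value come from the capture.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def parse_md5_challenge(eap: bytes):
    """Parse an EAP MD5-Challenge packet; return (code, identifier, value)."""
    if len(eap) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, ident, length, eap_type, vsize = struct.unpack("!BBHBB", eap[:6])
    if length > len(eap) or eap_type != EAP_TYPE_MD5 or 6 + vsize > length:
        raise ValueError("malformed EAP MD5-Challenge packet")
    return code, ident, eap[6:6 + vsize]

def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_response(ident: int, digest: bytes) -> bytes:
    """Build the EAP-Response/MD5-Challenge carrying the 16-byte digest."""
    body = bytes([EAP_TYPE_MD5, len(digest)]) + digest
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body

def server_verify(response: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the digest from the stored password and compare."""
    code, ident, value = parse_md5_challenge(response)
    expected = md5_response(ident, password, challenge)
    return code == EAP_RESPONSE and hmac.compare_digest(value, expected)

# EAP payload of frame 154 in the capture: Id 2, Length 22, Value-Size 16.
CHALLENGE = bytes.fromhex("1CBFEE2149E38D2928DABB4772D285EB")
REQUEST = struct.pack("!BBHBB", EAP_REQUEST, 2, 22, EAP_TYPE_MD5, 16) + CHALLENGE
PASSWORD = b"example-password"  # constructed; the real password is not on the page

def demo():
    """Client answers the captured challenge; server checks the answer."""
    _code, ident, challenge = parse_md5_challenge(REQUEST)
    resp = build_response(ident, md5_response(ident, PASSWORD, challenge))
    return resp, server_verify(resp, PASSWORD, challenge)

if __name__ == "__main__":
    resp, ok = demo()
    print(resp.hex(), ok)
```

The password itself never crosses the wire, but the Identifier, the Challenge and the response digest are all visible to anyone who can capture the exchange. RFC 3748 accordingly lists EAP-MD5 as providing neither mutual authentication nor protection against dictionary attacks, which is why tunnelled methods such as PEAP or EAP-TLS are preferred for 802.1X deployments.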

