802.1x验证过程讲解.doc

802.1x验证过程1.当用户有上网需求时打开802.1X客户端程序，输入用户名和口令，发起连接请求。此时客户端程序将发出请求认证的报文给交换机，启动一次认证过程。 如下：Frame 90 (64 bytes on wire, 64 bytes captured)Arrival Time: Nov 27, 2006 16:27:33.446030000Time delta from previous packet: 3.105345000 secondsTime since reference or first frame: 5.082965000 secondsFrame Number: 90Packet Length: 64 bytesCapture Length: 64 bytesEthernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)Type: 802.1X Authentication (0x888e)Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5.Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0xcc6d5b40)802.1x AuthenticationVersion: 1Type: Start (1)Length: 02.交换机在收到请求认证的数据帧后，将发出一个EAP-Request/Identitybaowe请求帧要求客户端程序发送用户输入的用户名。Frame 91 (64 bytes on wire, 64 bytes captured)Arrival Time: Nov 27, 2006 16:27:33.447236000Time delta from previous packet: 0.001206000 secondsTime since reference or first frame: 5.084171000 secondsFrame Number: 91Packet Length: 64 bytesCapture Length: 64 bytesEthernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cdDestination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)Type: 802.1X Authentication (0x888e)Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5.Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0x7d263869)802.1x AuthenticationVersion: 1Type: EAP Packet (0)Length: 5Extensible Authentication Protocol Code: Request (1) Id: 1 Length: 5 Type: Identity RFC3748 (1)3.客户端程序响应交换机的请求，将包含用户名信息的一个EAP-Response/Identity送给交换机，交换机将客户端送来的数据帧经过封包处理后生成RADIUS Access-Request报文送给认证服务器进行处理。Frame 148 (77 bytes on wire, 77 bytes captured)Arrival Time: Nov 27, 2006 16:27:36.446199000Time delta from previous packet: 2.998963000 secondsTime since reference or first frame: 8.083134000 secondsFrame Number: 148Packet Length: 77 bytesCapture Length: 77 bytesEthernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)Type: 802.1X Authentication (0x888e)802.1x AuthenticationVersion: 1Type: EAP Packet (0)Length: 59Extensible Authentication Protocol Code: Response (2) Id: 1 Length: 13 Type: Identity RFC3748 (1) Identity (8 bytes): 030510204.认证服务器收到交换机转发上来的用户名信息后，将该信息与数据库中的用户名表相比对，找到该用户名对应的口令信息，用随机生成的一个加密字Challenge对它进行加密处理（MD5），通过接入设备将RADIUS Access-Challenge报文发送给客户端，其中包含有EAP-Request/MD5-Challenge。Frame 154 (64 bytes on wire, 64 bytes captured)Arrival Time: Nov 27, 2006 16:27:36.567003000Time delta from previous packet: 0.120804000 secondsTime since reference or first frame: 8.203938000 secondsFrame Number: 154Packet Length: 64 bytesCapture Length: 64 bytesEthernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cdDestination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)Type: 802.1X Authentication (0x888e)Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5.Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0x4ec1ac73)802.1x AuthenticationVersion: 1Type: EAP Packet (0)Length: 22Extensible Authentication Protocol Code: Request (1) Id: 2 Length: 22 Type: MD5-Challenge RFC3748 (4) Value-Size: 16 Value: 1CBFEE2149E38D2928DABB4772D285EB5.客户端收到EAP-Request/MD5-Challenge报文后，用该加密字对口令部分进行加密处理（MD5）给交换机发送在EAP-Response/MD5-Challenge回应，交换机将Challenge，Challenged Password和用户名一起送到RADIUS 服务器进行认证。Frame 199 (94 bytes on wire, 94 bytes captured)Arrival Time: Nov 27, 2006 16:27:39.446161000Time delta from previous packet: 2.879158000 secondsTime since reference or first frame: 11.083096000 secondsFrame Number: 199Packet Length: 94 bytesCapture Length: 94 bytesEthernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)Type: 802.1X Authentication (0x888e)802.1x AuthenticationVersion: 1Type: EAP Packet (0)Length: 76Extensible Authentication Protocol Code: Response (2) Id: 2 Length: 30 Type: MD5-Challenge RFC3748 (4) Value-Size: 16 Value: CBAC378ABB609123D2BB412840AEC614 Extra data (8 bytes): 30333035313032306.认证服务器将送上来的加密后的口令信息和其自己经过加密运算后的口令信息进行对比，判断用户是否合法，然后回应认证成功/失败报文到接入设备。如果认证成功，则向交换机发出打开端口的指令，允许用户的业务流通过端口访问网络。否则，保持交换机端口的关闭状态，只允许认证信息数据通过。Frame 205 (243 bytes on wire, 243 bytes captured)Arrival Time: Nov 27, 2006 16:27:39.632706000Time delta from previous packet: 0.186545000 secondsTime since reference or first frame: 11.269641000 secondsFrame Number: 205Packet Length: 243 bytesCapture Length: 243 bytesEthernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cdDestination: 00:e0:4c