
Introduction of three common ways of network access authentication

2025-01-31 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

Network authentication is the first function a user encounters when connecting to a network, especially a wireless one. Today it is almost impossible to find a network that can be accessed without authentication.

There are three common network authentication technologies: 802.1X, MAB, and WebAuth. This article briefly introduces the implementation principles and application scenarios of each.

802.1X

The 802.1X protocol is a client/server-based access control and authentication protocol. It prevents unauthorized users and devices from accessing the LAN/WLAN through access ports. 802.1X authenticates the users and devices connected to a switch port before they can use the services provided by the switch or the LAN. Until authentication succeeds, 802.1X allows only EAPoL (Extensible Authentication Protocol over LAN) frames to pass through the switch port the device is connected to; after authentication, normal data can pass through the Ethernet port.

802.1X is the earliest protocol used for network admission authentication, and it is still widely used today. For the same reason, common network devices such as switches, wireless access points, and wireless controllers support 802.1X by default.

The most criticized aspect of 802.1X is its C/S (client/server) architecture: a terminal that needs to access the network must be able to run client software before it can authenticate. This is cumbersome and leads to compatibility problems, especially when vendors use a large number of proprietary attributes. In recent years, as the protocol has matured and under pressure from customers, the standard version of 802.1X has improved greatly. Mainstream network equipment vendors now support authentication with the 802.1X clients built into the various operating systems, so no third-party client software needs to be installed.

802.1X-based non-aware authentication

The client software built into the operating system can automatically detect wireless networks, connect automatically, and authenticate automatically with a saved account and password, which gives end users a "non-aware" authentication experience.

WebAuth

WebAuth is also known as Web Portal authentication. It works as follows: before the user has authenticated, a request to any address is redirected to a specified page (called the Portal), where the user must enter an account and password. After authentication, the user can access the Internet. Compared with 802.1X, the back end is still the RADIUS protocol, but the part that interacts with the user changes from EAPoL to HTTP.

The benefit of WebAuth is obvious: no client needs to be installed. In other words, it is a B/S (browser/server) authentication method. Another obvious benefit is that WebAuth gives the operator a Portal page for interacting with users, and a great deal can be built on that page. This is why all public wireless networks now use WebAuth authentication: merchants push advertisements, notifications, and so on through the Portal page, and because every user must pass through it to get online, advertisements shown there are very effective.

WebAuth also has many derived forms. They differ only in the elements used for authentication, while the authentication mode itself remains WebAuth. Examples include authentication with SMS verification codes and authentication through WeChat Official Accounts, each designed around the information the authentication provider wants to collect.

MAB

MAB stands for MAC Address Bypass. The 802.1X and WebAuth methods described above require the terminal to enter an account and password, but this is impossible for some dumb devices such as network printers and IP phones. MAB was introduced to authenticate these devices. The MAB process is as follows: when a device connects, the network access device obtains the device's MAC address and initiates verification on its behalf; the back-end RADIUS server checks whether the MAC address is preset in the system; if it is, the access device is told to admit the terminal; if not, the device's network access is rejected.

Authentication sequence (FlexAuth)

The three network access authentication methods above can be used in combination. Cisco calls this FlexAuth, that is, an authentication sequence. Advanced authentication systems such as Cisco ISE, Sharp SMP and SAM all support it. Two or more authentication methods can be configured on the same network interface at the same time, with a priority for each, to achieve surprisingly useful results such as the one described below:

WebAuth non-aware authentication

WebAuth does not require a client, but entering an account and password every time you go online is still cumbersome. For regular users (such as enterprise employees), this can be solved with FlexAuth by combining MAB and WebAuth: both are configured on the same interface, with MAB at the highest priority, followed by WebAuth. When the user connects for the first time, the system checks whether MAC address authentication succeeds. If it fails, that is, the MAC address is not in the authentication system, a Portal page pops up so the user can authenticate with an account and password. If this authentication succeeds, the user is legitimate, and the user's MAC address is recorded at the same time. When the user connects a second time or later, the MAC address is still checked first. Because the MAC address was registered during the first access, the user is authenticated by MAB from the second access onward, and the final experience for the user is non-aware authentication.
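The MAB check and the MAB-then-WebAuth sequence described above can be traced in a small simulation. This is an added example, not code from the article or from any vendor; `AuthServer`, `access` and the sample MAC addresses and account are hypothetical, constructed stand-ins for the RADIUS back end and the access device.

```python
import hmac
import re

def normalize_mac(raw):
    """Canonicalise 'AA-BB-..', 'aabb.ccdd.eeff' or 'aa:bb:..' to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[.:-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class AuthServer:
    """Hypothetical stand-in for the RADIUS back end (constructed data only)."""

    def __init__(self, accounts, preset_macs=()):
        self.accounts = dict(accounts)            # username -> password
        self.known_macs = {normalize_mac(m) for m in preset_macs}

    def mab(self, mac):
        # MAB: the only question is whether the MAC is already in the system.
        return normalize_mac(mac) in self.known_macs

    def webauth(self, mac, username, password):
        expected = self.accounts.get(username)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            # A successful portal login records the MAC for later MAB.
            self.known_macs.add(normalize_mac(mac))
        return ok

def access(server, mac, credentials=None):
    """One connection attempt on a port configured MAB first, then WebAuth."""
    if server.mab(mac):
        return ("permit", "mab")
    if credentials is None:
        return ("redirect", "webauth")            # portal page is shown
    if server.webauth(mac, *credentials):
        return ("permit", "webauth")
    return ("deny", "webauth")

def demo():
    # Constructed sample: one preset printer MAC, one employee account.
    server = AuthServer({"alice": "s3cret-example"}, ["0011.2233.4455"])
    laptop = "AA-BB-CC-DD-EE-01"
    return [
        access(server, "00:11:22:33:44:55"),                  # preset device
        access(server, laptop),                               # first visit
        access(server, laptop, ("alice", "s3cret-example")),  # portal login
        access(server, laptop),                               # second visit
    ]

if __name__ == "__main__":
    for step in demo():
        print(step)
```

From the second visit on, the decision rests on the MAC address alone, so the table of learned addresses is worth expiring and auditing like any other credential store.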

The above is an introduction to three common network authentication technologies and their extensions, hoping to be useful to everyone.
