SoFunction
Updated on 2025-04-11

Introduction to 802.1x authentication technology

1 Background

Thanks to its cost-effectiveness and media characteristics, Ethernet has gradually become the dominant access technology for home networks, enterprise LANs and telecommunications-grade metropolitan area networks. With the emergence of 10 Gbit/s Ethernet, Ethernet technology will also gain a place in the wide area network. Telecom operators and broadband access providers have begun to offer access services based on Ethernet or on pure Ethernet. For most services in Ethernet networks, the operator cannot fully control client devices or media physically; to deliver operable, manageable broadband services, it must control users or user equipment logically. This control is implemented mainly through authentication and authorization of users and user equipment. Generally speaking, the types of service that require authentication and authorization include:

(1) Ethernet metropolitan area network services provided to multi-user systems. These include typical TLS (Transparent LAN Service) offerings and L2 or L3 VPN services. In this networking environment, the switch at the customer front end is shared by multiple users within the same building.

(2) Hot spots (such as airports, shopping malls, schools and restaurants) providing wireless Ethernet access over IEEE 802.11a and IEEE 802.11b, where access authentication is required per user device or per user to prevent unauthorized users from gaining access.

(3) DSL services and IP-over-Ethernet access networks based on ATM (RFC 1483).

(4) EPON access and EoVDSL services based on EFM (Ethernet in the First Mile, IEEE 802.3ah).

(5) Ethernet-based access over shared RF channels on cable networks.

2 Technical Analysis of IEEE 802.1x Protocol

IEEE officially promulgated the IEEE 802.1x standard in 2001 for user/equipment access authentication on Ethernet LANs, metropolitan area networks and the various broadband access methods. The standard adopts user access control based on Ethernet ports: only users permitted and authorized by the network system can use its services (Ethernet connectivity, network-layer routing, Internet access and so on). It not only overcomes many problems of the PPPoE method, but also avoids the huge investment that introducing centralized broadband access servers would require.

802.1x is a client/server access control and authentication protocol. It restricts unauthorized users/devices from reaching the LAN/MAN through access ports: 802.1x authenticates users/devices connected to switch ports before they obtain any of the services provided by the switch or the LAN. Until authentication succeeds, 802.1x allows only EAPoL (Extensible Authentication Protocol over LAN) traffic through the switch port; once authentication succeeds, normal data passes through the Ethernet port unhindered.

An Extensible Authentication Protocol (EAP) agent runs on the user-side Ethernet switch, and the user PC runs EAPoL (EAP over LAN) client software to communicate with the switch. The core of the network access technology is the PAE (Port Access Entity). In the access control process, the port access entities comprise three roles: the authenticator (the port that authenticates the accessing user/device), the supplicant or requestor (the user/device being authenticated), and the authentication server (the device that performs the actual authentication of the user/device requesting network resources, based on the information relayed by the authenticator).

Each physical Ethernet port is divided into two logical ports, a controlled port and an uncontrolled port, and every frame received on the physical port is made available to both. Access through the controlled port is limited by the controlled port's authorization state. The authenticator's PAE sets the controlled port to the authorized or unauthorized state according to the outcome of the authentication server's authentication process. A controlled port in the unauthorized state denies access to users/devices.

2.1 802.1x authentication features

The 802.1x protocol based on Ethernet port authentication has the following features:

(1) The IEEE 802.1x protocol is a layer 2 protocol and does not need to reach layer 3. It places no high performance demands on the equipment, which effectively reduces the cost of network construction.

(2) Borrowing EAP (Extensible Authentication Protocol), which is commonly used in RAS systems, provides good scalability and adaptability and keeps compatibility with the traditional PPP authentication architecture.

(3) The 802.1x authentication architecture adopts the logical functions of "controlled port" and "uncontrolled port", so that service and authentication can be separated. RADIUS and the switch use the uncontrolled logical port to jointly complete user authentication and control, while service packets are carried directly in ordinary layer 2 frames and exchanged through the controlled port. Authenticated data packets are plain data packets that need no extra encapsulation.

(4) The existing backend authentication system can be used to reduce the deployment cost and have rich business support.

(5) Different user authentication levels can be mapped to different VLANs.

(6) Both switch ports and wireless LANs can be given secure, authenticated access.

2.2 802.1x application environments

2.2.1 Switched Ethernet network environment

With the continuous evolution of Ethernet technology, the architecture of local and metropolitan area networks has developed into a fully switched environment. In a switched Ethernet network, user equipment is generally connected directly over dedicated Category 5 cabling to a port on the Ethernet switch, so one user device normally corresponds to one physical switch port. In this architecture the physical switch port can directly detect the state of the user device, judge the device's authentication status from the condition of the equipment and the line, and act accordingly. The biggest problem facing this network structure is "mounting" (piggybacking). "Mounting" means that, when 802.1x authentication is used and a shared device sits between the user network and the access Ethernet switch, as soon as one device/user on the user network passes authentication at the access switch and opens the port's network access rights, other unauthenticated users/devices on the same user network obtain network access as well.

In switched Ethernet networks the connection between user and network is a point-to-point physical link, and users are isolated from one another by VLANs. In this environment the key to network management is user access control, and 802.1x does not need to provide many additional security mechanisms.

2.2.2 Shared network environment

When 802.1x is applied to a shared network environment, the PAE entity must be extended further, from a single physical port to multiple independent logical ports, in order to prevent problems like "mounting". Each logical port corresponds one-to-one with a user/device, and the authentication process and result of each logical port are independent of the others. In a shared network the users share the access medium, so management of the access network must address both user access control and user data security. A security measure that can be adopted is to encrypt and encapsulate the user's EAPoL and other data.
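The port model described in section 2 (controlled and uncontrolled logical ports, EAPoL on EtherType 0x888E) and the "mounting" problem of a shared segment above can be seen together in a small simulation. The following Python is an added example, not code from the original article: it models one authenticator port that forwards EAPoL frames to the uncontrolled port unconditionally and gates every other EtherType on the controlled port's authorization state. The `per_mac` switch turns the single physical port into per-MAC logical ports as section 2.2.2 prescribes. The MAC addresses, the `AuthenticatorPort` class and the `piggyback_scenario` function are constructed for illustration; the EtherType, EAPOL header layout and PAE group address are the values from IEEE 802.1X.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E   # EtherType of EAPoL frames (IEEE 802.1X)
ETHERTYPE_IPV4 = 0x0800

# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return frame[:6], frame[6:12], ethertype, frame[14:]


def eapol(packet_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: protocol version(1) packet type(1) body length(2) + body."""
    return struct.pack("!BBH", 1, packet_type, len(body)) + body


@dataclass
class AuthenticatorPort:
    """One physical port of an 802.1X authenticator (switch or AP side).

    per_mac=False: one controlled port for the whole physical port
    (switched Ethernet, one host per port).
    per_mac=True:  one logical port per source MAC (shared medium); every
    logical port carries its own authorization state.
    """
    per_mac: bool = False
    authorized: set = field(default_factory=set)
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def _port_key(self, src: bytes):
        # Logical ports are keyed by supplicant MAC; a physical port by a fixed key.
        return src if self.per_mac else "physical"

    def set_authorized(self, src: bytes, verdict: bool) -> None:
        """Apply the authentication server's verdict for the supplicant at `src`."""
        key = self._port_key(src)
        if verdict:
            self.authorized.add(key)
        else:
            self.authorized.discard(key)

    def receive(self, frame: bytes) -> str:
        dst, src, ethertype, payload = parse_frame(frame)
        if ethertype == ETHERTYPE_EAPOL:
            # Uncontrolled port: always open, but only for EAPoL, handled by the PAE.
            if payload[1] == EAPOL_LOGOFF:
                self.set_authorized(src, False)
            return "uncontrolled"
        # Controlled port: data frames pass only while the port is authorized.
        if self._port_key(src) in self.authorized:
            self.forwarded.append((src, ethertype))
            return "forwarded"
        self.dropped.append((src, ethertype))
        return "dropped"


# Constructed sample MACs: two stations behind the same access port (e.g. a hub).
STATION_A = bytes.fromhex("020000000001")
STATION_B = bytes.fromhex("020000000002")
SWITCH = bytes.fromhex("020000000100")
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
IPV4_DATA = b"\x45" + b"\x00" * 19           # constructed dummy IPv4 payload


def piggyback_scenario(per_mac: bool):
    """Station A authenticates, then both A and B send IPv4 data, then A logs off.

    Returns (A's result, B's result, B's result after A's EAPOL-Logoff).
    """
    port = AuthenticatorPort(per_mac=per_mac)
    a_ip = build_frame(SWITCH, STATION_A, ETHERTYPE_IPV4, IPV4_DATA)
    b_ip = build_frame(SWITCH, STATION_B, ETHERTYPE_IPV4, IPV4_DATA)
    assert port.receive(a_ip) == "dropped"                      # nothing authorized yet
    port.receive(build_frame(PAE_GROUP, STATION_A, ETHERTYPE_EAPOL, eapol(EAPOL_START)))
    port.set_authorized(STATION_A, True)                        # server accepted A
    a_result = port.receive(a_ip)
    b_result = port.receive(b_ip)                               # B never authenticated
    port.receive(build_frame(PAE_GROUP, STATION_A, ETHERTYPE_EAPOL, eapol(EAPOL_LOGOFF)))
    b_after = port.receive(b_ip)
    return a_result, b_result, b_after


if __name__ == "__main__":
    print("single port :", piggyback_scenario(per_mac=False))  # B rides on A's authorization
    print("per-MAC port:", piggyback_scenario(per_mac=True))   # B stays blocked
```

With a single controlled port the scenario returns `("forwarded", "forwarded", "dropped")`: station B's data is forwarded merely because A authenticated on the same physical port, which is exactly the "mounting" case, and A's logoff then cuts B off too. With per-MAC logical ports it returns `("forwarded", "dropped", "dropped")`, because each station's authorization state is independent.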

Taking wireless LANs (IEEE 802.11a and 802.11b) as the example of a shared Ethernet environment, an association must be established between the client device and a specific AP. Based on the MAC addresses of the client device and the AP, the association also includes a unicast session key. Since the client's MAC address is unique, the MAC-address association and the unicast session key are unique to that client device and AP. This key creates an independent logical port on the AP for each terminal in the wireless cell. Once the logical port is established, the AP can apply 802.1x authentication to the user terminal belonging to each independent logical port. Authentication methods such as EAP-TLS and EAP-TTLS can also solve the security problems caused by the use of static WEP in wireless LANs: with EAP-TLS and EAP-TTLS, a new WEP key is generated dynamically for each connection, and new keys can be generated at set intervals during the connection. In a real network, the security defects of statically allocated WEP keys can thus be compensated for by shortening the WEP key redistribution cycle.

2.3 Security analysis of 802.1x authentication

IEEE 802.1x, like PPP, uses EAP as the mechanism for exchanging authentication information, and EAP messages are encapsulated in EAPoL packets. As a carrier for authentication messages, EAP allows the authenticator and the supplicant to negotiate a flexible authentication method, and it remains compatible with the more advanced authentication technologies that will emerge in the future. These properties of EAP come mainly from the extensible "EAP type" field, which vendors may extend. The authentication types defined in the "EAP type" field can satisfy the security needs of different authentication levels. EAP types currently in use include EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP.

The EAP-MD5 method provides simple centralized user authentication through the RADIUS server. The server requires no certificates or other security material on the wireless workstation: when the user registers, the server only checks the user name and password, and if they match it tells the client that it may access the network service. Since EAP-MD5 provides authentication only, for security it should be combined with the standard 802.11 security protocol WEP/WEP2, with encryption using a 40-bit/128-bit shared key. EAP-MD5 is a one-way authentication mechanism: it authenticates the client to the server but gives no assurance of the server's identity to the client.
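The EAP-MD5 exchange just described can be made concrete by encoding the packets and running both sides. The Python below is an added example and not code from the original article: it builds EAP packets with the RFC 3748 header (code, identifier, length) and the MD5-Challenge type-data (type 4, value size, value, name), computes the CHAP-style response MD5(identifier || password || challenge), and has a stand-in for the RADIUS server verify it. The `AuthServer` class, the user `alice`, the NAS name and the password are constructed for illustration. The final EAP-Success packet returned by `run_exchange` has no type-data at all, which is the one-way property in the text: the supplicant is handed a verdict it has no way to verify.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code: int, ident: int, type_data: bytes = b"") -> bytes:
    """EAP header: code(1) identifier(1) length(2), then type + type-data.
    Success and Failure carry no type-data at all."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data


def parse_eap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, pkt[4:]


def md5_type_data(value: bytes, name: bytes) -> bytes:
    """MD5-Challenge type-data: Type(1)=4, Value-Size(1), Value, Name."""
    return bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name


def parse_md5_type_data(data: bytes):
    if len(data) < 2 or data[0] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge")
    size = data[1]
    return data[2:2 + size], data[2 + size:]          # (value, name)


def md5_response_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AuthServer:
    """Stand-in for the RADIUS server (constructed): the only party holding passwords."""

    def __init__(self, users: dict):
        self.users = users                               # username -> password

    def challenge(self, ident: int, server_name: bytes = b"nas01"):
        """Issue a fresh random challenge and the EAP-Request carrying it."""
        chal = os.urandom(16)
        return chal, eap_packet(EAP_REQUEST, ident, md5_type_data(chal, server_name))

    def verify(self, ident: int, challenge: bytes, response: bytes) -> bool:
        code, rid, data = parse_eap(response)
        if code != EAP_RESPONSE or rid != ident:
            return False
        value, user = parse_md5_type_data(data)
        password = self.users.get(user)
        if password is None:
            return False
        expected = md5_response_value(ident, password, challenge)
        return hmac.compare_digest(value, expected)   # constant-time comparison


def supplicant_answer(request: bytes, user: bytes, password: bytes) -> bytes:
    """Supplicant side: read the challenge out of the Request and answer it."""
    code, ident, data = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    challenge, _server_name = parse_md5_type_data(data)
    value = md5_response_value(ident, password, challenge)
    return eap_packet(EAP_RESPONSE, ident, md5_type_data(value, user))


def run_exchange(server: AuthServer, user: bytes, password: bytes, ident: int = 1):
    """Full MD5-Challenge round trip. Returns (verdict, final EAP code, final type-data)."""
    challenge, request = server.challenge(ident)
    response = supplicant_answer(request, user, password)
    ok = server.verify(ident, challenge, response)
    final = eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)
    code, _, data = parse_eap(final)
    return ok, code, data


if __name__ == "__main__":
    server = AuthServer({b"alice": b"s3cret"})          # constructed user database
    print(run_exchange(server, b"alice", b"s3cret"))    # (True, 3, b'')
    print(run_exchange(server, b"alice", b"wrong"))     # (False, 4, b'')
```

Run with the correct password the exchange returns `(True, 3, b'')`; with a wrong password or unknown user it returns `(False, 4, b'')`. In both cases the last element is empty: nothing in EAP-Success or EAP-Failure proves who sent it, which is why the text pairs EAP-MD5 with link encryption and why the certificate-based methods that follow are needed for mutual authentication.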

The EAP-TLS method provides certificate-based mutual authentication. Besides the session identifier (Session ID) agreed between host and server when the connection is set up, it requires certificates to have been issued beforehand to both the client and the server over a secure channel. EAP-TLS provides both authentication and dynamic session key distribution, and the RADIUS server must support EAP-TLS authentication and certificate management. TLS supports mutual authentication: the network (the EAP-TLS server) authenticates the end user (client), and the end user authenticates the network. Only after mutual authentication succeeds does the server send an EAP-Success message to the access authentication point, signalling that the user terminal may send and receive data. This message also triggers encryption of the data stream, and the terminal sends no data until the encryption key has been established.

EAP-TTLS allows traditional username/password-based authentication mechanisms to be used, working in conjunction with CHAP (Challenge Handshake Authentication Protocol), PAP, One-Time Password and EAP authentication. The client uses the digital certificate presented by the TTLS server to authenticate the network side, in the same way a secure web server is authenticated. Once the authentication tunnel is established, secure authentication of the end user begins. EAP-TTLS can thus ensure the identity of end users on the wireless access medium and prevent anonymous users from using the network illegitimately. As with EAP-TLS, the server sends an EAP-Success message to the access authentication point only after mutual authentication succeeds, indicating that the user terminal may send and receive data; this message also triggers encryption of the data stream, and the terminal sends no data until the encryption key has been established.

2.4 Advantages of 802.1x authentication

Taken together, the technical characteristics of IEEE 802.1x give it the following advantages:

(1) Concise and efficient. The pure Ethernet core keeps the connectionless nature of IP networks and needs no multi-layer encapsulation between protocols. It eliminates unnecessary overhead and redundant, expensive multi-service gateway equipment, removes the authentication and billing bottleneck and single point of failure, and easily supports multiple services and emerging streaming services.

(2) Easy to implement. It can be deployed on ordinary L3 and L2 switches and IP DSLAMs. The overall network construction cost is low, the traditional AAA authentication architecture can be kept, and existing RADIUS equipment can be reused.

(3) Secure and reliable. User authentication is implemented at layer 2, and binding MAC address, port, account, VLAN and password together gives high security. In wireless LAN environments, 802.1x combined with EAP-TLS and EAP-TTLS allows dynamic distribution of WEP keys and overcomes the security vulnerabilities of wireless LAN access.

(4) Industry standard. It is an IEEE standard like Ethernet itself and integrates seamlessly with Ethernet technology. Almost all equipment from mainstream data device manufacturers (routers, switches, wireless APs, etc.) supports the protocol, and on the client side both Linux and Microsoft Windows XP support it.

(5) Flexible application. The granularity of authentication can be controlled flexibly to authenticate a single user connection, a user ID or an access device, and authentication levels can be combined to meet the needs of specific access technologies or services.

(6) Easy to operate. The control flow and the service flow are completely separated, which makes cross-platform multi-service operation easy. Networks with a single charging model, such as traditional monthly packages, can be upgraded to an operation-grade network, and operating costs are also expected to fall.

3 Application suggestions for 802.1x in telecommunications-grade IP broadband networks

The overall architecture of 802.1x authentication in telecommunications-grade broadband networks is shown in Figure 2. Based on the preceding analysis of the technical characteristics and advantages of 802.1x, the author believes the following five principles should be followed when applying 802.1x in telecommunications-grade networks.

3.1 Using WLAN as the breakthrough point

The application of 802.1x authentication in telecommunications-grade broadband networks should take WLAN as its breakthrough point. From the beginning, 802.1x work has included a lot of research and exploration of WLAN-based authentication, and the period in which WLAN equipment came into large-scale use coincided roughly with the standardization of 802.1x; at present the WLAN APs of most manufacturers support 802.1x authentication. Technically, a WLAN is a shared Ethernet access network, whose security problems and user control are harder to solve than those of wired Ethernet access. As a new application on broadband networks, WLAN carries no historical burden and is not constrained by existing network conditions in network construction and device selection. For these reasons WLAN is the vanguard for applying 802.1x technology.

3.2 Authentication at the network edge and distributed authentication

Placing authentication at the network edge makes full use of the advantages of 802.1x port-based authentication. Edge authentication means locating the authentication device in the network where it interfaces directly with the user equipment/network. An authentication device at the edge can sense and monitor the link state between itself and the user equipment; as the link state changes it can apply corresponding policies and actively require the user/equipment to initiate authentication. This ability to perceive link state is also the basis on which the operator can perform network fault detection and carry out operation and maintenance smoothly, so it can be said that edge authentication solves the problem of line maintenance and fault diagnosis in broadband access networks. Users can be isolated within the local access segment, with no need for layer 2 isolation between the user and the access authentication server, which reduces the complexity of VLANs on the switches and makes network traffic easier to plan, manage and control. Edge authentication implies distributing the authentication devices, which avoids the network performance and reliability bottlenecks of centralized PPPoE authentication.

3.3 Centralized user management

Although 802.1x authentication is distributed, a centralized approach to user management is recommended, covering both wired and wireless access users. On the one hand, centralized management is easy to operate and maintain and keeps user information consistent within a single management domain; on the other hand, centralized, unified user management is a prerequisite for roaming between different access means with one user account, so that users see a unified interface when switching between networks or access types. Centralized user management is also used in PPPoE authentication, so by upgrading the existing RADIUS equipment, 802.1x can fully inherit the PPPoE authentication system, avoiding large-scale changes to the network structure and making the project easy to implement.

3.4 Multi-service access, taking into account the characteristics of network technology

802.1x is an integral part of the IEEE Ethernet protocol family, and its scope covers pure Ethernet as well as multi-service access methods such as WLAN, xDSL, Category 5 cabling, cable and EPON. Taking xDSL as an example, on the one hand pure-Ethernet xDSL access such as EoVDSL has emerged; on the other hand, in ATM-based xDSL, the arrival of the IP DSLAM and its layer 3 routing requirements make 802.1x the best fit. Note that switched Ethernet and shared Ethernet have different technical characteristics, which must be taken into account when applying 802.1x.

3.5 Gradually replacing PPPoE

802.1x technology represents the direction of telecommunications-grade broadband network development: separation of authentication from service, and support for multiple services. PPPoE's flaws destine it for a transitional role; in fact PPPoE was itself adopted as a stopgap for broadband access authentication, but replacing it with 802.1x is a gradual process. The state of the existing network must be considered, and the main problem is that corridor (building) switches have simple functionality and do not support 802.1x. Two approaches can be considered: first, upgrade the corridor switch software to support 802.1x; second, extend the 802.1x protocol so that EAP can be carried over VLANs, perform 802.1x authentication on the aggregation-layer switch, and have the downstream layer 2 switches isolate users by VLAN. Ultimately, edge authentication requires user-facing access devices that can manage and control user access directly.

4 Conclusion

As Ethernet technology spreads through broadband networks, various Ethernet-based services have emerged and become the main body of broadband network services. In broadband access, pure Ethernet or Ethernet-related access technologies have become the major trend in access network development. As an integral part of the IEEE protocol family, 802.1x provides, in the Ethernet environment, a port-based access control method that separates authentication from service and offers high flexibility and strong adaptability. Compared with the PPPoE solution widely used today, 802.1x not only integrates well with Ethernet technology but also has excellent multi-service support and diverse accounting and billing capabilities. At this stage 802.1x still has some shortcomings in its application to telecom broadband networks, but as it continues to improve and mature, the 802.1x protocol will become an indispensable part of them.