
8021 Protocol Authentication Process.docx
802.1X Protocol Authentication Process

The detailed authentication process is as follows:

1. After the authentication client starts, it sends a Start authentication request frame to the whole network every 2 minutes. The source address of the request frame is the client's MAC address, and the destination address is the multicast address (01-80-C2-00-00-03). At the start of authentication, the client sends the authentication start packet (EAPOL Start frame).

[Figure: packet capture with frame 1 selected (EAPOL, Start)]

2. When the authenticating switch receives the Start packet, it sends an authentication request packet (EAP Request/Identity frame) to the client that is joining the network. The source address of the frame is the switch's MAC address, and the destination address is the multicast address (01-80-C2-00-00-03). If there is no authenticating switch on the network, or authentication is not enabled, the client will not receive the authentication request packet (EAP Request/Identity frame).

[Figure: packet capture with frame 2 selected (EAP Request, Identity)]

3. The client program responds to the switch's request and sends the user name to the switch in an authentication response packet (EAP Response/Identity frame). The source address of the frame is the client's MAC address, and the destination address is the multicast address (01-80-C2-00-00-03).

[Figure: packet capture with frame 3 selected (EAP Response, Identity)]

4. The switch encapsulates the ordinary Response frame received from the client, converting it into an ordinary data packet (RADIUS Access-Request message), and sends it to the RADIUS server for processing. The source address of the packet is the switch's address, and the destination address is the RADIUS server's address.

[Figure: packet capture]
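The frames exchanged in steps 1 to 3, decoded by a small EAPOL/EAP parser. This is an added example, not part of the original document; the MAC addresses, the user name `alice` and the helper `build` are constructed for illustration.

```python
import struct

PAE_GROUP = bytes.fromhex("0180c2000003")   # multicast address 01-80-C2-00-00-03
ETH_EAPOL = 0x888E                          # EtherType for EAP over LAN
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Legacy Nak", 4: "MD5-Challenge", 25: "PEAP"}

def parse_eapol(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying EAPOL; raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]          # ignore Ethernet padding after the body
    if len(body) < length:
        raise ValueError("EAPOL length exceeds captured data")
    out = {"src": src.hex(":"), "to_pae_group": dst == PAE_GROUP,
           "version": version, "eapol_type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:                        # EAP packet: code, id, length, [type, data]
        if length < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("bad EAP length")
        out.update(code=EAP_CODES.get(code, code), id=ident)
        if code in (1, 2) and eap_len >= 5:
            out["eap_type"] = EAP_TYPES.get(body[4], body[4])
            if body[4] == 1:              # Identity: the user name is sent unencrypted
                out["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return out

def build(dst, src, version, ptype, body=b""):
    """Constructed sample frames only; pads to the 60-byte Ethernet minimum."""
    f = dst + src + struct.pack("!HBBH", ETH_EAPOL, version, ptype, len(body)) + body
    return f.ljust(60, b"\x00")

CLIENT = bytes.fromhex("020000000001")    # constructed MACs (locally administered)
SWITCH = bytes.fromhex("020000000002")
START = build(PAE_GROUP, CLIENT, 1, 1)                                     # step 1
REQ_ID = build(PAE_GROUP, SWITCH, 3, 0, struct.pack("!BBHB", 1, 1, 5, 1))  # step 2
RESP_ID = build(PAE_GROUP, CLIENT, 1, 0,
                struct.pack("!BBHB", 2, 1, 10, 1) + b"alice")              # step 3

if __name__ == "__main__":
    for frame in (START, REQ_ID, RESP_ID):
        print(parse_eapol(frame))
```

The parser trusts neither length field: the EAPOL length is checked against the captured bytes and the EAP length against the EAPOL body, so padded or truncated frames are rejected instead of misread.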
