Let's look at someone else's verification analysis of the exchange:
1. When the user needs network access, they open the 802.1X client program, enter a username and password, and initiate a connection. The client program sends an authentication-request frame (EAPOL-Start) to the switch, which starts one authentication run.
As follows:
Frame 90 (64 bytes on wire, 64 bytes captured)
Arrival Time: Nov 27, 2006 16:27:33.446030000
Time delta from previous packet: 3.105345000 seconds
Time since reference or first frame: 5.082965000 seconds
Frame Number: 90
Packet Length: 64 bytes
Capture Length: 64 bytes
Ethernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03
Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)
Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
Type: 802.1X Authentication (0x888e)
Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0xcc6d5b40)
802.1x Authentication
Version: 1
Type: Start (1)
Length: 0
2. On receiving the authentication-request frame, the switch sends an EAP-Request/Identity frame asking the client program for the username the user entered.
Frame 91 (64 bytes on wire, 64 bytes captured)
Arrival Time: Nov 27, 2006 16:27:33.447236000
Time delta from previous packet: 0.001206000 seconds
Time since reference or first frame: 5.084171000 seconds
Frame Number: 91
Packet Length: 64 bytes
Capture Length: 64 bytes
Ethernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cd
Destination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)
Type: 802.1X Authentication (0x888e)
Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0x7d263869)
802.1x Authentication
Version: 1
Type: EAP Packet (0)
Length: 5
Extensible Authentication Protocol
Code: Request (1)
Id: 1
Length: 5
Type: Identity [RFC3748] (1)
3. The client program answers the switch's request with an EAP-Response/Identity carrying the username. The switch encapsulates the client's frame into a RADIUS Access-Request packet and sends it to the authentication server for processing.
Frame 148 (77 bytes on wire, 77 bytes captured)
Arrival Time: Nov 27, 2006 16:27:36.446199000
Time delta from previous packet: 2.998963000 seconds
Time since reference or first frame: 8.083134000 seconds
Frame Number: 148
Packet Length: 77 bytes
Capture Length: 77 bytes
Ethernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03
Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)
Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
Type: 802.1X Authentication (0x888e)
802.1x Authentication
Version: 1
Type: EAP Packet (0)
Length: 59
Extensible Authentication Protocol
Code: Response (2)
Id: 1
Length: 13
Type: Identity [RFC3748] (1)
Identity (8 bytes): 03051020
4. After the authentication server receives the username forwarded by the switch, it looks it up in its user database to find the corresponding password and generates a random 16-byte challenge. It sends a RADIUS Access-Challenge packet to the access device, which delivers it to the client as an EAP-Request/MD5-Challenge carrying that challenge; the server keeps the stored password so it can recompute the expected MD5 response in step 6.
Frame 154 (64 bytes on wire, 64 bytes captured)
Arrival Time: Nov 27, 2006 16:27:36.567003000
Time delta from previous packet: 0.120804000 seconds
Time since reference or first frame: 8.203938000 seconds
Frame Number: 154
Packet Length: 64 bytes
Capture Length: 64 bytes
Ethernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cd
Destination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)
Type: 802.1X Authentication (0x888e)
Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0x4ec1ac73)
802.1x Authentication
Version: 1
Type: EAP Packet (0)
Length: 22
Extensible Authentication Protocol
Code: Request (1)
Id: 2
Length: 22
Type: MD5-Challenge [RFC3748] (4)
Value-Size: 16
Value: 1CBFEE2149E38D2928DABB4772D285EB
5. After receiving the EAP-Request/MD5-Challenge, the client computes MD5 over the EAP Identifier, the password and the challenge (the CHAP construction of RFC 1994, which RFC 3748 reuses for MD5-Challenge) and returns the 16-byte digest in an EAP-Response/MD5-Challenge. The switch forwards the challenge, this response and the username to the RADIUS server for authentication. In frame 199 below, the 8 bytes Wireshark labels "Extra data", 3033303531303230, are the ASCII string "03051020": the identity from frame 148, carried in the MD5-Challenge Name field.
Frame 199 (94 bytes on wire, 94 bytes captured)
Arrival Time: Nov 27, 2006 16:27:39.446161000
Time delta from previous packet: 2.879158000 seconds
Time since reference or first frame: 11.083096000 seconds
Frame Number: 199
Packet Length: 94 bytes
Capture Length: 94 bytes
Ethernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03
Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)
Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
Type: 802.1X Authentication (0x888e)
802.1x Authentication
Version: 1
Type: EAP Packet (0)
Length: 76
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 30
Type: MD5-Challenge [RFC3748] (4)
Value-Size: 16
Value: CBAC378ABB609123D2BB412840AEC614
Extra data (8 bytes): 3033303531303230
6. The authentication server compares the response sent up with the digest it computes itself from the stored password and the challenge, decides whether the user is legitimate, and returns an authentication success or failure to the access device. On success it instructs the switch to open the port, and the user's traffic is allowed through that port onto the network; otherwise the port stays closed and only authentication traffic is allowed through.
Frame 205 (243 bytes on wire, 243 bytes captured)
Arrival Time: Nov 27, 2006 16:27:39.632706000
Time delta from previous packet: 0.186545000 seconds
Time since reference or first frame: 11.269641000 seconds
Frame Number: 205
Packet Length: 243 bytes
Capture Length: 243 bytes
Ethernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cd
Destination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)
Type: 802.1X Authentication (0x888e)
802.1x Authentication
Version: 1
Type: EAP Packet (0)
Length: 225
Extensible Authentication Protocol
Code: Success (3)
Id: 0
Length: 4
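The six steps above are the whole EAP-MD5 exchange, so here is one worked example that rebuilds frames 90, 91, 148, 154, 199 and 205 from the field values shown in the dump, parses them the way Wireshark did, and reproduces the server-side check from step 6. This is added example code, not part of the original analysis or of any vendor's client. Bytes the dump does not show (the filler after the EAP packet where the EAPOL Length exceeds the EAP Length, in frames 148, 199 and 205) are assumed to be zero, and the password behind the captured response is not on the page, so the verification and offline-guessing demo runs on a constructed password, hunter2, rather than the real one.

```python
import hashlib
import hmac
import struct

# Constants from IEEE 802.1X / RFC 3748
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_IDENTITY, EAP_MD5_CHALLENGE = 1, 4

# Addresses and values taken from the capture above
SUPPLICANT = bytes.fromhex("00e04cd765cd")     # client NIC
AUTHENTICATOR = bytes.fromhex("00030f013a5a")  # switch port
PAE_GROUP = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
CHALLENGE = bytes.fromhex("1CBFEE2149E38D2928DABB4772D285EB")  # frame 154
RESPONSE = bytes.fromhex("CBAC378ABB609123D2BB412840AEC614")   # frame 199
IDENTITY = b"03051020"  # frame 148; also the "Extra data" 3033303531303230 in frame 199


def eap_packet(code, identifier, type_data=b""):
    """EAP header (Code, Identifier, Length) followed by Type and Type-Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def eapol_frame(dst, src, eapol_type, body, eapol_len=None, total_len=None):
    """Ethernet + EAPOL frame. eapol_len reproduces the dump's EAPOL Length being
    larger than the EAP packet (frames 148, 199, 205); those filler bytes are not
    shown in the dump and are ASSUMED zero here. total_len pads short frames to the
    minimum Ethernet size with the A5 trailer the dump shows."""
    eapol_len = len(body) if eapol_len is None else eapol_len
    body = body + b"\x00" * (eapol_len - len(body))
    frame = dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, eapol_len) + body
    if total_len is not None:
        frame += b"\xa5" * (total_len - len(frame))
    return frame


def parse_eapol(frame):
    """Decode the fields the dump shows; trust the EAP Length, not the frame size."""
    ethertype, version, eapol_type, eapol_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    info = {"src": frame[6:12].hex(":"), "dst": frame[:6].hex(":"),
            "version": version, "eapol_type": eapol_type, "eapol_len": eapol_len}
    if eapol_type == EAPOL_START:
        return info
    eap = frame[18:18 + eapol_len]
    code, identifier, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len < 4 or eap_len > len(eap):
        raise ValueError("EAP Length inconsistent with EAPOL body")
    info.update(code=code, id=identifier, eap_len=eap_len)
    if code in (EAP_REQUEST, EAP_RESPONSE):
        eap_type, data = eap[4], eap[5:eap_len]
        info["type"] = eap_type
        if eap_type == EAP_IDENTITY:
            info["identity"] = data
        elif eap_type == EAP_MD5_CHALLENGE:
            size = data[0]
            info["value"] = data[1:1 + size]
            info["name"] = data[1 + size:]  # RFC 3748 Name field; old Wireshark: "Extra data"
    return info


def md5_challenge_response(identifier, password, challenge):
    """Step 5: MD5(Identifier || password || Challenge), the CHAP construction."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(identifier, challenge, response, stored_password):
    """Step 6 on the RADIUS server: recompute from the stored password and compare."""
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(identifier, challenge, response, wordlist):
    """An eavesdropper holding frames 154 and 199 can test passwords offline; this is
    the dictionary attack RFC 3748 warns about for MD5-Challenge."""
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == response:
            return candidate
    return None


# The six frames of the capture, rebuilt from the values in the dump
CAPTURE = {
    90: eapol_frame(PAE_GROUP, SUPPLICANT, EAPOL_START, b"", total_len=64),
    91: eapol_frame(SUPPLICANT, AUTHENTICATOR, EAPOL_EAP_PACKET,
                    eap_packet(EAP_REQUEST, 1, bytes([EAP_IDENTITY])), total_len=64),
    148: eapol_frame(PAE_GROUP, SUPPLICANT, EAPOL_EAP_PACKET,
                     eap_packet(EAP_RESPONSE, 1, bytes([EAP_IDENTITY]) + IDENTITY), eapol_len=59),
    154: eapol_frame(SUPPLICANT, AUTHENTICATOR, EAPOL_EAP_PACKET,
                     eap_packet(EAP_REQUEST, 2, bytes([EAP_MD5_CHALLENGE, 16]) + CHALLENGE), total_len=64),
    199: eapol_frame(PAE_GROUP, SUPPLICANT, EAPOL_EAP_PACKET,
                     eap_packet(EAP_RESPONSE, 2, bytes([EAP_MD5_CHALLENGE, 16]) + RESPONSE + IDENTITY),
                     eapol_len=76),
    205: eapol_frame(SUPPLICANT, AUTHENTICATOR, EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS, 0), eapol_len=225),
}


def demo():
    """CONSTRUCTED scenario: the real password is not in the capture, so a supplicant
    with password hunter2 answers the captured challenge, the server verifies it, and
    an eavesdropper recovers it from a three-word list."""
    password = b"hunter2"
    response = md5_challenge_response(2, password, CHALLENGE)
    return (server_verify(2, CHALLENGE, response, password),
            offline_guess(2, CHALLENGE, response, [b"123456", b"password", b"hunter2"]))


if __name__ == "__main__":
    for number, frame in CAPTURE.items():
        print(number, len(frame), "bytes:", parse_eapol(frame))
    print(demo())
```

Two things the parser makes visible: the EAPOL Length and the EAP Length disagree in frames 148, 199 and 205, so a decoder must stop at the EAP Length rather than the frame size, and the challenge and response travel in clear text on the wire. Because EAP-MD5 derives no keys, offers no mutual authentication and the EAP-Success in frame 205 is unprotected, anyone on the segment who captures frames 154 and 199 can run offline_guess against a wordlist.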