Hello everyone,
Today, I'd like to show you the comparison between PPPoE, Web+Portal, and 802.1x authentication modes.
Authentication is the first step of AAA (authentication, authorization, and accounting). An AAA deployment generally involves four parts: the user terminal, the AAA client, the AAA server, and the accounting software. The way the user terminal communicates with the AAA client is usually called the "authentication mode". The main technologies in use today are PPPoE, Web+Portal, and IEEE 802.1x. Each of the three has its own background and technical characteristics. Below is a brief analysis of these three main authentication technologies:
1. PPPoE
The Point-to-Point Protocol over Ethernet (PPPoE) protocol allows a PPP session to be initiated over a simple Ethernet bridge that connects to the client.
Establishing PPPoE requires two phases: the Discovery stage and the PPP Session stage. When a host wants to initiate a PPPoE session, it must first complete the Discovery stage to determine the Ethernet MAC address of the peer and establish a PPPoE session number (SESSION_ID).
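As an added illustration (not part of the original post), here is a Python model of the Discovery stage just described: it builds and parses the PADI, PADO, PADR and PADS frames and shows the host learning the peer MAC and the SESSION_ID. The MAC addresses, AC name and SESSION_ID value are constructed, and no real interface is touched.

```python
import struct

ETH_P_PPPOE_DISC = 0x8863  # EtherType of the Discovery stage
ETH_P_PPPOE_SESS = 0x8864  # EtherType of the PPP Session stage (not built here)
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65  # RFC 2516 Discovery codes
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6

def build_discovery(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (ver=1, type=1) + TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(body))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + body

def parse_discovery(frame):
    """Return the fields of a PPPoE Discovery frame; raise on other frames."""
    dst, src = frame[:6], frame[6:12]
    etype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if etype != ETH_P_PPPOE_DISC or ver_type != 0x11:
        raise ValueError("not a PPPoE Discovery frame")
    body, tags, off = frame[20:20 + length], {}, 0
    while off + 4 <= len(body):
        tag, ln = struct.unpack("!HH", body[off:off + 4])
        tags[tag] = body[off + 4:off + 4 + ln]
        off += 4 + ln
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}

def discovery_stage(host_mac, ac_mac, session_id=0x1234):
    """Constructed PADI/PADO/PADR/PADS exchange. Returns the peer MAC the host
    learned and the SESSION_ID it must use for every Session-stage frame."""
    host_uniq = b"\x00\x01"  # lets the host match replies to its own request
    padi = build_discovery(BROADCAST, host_mac, PADI, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    req = parse_discovery(padi)                      # the AC receives the broadcast
    pado = build_discovery(req["src"], ac_mac, PADO, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_AC_NAME, b"ac-1"),
                            (TAG_HOST_UNIQ, req["tags"][TAG_HOST_UNIQ])])
    offer = parse_discovery(pado)                    # host learns the AC's MAC
    padr = build_discovery(offer["src"], host_mac, PADR, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    parse_discovery(padr)                            # AC validates the request
    pads = build_discovery(host_mac, ac_mac, PADS, session_id,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    conf = parse_discovery(pads)                     # only PADS carries a non-zero id
    return conf["src"], conf["session_id"]
```

The PADI is the only broadcast frame here; the broadcast load the post mentions comes from every host repeating it until an AC answers.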
Advantages:
* It is an extension of the traditional PSTN narrowband dial-up access technology into Ethernet access
* It is consistent with the original narrowband network's user access authentication system
* End users accept it relatively easily
Disadvantages:
* PPP and Ethernet are essentially different technologies. PPP has to be encapsulated into Ethernet frames again, so the encapsulation efficiency is very low.
* PPPoE generates a large amount of broadcast traffic during the discovery phase, which has a great impact on network performance.
* Multicast services are difficult to develop, yet most video services are based on multicast.
* Operators need to provide client terminal software, and the maintenance workload is too large.
* PPPoE authentication generally requires an external BAS. After authentication is completed, the service data flow must also pass through the BAS device, which is likely to create a single point of bottleneck and failure, and the device is usually very expensive.
2. Web+Portal
The basic process of Portal authentication is as follows. The client first obtains an IP address through DHCP (a static IP address can also be used), but the client cannot use this IP address to access the Internet yet: before authentication passes, it can only reach one specific IP address, usually that of the Portal server. Access devices supporting Portal authentication must provide this capability, which can be done by modifying the access control list (ACL) on the access device. The user then enters the user name and password on the web page; the web client sends them to the Portal server, and the Portal server interacts with the NAS to authenticate the user. Besides the user's name and password, the Portal server also obtains the user's IP address and uses it as the index that identifies the user. The Portal server then communicates directly with the NAS using the Portal protocol, and the NAS communicates directly with the RADIUS server to complete user authentication and bring the user online. For security reasons, strong CHAP-style authentication is usually supported.
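Added example, not from the original post: a Python model of the Portal flow above, with the pre-authentication ACL keyed by the user's IP address, the CHAP challenge and response relayed between the web client, the Portal server and the NAS, and the NAS checking the response with RADIUS. The Portal server address, user store and IP addresses are constructed placeholders, and the Portal protocol messages are simplified to direct method calls.

```python
import hashlib
import os

PORTAL_IP = "10.0.0.5"                  # constructed Portal server address
USER_DB = {"alice": b"correct horse"}   # constructed RADIUS user store

def chap_response(ident, secret, challenge):
    """CHAP response (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class RadiusServer:
    def verify(self, username, ident, challenge, response):
        secret = USER_DB.get(username)
        return secret is not None and chap_response(ident, secret, challenge) == response

class NAS:
    """Access device: pre-auth ACL keyed by user IP, opened once RADIUS accepts."""
    def __init__(self, radius):
        self.radius, self.authenticated, self.challenges = radius, set(), {}
    def permits(self, user_ip, dst_ip):
        return user_ip in self.authenticated or dst_ip == PORTAL_IP
    def challenge(self, user_ip):
        ident, chal = len(self.challenges) & 0xFF, os.urandom(16)
        self.challenges[user_ip] = (ident, chal)
        return ident, chal
    def authenticate(self, user_ip, username, response):
        ident, chal = self.challenges.pop(user_ip)
        ok = self.radius.verify(username, ident, chal, response)  # NAS <-> RADIUS
        if ok:
            self.authenticated.add(user_ip)
        return ok

class PortalServer:
    """Indexes users by IP address and relays the CHAP exchange to the NAS."""
    def __init__(self, nas):
        self.nas, self.sessions = nas, {}
    def login(self, user_ip, username, password):
        ident, chal = self.nas.challenge(user_ip)            # Portal protocol: challenge
        resp = chap_response(ident, password, chal)          # computed on the web client
        ok = self.nas.authenticate(user_ip, username, resp)  # Portal protocol: auth
        if ok:
            self.sessions[user_ip] = username
        return ok

def demo(user_ip="10.0.1.20"):
    portal = PortalServer(NAS(RadiusServer()))
    before = portal.nas.permits(user_ip, "203.0.113.9")
    bad = portal.login(user_ip, "alice", b"wrong")
    good = portal.login(user_ip, "alice", b"correct horse")
    return before, bad, good, portal.nas.permits(user_ip, "203.0.113.9")
```

Note that the only key in the NAS and Portal server state is the user's IP address, which is why the post's later point about detecting offline users is a real operational difficulty.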
Advantages:
* No special client software is required, reducing the network maintenance workload
* Can provide service authentication such as Portal
Disadvantages:
* WEB is carried on a Layer 7 protocol, which places higher requirements on equipment and makes network construction costly;
* User connectivity is poor: it is not easy to detect that a user has gone offline, so time-based charging is difficult to achieve;
* Ease of use is not good enough: before accessing the network, whether for TELNET, FTP or other services, the user must first use a browser for WEB authentication;
* IP addresses are allocated before user authentication, so if the user is not an Internet user, addresses are wasted, and it is not convenient for multi-ISP support;
* Service flow and data flow cannot be distinguished before and after authentication
3. 802.1x
Advantages:
* The 802.1x protocol is a Layer 2 protocol. It does not need to reach Layer 3, and the access layer switch does not need to support 802.1q VLANs. The performance requirements on the device are not high, which effectively reduces the network construction cost.
* It is implemented with multicast, which solves the broadcast problem of other authentication protocols and supports multicast services well. Service packets are carried directly in normal Layer 2 packets. After the user passes authentication, the service flow and the authentication flow are separated, and there is no special requirement for subsequent packet processing.
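Added example, not from the original post: a Python model of the Layer 2 EAPOL exchange that opens an 802.1x session, plus a classifier that separates the authentication flow from the service flow purely by EtherType, as the advantage above describes. The MAC addresses and the identity string are constructed.

```python
import struct

ETH_P_EAPOL = 0x888E                           # EAPOL EtherType
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group (multicast) address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY = 1

def build_eapol(dst, src, pkt_type, body=b""):
    """Ethernet header + EAPOL header (version 1, type, length) + body."""
    return dst + src + struct.pack("!HBBH", ETH_P_EAPOL, 1, pkt_type, len(body)) + body

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, total length, optional type and data."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def classify(frame):
    """Separate the authentication flow (EAPOL) from the service flow (all else)."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETH_P_EAPOL:
        return {"flow": "service", "ethertype": etype}
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    info = {"flow": "auth", "version": version, "type": ptype,
            "to_pae_group": frame[:6] == PAE_GROUP_MAC}
    if ptype == EAPOL_EAP_PACKET and length >= 4:
        code, ident, elen = struct.unpack("!BBH", frame[18:22])
        info.update(code=code, id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and elen > 4:
            info["eap_type"] = frame[22]
            info["data"] = frame[23:18 + elen]
    return info

def identity_exchange(supp_mac, auth_mac, identity=b"alice@example.net"):
    """Constructed start of an 802.1X session: EAPOL-Start, EAP-Request/Identity,
    EAP-Response/Identity. No IP header anywhere: this all happens at Layer 2."""
    start = build_eapol(PAE_GROUP_MAC, supp_mac, EAPOL_START)
    request = build_eapol(supp_mac, auth_mac, EAPOL_EAP_PACKET,
                          build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    response = build_eapol(PAE_GROUP_MAC, supp_mac, EAPOL_EAP_PACKET,
                           build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))
    return [classify(f) for f in (start, request, response)]
```

An EAPOL-Logoff frame (type 2) is what lets the switch notice a user leaving, which is the connectivity advantage the table below credits to 802.1x over Web/Portal.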
Disadvantages:
* Requires specific client software
* The problem of existing corridor switches in the network: since 802.1x is a relatively new Layer 2 protocol, the corridor switch is required either to transparently forward the authentication packets or to complete the authentication process itself. Therefore, fully adopting the protocol raises the problem of upgrading the switches already serving existing users on the network;
* IP address allocation and network security issues: 802.1x is a Layer 2 protocol and is only responsible for authentication control of the user port. After port authentication is completed, IP address allocation for the user entering the Layer 3 IP network, Layer 3 network security and other issues still need to be solved. Therefore, an Ethernet switch plus 802.1x alone cannot fully solve the problems of operability, manageability and access security for Ethernet access in the metropolitan area network;
* Billing problem: the 802.1x protocol can charge by time, according to the interval between the user's authentication and going offline, but it cannot count traffic. Therefore, traffic-based charging cannot be performed, nor can the user's always-on requirements be met.
| Authentication method | WEB/PORTAL | PPPoE | 802.1x |
| --- | --- | --- | --- |
| Degree of standardization | vendor proprietary | RFC 2516 | IEEE standard |
| Packet overhead | small | large | small |
| Access control mode | device port | user | user |
| IP address | assigned before authentication | assigned after authentication | assigned after authentication |
| Multicast support | good | bad | good |
| Number of VLANs required | many | none | none |
| Support for multiple ISPs | poor | good | good |
| Client software | not needed | needed | needed |
| Device support | vendor proprietary | industry equipment | industry equipment |
| User connectivity | bad | good | good |
| Requirements for equipment | high (full VLAN) | high (BAS) | low |
In summary, the outstanding advantages of 802.1x authentication are simple implementation, high authentication efficiency and security. Without multi-service network management equipment, it can ensure that the IP network is not connected before authentication, and at the same time it eliminates the single point of failure at the network authentication and charging bottleneck. User authentication is implemented on the Layer 2 network, which greatly reduces the network construction cost of the entire network. Currently, 802.1x-based authentication technology is very common in campus network applications.
This is what I want to share with you today, thank you!