802.1x is a standard for network authentication - whether a given device should be allowed access to the network (whether WiFi or wired).
Here's an overview of how it works with FAUCET.
- A host, connected to the Ethernet switch, sends 802.1x authentication request packets to the switch. The switch passes them on to the controller/NFV's offload port.
- A process, hostapd, receives these packets and carries out the authentication conversation with a RADIUS server (see here for an extremely detailed explanation).
- Whether successful or unsuccessful, hostapd notifies another process on the same host, hostapd_cli.
- A script, hostapd_trigger.py (see below), monitors hostapd_cli and the FAUCET controller's log file. It correlates the MAC address of the host with the switch port the host is connected to, and then initiates the desired action (for example, opening a firewall port so the host can access the Internet if it authenticated successfully).
This implementation is a proof of concept of handling the authentication entirely within the dataplane. The FAUCET controller does not participate in or understand the 802.1x exchange, and does not need to. Other services, like DNS and DHCP, could be run on the same host in the same way. The trigger script can perform any action, including modifying the FAUCET config file itself and HUPing the controller (for example, to add or remove an OpenFlow ACL on the host's port to authorize it to access the network).
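The correlation step the trigger script performs, as an added example that is not the page's hostapd_trigger.py: it joins hostapd_cli connect/disconnect events with FAUCET's MAC-learning log lines to produce a per-port authorize/deauthorize action, deferring the action when hostapd reports a host before FAUCET has learned its MAC. The event and log line formats, and the sample lines, are constructed assumptions; real hostapd_cli and FAUCET formats vary by version.

```python
import re
from collections import namedtuple

# Assumed line formats (constructed): adjust the patterns to the deployed hostapd/FAUCET versions.
HOSTAPD_EVENT = re.compile(r'^<\d+>AP-STA-(CONNECTED|DISCONNECTED) ([0-9a-f:]{17})$', re.I)
FAUCET_LEARN = re.compile(r'L2 learned ([0-9a-f:]{17}) .*?on Port (\d+)', re.I)

# verb is 'authorize' or 'deauthorize'; port is the switch port FAUCET learned the MAC on
Action = namedtuple('Action', 'verb mac port')


class Correlator:
    """Joins hostapd_cli authentication events with FAUCET MAC-learning log lines."""

    def __init__(self):
        self.mac_to_port = {}   # MAC -> port, from FAUCET's learning messages
        self.pending = {}       # MAC -> verb for events seen before FAUCET learned the MAC

    def faucet_line(self, line):
        m = FAUCET_LEARN.search(line)
        if not m:
            return None
        mac, port = m.group(1).lower(), int(m.group(2))
        self.mac_to_port[mac] = port          # a re-learn on another port replaces the old mapping
        verb = self.pending.pop(mac, None)    # release an action deferred until the MAC was learned
        return Action(verb, mac, port) if verb else None

    def hostapd_line(self, line):
        m = HOSTAPD_EVENT.match(line.strip())
        if not m:
            return None                       # e.g. hostapd_cli's own "OK" replies
        verb = 'authorize' if m.group(1).upper() == 'CONNECTED' else 'deauthorize'
        mac = m.group(2).lower()
        port = self.mac_to_port.get(mac)
        if port is None:                      # host not yet seen by FAUCET: defer the action
            self.pending[mac] = verb
            return None
        return Action(verb, mac, port)


def correlate(events, apply_action=lambda a: None):
    """events: (source, line) pairs in arrival order; returns the actions taken."""
    c, actions = Correlator(), []
    for source, line in events:
        action = c.faucet_line(line) if source == 'faucet' else c.hostapd_line(line)
        if action:
            apply_action(action)              # hook: e.g. add/remove an ACL for action.mac on action.port
            actions.append(action)
    return actions


SAMPLE_EVENTS = [  # constructed: an auth event arriving before and after FAUCET learns the MAC
    ('hostapd', '<3>AP-STA-CONNECTED 0E:00:00:00:00:01'),
    ('faucet', 'faucet.valve INFO DPID 1 (0x1) L2 learned 0e:00:00:00:00:01 (L2 type 0x888e) on Port 3 on VLAN 100'),
    ('faucet', 'faucet.valve INFO DPID 1 (0x1) L2 learned 0e:00:00:00:00:02 (L2 type 0x888e) on Port 4 on VLAN 100'),
    ('hostapd', '<3>AP-STA-CONNECTED 0e:00:00:00:00:02'),
    ('hostapd', 'OK'),
    ('hostapd', '<3>AP-STA-DISCONNECTED 0e:00:00:00:00:02'),
]
```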
For a more advanced solution including an administrative GUI, a system like PacketFence could be integrated. For example, PacketFence could also change FAUCET's config to put a problematic host in a quarantine VLAN.
There are some features being added to FAUCET to support better integration. For example, this proof of concept parses the FAUCET log file, but FAUCET will expose what it knows programmatically (specifically, which MAC addresses have been learned on which ports). There are also features to force all 802.1x (and similar) traffic to the offload port only, and to more efficiently add or remove an ACL or VLAN from a port when requested.
hostapd takes a minimal configuration file, instructing it to listen on a port, communicate with a RADIUS server, and notify an external process of events: