Eap termination – H3C Technologies H3C S12500-X Series Switches User Manual

68

9.

The authentication server compares the received encrypted password with the one it generated at

step 5. If the two are identical, the authentication server considers the client valid and sends a
RADIUS Access-Accept packet to the network access device.

10.

Upon receiving the RADIUS Access-Accept packet, the network access device sends an
EAP-Success packet to the client, and sets the controlled port in the authorized state so the client

can access the network.

11.

After the client comes online, the network access device periodically sends handshake requests to
check whether the client is still online. By default, if two consecutive handshake attempts fail, the

device logs off the client.

12.

Upon receiving a handshake request, the client returns a response. If the client fails to return a
response after a certain number of consecutive handshake attempts (two by default), the network

access device logs off the client. This handshake mechanism enables timely release of the network

resources used by 802.1X users that have abnormally gone offline.

13.

The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff.

14.

In response to the EAPOL-Logoff packet, the network access device changes the status of the
controlled port from authorized to unauthorized and sends an EAP-Failure packet to the client.

193B

EAP termination

759H

Figure 30

shows the basic 802.1X authentication procedure in EAP termination mode, assuming that

CHAP authentication is used.