Unsolicited triggering of the device, Authentication process of 802.1x, Eap relay – H3C Technologies H3C S7500E Series Switches User Manual


However, some devices along the path from the client to the authentication device may not support multicast frames sent to that destination address, so the authentication device never receives the client's authentication request. To solve this problem, the device also accepts EAPOL-Start packets whose destination is the broadcast MAC address. Currently, only the iNode 802.1X client can send EAPOL-Start packets to the broadcast MAC address.

Unsolicited triggering of the device

The device can itself trigger authentication for clients that cannot send EAPOL-Start packets and therefore cannot initiate authentication, for example clients running the 802.1X client software shipped with Windows XP. The device supports two unsolicited triggering modes:

• Multicast triggering mode: The device multicasts EAP-Request/Identity packets periodically (every 30 seconds by default).

• Unicast triggering mode: When the device receives a data frame whose source MAC address is not in its MAC address table, it assumes that a new user has attached and sends a unicast EAP-Request/Identity packet out the port that received the frame to trigger 802.1X authentication. If no response arrives within the configured interval, it retransmits the packet.
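The two client-side EAPOL-Start variants (PAE group address versus broadcast) and the two unsolicited trigger modes above, as an added example that is not code from the H3C manual or from any H3C product. The frame and EAP layouts and the 01-80-C2-00-00-03 group address come from IEEE 802.1X; the AuthenticatorPort class, the MAC addresses and the data frame are hypothetical constructions for illustration.

```python
import struct

# Constants from IEEE 802.1X (facts, not taken from this manual page)
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # multicast address EAPOL-Start is normally sent to
BROADCAST_ADDRESS = b"\xff" * 6                     # alternative destination described in the text
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1
EAP_CODE_REQUEST = 1
EAP_TYPE_IDENTITY = 1


def eapol_frame(dst, src, eapol_type, body=b""):
    """Ethernet II frame (without FCS) carrying one EAPOL PDU."""
    eth_header = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    eapol_header = struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body))
    return eth_header + eapol_header + body


def eapol_start(client_mac, use_broadcast=False):
    """Client-side trigger: EAPOL-Start to the PAE group address, or to ff:ff:ff:ff:ff:ff."""
    dst = BROADCAST_ADDRESS if use_broadcast else PAE_GROUP_ADDRESS
    return eapol_frame(dst, client_mac, EAPOL_TYPE_START)


def eap_request_identity(identifier):
    """EAP-Request/Identity: code=1, identifier, length=5, type=1 (Identity)."""
    return struct.pack("!BBHB", EAP_CODE_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)


def parse_frame(frame):
    """Split an Ethernet frame; decode the EAPOL header if the EtherType is 0x888E."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return {"dst": dst, "src": src, "eapol": None}
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return {"dst": dst, "src": src,
            "eapol": {"version": version, "type": eapol_type, "body": body}}


class AuthenticatorPort:
    """Hypothetical model of one authenticator port's trigger behaviour (not H3C code)."""

    def __init__(self, port_mac, unicast_trigger=True):
        self.port_mac = port_mac
        self.unicast_trigger = unicast_trigger
        self.mac_table = set()      # source MACs already learned on this port
        self.pending = {}           # client MAC -> EAP identifier awaiting a response
        self.next_id = 1

    def _request_identity(self, client_mac):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[client_mac] = ident
        return eapol_frame(client_mac, self.port_mac, EAPOL_TYPE_EAP_PACKET,
                           eap_request_identity(ident))

    def multicast_trigger(self):
        """Multicast triggering mode: the frame sent periodically (30 s default) to the group address."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        return eapol_frame(PAE_GROUP_ADDRESS, self.port_mac, EAPOL_TYPE_EAP_PACKET,
                           eap_request_identity(ident))

    def receive(self, frame):
        """Return the frame the port sends in reaction to an incoming frame, or None."""
        info = parse_frame(frame)
        src = info["src"]
        if info["eapol"] is not None:
            if (info["eapol"]["type"] == EAPOL_TYPE_START
                    and info["dst"] in (PAE_GROUP_ADDRESS, BROADCAST_ADDRESS)):
                return self._request_identity(src)      # client-initiated authentication
            return None   # other EAPOL PDUs belong to the EAP state machine, not modelled here
        # Plain data frame: unicast triggering mode reacts to an unknown source MAC only
        if src not in self.mac_table:
            self.mac_table.add(src)
            if self.unicast_trigger:
                return self._request_identity(src)
        return None

    def retransmit(self):
        """Re-send EAP-Request/Identity to every client whose response is still outstanding."""
        return [eapol_frame(mac, self.port_mac, EAPOL_TYPE_EAP_PACKET, eap_request_identity(ident))
                for mac, ident in self.pending.items()]
```

The port only reacts once per unknown source MAC in unicast mode; a second data frame from the same address is silently forwarded to the normal state machine, which is why a client that ignores the request is re-polled by retransmit() rather than by the MAC-learning path.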

Authentication Process of 802.1X

An 802.1X device communicates with a remote RADIUS server in one of two modes: EAP relay or EAP termination. The following description uses EAP relay as an example to show the 802.1X authentication process.

EAP relay

EAP relay is defined in IEEE 802.1X. In this mode the device passes EAP packets through unchanged, encapsulating them in an upper-layer protocol such as RADIUS so that they can cross a complex network and reach the authentication server. Relaying EAP requires that the RADIUS server support the RADIUS attributes EAP-Message and Message-Authenticator (RFC 3579): EAP-Message carries the EAP packet, and Message-Authenticator holds an HMAC-MD5, keyed with the RADIUS shared secret, over the RADIUS packet that carries EAP-Message, so that such packets cannot be forged or altered by a party that does not know the secret.

Figure 5-7 shows the EAP packet exchange procedure with EAP-MD5.
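The RADIUS encapsulation used by EAP relay, carrying the EAP-Response/MD5-Challenge from the EAP-MD5 exchange that Figure 5-7 depicts, as an added example that is not the manual's or H3C's code. Attribute numbers, the 253-byte attribute limit and the Message-Authenticator construction are from RFC 2865 and RFC 3579, and the MD5-Challenge response format is from RFC 3748; the shared secret, user name, password and challenge are constructed test inputs, and the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS/EAP constants (RFC 2865, RFC 3579, RFC 3748); not taken from this manual page
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4
RADIUS_HEADER_LEN = 20
MAX_ATTR_VALUE = 253


def eap_md5_response(identifier, password, challenge):
    """EAP-Response/MD5-Challenge: value = MD5(identifier || password || challenge)."""
    digest = hashlib.md5(bytes([identifier]) + password + challenge).digest()
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body


def attribute(attr_type, value):
    """RADIUS TLV: type(1) length(1) value; length counts the type and length bytes."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def eap_message_attributes(eap_packet):
    """Fragment an EAP packet across consecutive EAP-Message attributes (RFC 3579)."""
    return b"".join(attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def build_access_request(identifier, request_authenticator, user_name, eap_packet, secret):
    """Relay one EAP packet to the RADIUS server in an Access-Request with Message-Authenticator."""
    attrs = attribute(ATTR_USER_NAME, user_name) + eap_message_attributes(eap_packet)
    # The HMAC is computed over the whole packet with the Message-Authenticator value zeroed
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = RADIUS_HEADER_LEN + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def iter_attributes(packet):
    """Yield (offset, type, value) for each attribute, rejecting malformed lengths."""
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield pos, attr_type, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """Server-side check; returns False when the attribute is absent or the HMAC mismatches.
    RFC 3579 requires rejecting an Access-Request that carries EAP-Message without a valid one."""
    for pos, attr_type, value in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def extract_eap(packet):
    """Reassemble the relayed EAP packet from its EAP-Message attributes, in order."""
    return b"".join(v for _, t, v in iter_attributes(packet) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed test inputs throughout
    challenge = os.urandom(16)
    eap = eap_md5_response(7, b"constructed-password", challenge)
    pkt = build_access_request(42, os.urandom(16), b"alice", eap, secret)
    print("genuine packet verifies:", verify_message_authenticator(pkt, secret))
    tampered = bytearray(pkt)
    tampered[RADIUS_HEADER_LEN + 7 + 2] ^= 0x01      # flip the EAP code byte inside EAP-Message
    print("tampered packet verifies:", verify_message_authenticator(bytes(tampered), secret))
```

Two caveats follow from the code: Message-Authenticator only binds the packet to the NAS-to-server shared secret, so a weak or reused secret still lets an attacker on that path forge relayed EAP, and EAP-MD5 itself gives the client no way to authenticate the server and derives no keys, so the response can be replayed or brute-forced offline by anyone who captures the challenge and response on the access link.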
