H3C Technologies H3C S5120 Series Switches User Manual

Page 385


Figure 1-8 802.1X authentication procedure in EAP relay mode

[Figure: sequence diagram of the exchange between Client, Device and Server, with EAPOL on the client-device side and EAPOR on the device-server side, running from EAPOL-Start to Port authorized, then handshake request/response under the handshake timer, and EAPOL-Logoff leading to Port unauthorized.]

1) When a user launches the 802.1X client software and enters the registered username and password, the 802.1X client software generates an EAPOL-Start packet and sends it to the device to initiate an authentication process.

2) Upon receiving the EAPOL-Start packet, the device responds with an EAP-Request/Identity packet to request the username of the client.

3) When the client receives the EAP-Request/Identity packet, it encapsulates the username in an EAP-Response/Identity packet and sends the packet to the device.

4) Upon receiving the EAP-Response/Identity packet, the device relays the packet in a RADIUS Access-Request packet to the authentication server.

5) When receiving the RADIUS Access-Request packet, the RADIUS server compares the identity information against its user information database to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the device.

6) After receiving the RADIUS Access-Challenge packet, the device relays the contained EAP-Request/MD5 Challenge packet to the client.

7) When receiving the EAP-Request/MD5 Challenge packet, the client uses the offered challenge to encrypt the password part (this process is not reversible), creates an EAP-Response/MD5 Challenge packet, and then sends the packet to the device.
