Timers used in 802.1x – H3C Technologies H3C S3100 Series Switches User Manual


Figure 1-9 802.1x authentication procedure (in EAP terminating mode)

[Figure: message sequence between the supplicant system PAE, the authenticator system PAE (over EAPOL), and the RADIUS server (over RADIUS). Messages shown: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; port authorized; handshake timer; handshake request [EAP-Request/Identity]; handshake response [EAP-Response/Identity]; ......; EAPOL-Logoff; port unauthorized.]

The authentication procedure in EAP terminating mode is the same as that in EAP relay mode, except that in EAP terminating mode the randomly-generated key is generated by the switch, and it is the switch that sends the user name, the randomly-generated key, and the password encrypted by the supplicant system to the RADIUS server for further authentication.

Timers Used in 802.1x

In 802.1x authentication, the following timers are used to ensure that the supplicant system, the switch, and the RADIUS server interact in an orderly way.

• Handshake timer (handshake-period). This timer sets the handshake-period and is triggered after a supplicant system passes the authentication. It sets the interval for a switch to send handshake request packets to online users. You can set the number of retries by using the dot1x retry command. An online user will be considered offline when the switch has not received any response packets after a certain number of handshake request transmission retries.

• Quiet-period timer (quiet-period). This timer sets the quiet-period. When a supplicant system fails to pass the authentication, the switch quiets for the set period (set by the quiet-period timer) before it processes another authentication request re-initiated by the supplicant system. During this quiet period, the switch does not perform any 802.1x authentication-related actions for the supplicant system.

• Re-authentication timer (reauth-period). The switch will initiate 802.1x re-authentication at the interval set by the re-authentication timer.

• RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication
