Eap over radius, Eap-message, Message-authenticator – H3C Technologies H3C WX6000 Series Access Controllers User Manual

35-5

Figure 35-5 Format of the Data field in an EAP request/response packet

Identifier: Helps match responses with requests.

Length: Length of the EAP packet, including the Code, Identifier, Length, and Data fields, in bytes.

Data: Content of the EAP packet. Its format is determined by the Code field.

EAP over RADIUS

Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and

Message-Authenticator. For information about RADIUS packet format, refer to

MAC Address

Configuration

.

EAP-Message

The EAP-Message attribute is used to encapsulate EAP packets.

Figure 35-6

shows its encapsulation

format. The value of the Type field is 79. The String field can be up to 253 bytes long. If the EAP packet

is longer than 253 bytes, it can be fragmented and encapsulated into multiple EAP-Message attributes.

Figure 35-6 Encapsulation format of the EAP-Message attribute

0

15

Type

String

7

Length

N

EAP packets

Message-Authenticator

Figure 35-7

shows the encapsulation format of the Message-Authenticator attribute. The

Message-Authenticator attribute is used to prevent access requests from being snooped during EAP or

CHAP authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the

packet will be considered invalid and discarded.

Figure 35-7 Encapsulation format of the Message-Authenticator attribute

802.1X Authentication Triggering

802.1X authentication can be initiated by either a client or the device.

Unsolicited triggering of a client

A client can initiate authentication unsolicitedly by sending an EAPOL-Start packet to the device. The

destination address of the packet is 01-80-C2-00-00-03, the multicast address specified by the IEEE

802.1X protocol.