Eap terminating mode – H3C Technologies H3C WX3000 Series Unified Switches User Manual
Page 224
23-7
z
A supplicant launches an 802.1x client, and then provides the valid user name and password on
the 802.1x client to initiate a connection request. In this case, the 802.1x client program sends the
connection request (the EAPoL-start packet) to the device to start the authentication process.
z
Upon receiving the authentication request packet, the device sends an EAP-request/identity
packet to ask the 802.1x client for the user name.
z
The 802.1x client responds by sending an EAP-response/identity packet to the device with the user
name contained in it. The device then encapsulates the packet in a RADIUS Access-Request
packet and forwards it to the RADIUS server.
z
Upon receiving the packet from the device, the RADIUS server retrieves the user name from the
packet, finds the corresponding password by matching the user name in its database, encrypts the
password using a randomly-generated key, and sends the key to the device through an RADIUS
access-challenge packet. The device then sends the key to the 802.1x client.
z
Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the device,
the client program encrypts the password of the supplicant system with the key and sends the
encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server
through the device. (Normally, the encryption is irreversible.)
z
The RADIUS server compares the received encrypted password (contained in a RADIUS
access-request packet) with the locally-encrypted password. If the two match, it will then send
feedbacks (through a RADIUS access-accept packet and an EAP-success packet) to the device to
indicate that the supplicant is authenticated.
z
The device changes the state of the corresponding port to accepted state to allow the supplicant to
access the network.
z
The supplicant can also terminate the authenticated state by sending EAPoL-Logoff packets to the
device. The device then changes the port state from accepted to rejected.
When you configure your device to work in EAP relay mode, you do not need to configure the
authentication method to be used. The device and the RADIUS server will negotiate one. The
negotiation is initiated by the RADIUS server. Different RADIUS servers support different authentication
methods and the order of PEAP, EAP-TLS, EAP-TTLS, and EAP-MD5 in the negotiation may vary.
EAP terminating mode
In this mode, EAP packet transmission is terminated at authenticator systems and the EAP packets are
converted to RADIUS packets. Authentication and accounting are carried out through RADIUS
protocol.
In this mode, PAP or CHAP is employed between the device and the RADIUS server.
illustrates the authentication procedure (assuming that CHAP is employed between the device and the
RADIUS server).