Initiating 802.1x authentication, Eap over radius, 1x client as the initiator – H3C Technologies H3C S12500-X Series Switches User Manual

64

Value Type

Description

0x02 EAPOL-Logoff

The client sends an EAPOL-Logoff message to tell the network access
device that it is logging off.

•

Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or
EAPOL-Logoff, this field is set to 0, and no Packet body field follows.

•

Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body
field contains an EAP packet.

188B

EAP over RADIUS

RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP
authentication. For the RADIUS packet format, see "

754H

Configuring AAA

."

414B

EAP-Message

RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in

755H

Figure 25

. The Type field

takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS

encapsulates it in multiple EAP-Message attributes.

Figure 25 EAP-Message attribute format

415B

Message-Authenticator

RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute

to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum

is different from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP
authentication packets from being tampered with during EAP authentication.

Figure 26 Message-Authenticator attribute format

33B

Initiating 802.1X authentication

Both the 802.1X client and the access device can initiate 802.1X authentication.

189B

802.1X client as the initiator

The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The

destination MAC address of the packet is the IEEE 802.1X specified multicast address

01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and