1x timers – H3C Technologies H3C WX6000 Series Access Controllers User Manual

Figure 35-9 802.1X authentication procedure in EAP termination mode

[Figure: message sequence diagram between Client, Device and Server; link labels EAPOL and EAPOR. Messages shown: EAPOL-Start; EAP-Request / Identity; EAP-Response / Identity; EAP-Request / MD5 challenge; EAP-Response / MD5 challenge; RADIUS Access-Request (CHAP-Response / MD5 challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; Port authorized; Handshake timer; Handshake request (EAP-Request / Identity); Handshake response (EAP-Response / Identity); EAPOL-Logoff; Port unauthorized.]

Unlike in EAP relay mode, in the EAP termination authentication process it is the device that generates the random challenge for encrypting the user password information. Consequently, the device sends the challenge, together with the username and the encrypted password information from the client, to the RADIUS server for authentication.
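The exchange described above, as an added example that is not part of the H3C manual: the device issues the challenge, the client returns the MD5 response, and the device forwards both to the server as CHAP attributes. The function names and the dict standing in for an encoded RADIUS Access-Request are assumptions; the RADIUS shared secret and packet framing are left out.

```python
import hashlib
import hmac
import os


def chap_md5(ident: int, password: bytes, challenge: bytes) -> bytes:
    # CHAP / EAP-MD5 response value: MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def device_issue_challenge():
    # Termination mode: the device, not the RADIUS server, picks the
    # identifier and the 16-byte random challenge.
    return os.urandom(1)[0], os.urandom(16)


def client_respond(ident: int, challenge: bytes, password: bytes) -> bytes:
    # Client answer carried in EAP-Response / MD5 challenge.
    return chap_md5(ident, password, challenge)


def device_access_request(username, ident, challenge, response):
    # The device terminates EAP and forwards CHAP attributes instead.
    # A dict stands in for the encoded RADIUS Access-Request (assumption).
    return {
        "User-Name": username,
        "CHAP-Password": bytes([ident]) + response,  # ident + 16-byte hash
        "CHAP-Challenge": challenge,
    }


def server_verify(request, user_db) -> bool:
    # The server recomputes the hash from its stored password and the
    # challenge the device supplied; the password itself is never sent.
    password = user_db.get(request["User-Name"])
    chap = request["CHAP-Password"]
    if password is None or len(chap) != 17:
        return False
    expected = chap_md5(chap[0], password, request["CHAP-Challenge"])
    return hmac.compare_digest(expected, chap[1:])


if __name__ == "__main__":
    users = {"alice": b"correct horse"}  # constructed sample account
    ident, challenge = device_issue_challenge()
    resp = client_respond(ident, challenge, users["alice"])
    req = device_access_request("alice", ident, challenge, resp)
    print("Access-Accept" if server_verify(req, users) else "Access-Reject")
```

Because the server has to recompute the hash, it must hold each password in a form it can feed into MD5 together with the challenge.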

802.1X Timers

This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other in a reasonable manner.

Username request timeout timer: The device triggers this timer in two cases. The first case is when the client requests authentication: the device starts the timer when it sends an EAP-Request/Identity packet to the client and, if it receives no response before the timer expires, retransmits the request. The second case is when the device authenticates an 802.1X client that cannot actively request authentication: the device periodically sends multicast EAP-Request/Identity packets through the port on which 802.1X is enabled, and the timer sets the interval between these multicast packets.
