6 the authentication methods of 802.1x, 1 eap relay mode – PLANET XGS3-24040 User Manual


Chapter 47 802.1x Configuration


CHAP protocol message based on the RADIUS protocol between the device and the RADIUS server.

In an 802.1x authentication system, to implement identity authentication and network permission, the user should install the authentication client software, pass the client login authentication process, and then achieve authenticated communication with the DCBI server. However, some customers do not want to install client software and would rather authenticate simply through Internet Explorer. To satisfy this demand and make the authentication client platform-independent, the Web authentication function based on 802.1x was designed.

Web authentication is still based on the IEEE 802.1x authentication system: a Java Applet in Internet Explorer replaces the former client software, the device is a layer 3 switch, the authentication server is a standard RADIUS server, and the authentication messages are carried in EAP messages. Because the client is a Java Applet, it cannot send Ethernet frames, so EAP messages cannot be encapsulated in Ethernet frames. Instead, EAP messages are carried over UDP (EAPOU) for authentication and communication between the web client and the web authentication proxy switch. The standard EAPOR protocol is still used between the authentication proxy switch and the authentication server.

47.1.6 The Authentication Methods of 802.1x

Authentication can be initiated either by the supplicant system or by the device. When the device detects an unauthenticated user accessing the network, it sends EAP-Request/Identity messages to the supplicant system to start authentication. Alternatively, the supplicant system can send an EAPOL-Start message to the device via the supplicant software.

802.1x systems support the EAP relay method and the EAP termination method for authenticating against the remote RADIUS server. The following describes the process of these two authentication methods, both started by the supplicant system.

47.1.6.1 EAP Relay Mode

EAP relay is specified in the IEEE 802.1x standard to carry EAP in other higher-level protocols, such as EAP over RADIUS, so that Extensible Authentication Protocol messages can reach the authentication server across complicated networks. In general, EAP relay requires the RADIUS server to support the EAP attributes EAP-Message and Message-Authenticator.
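The following added example, which is not from the manual, shows how the two attributes work together in a relayed Access-Request as defined in RFC 3579: the EAP packet is split across EAP-Message attributes, and Message-Authenticator is an HMAC-MD5 over the whole packet keyed with the RADIUS shared secret. The function names, the shared secret and the sample EAP packet are constructed for illustration, and other attributes such as User-Name are omitted.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RADIUS attribute types (RFC 3579)
ACCESS_REQUEST = 1                            # RADIUS packet code

def attr(a_type, value):
    """Encode one RADIUS attribute: type, length (including 2-byte header), value."""
    return struct.pack("!BB", a_type, len(value) + 2) + value

def build_access_request(ident, req_auth, eap_packet, secret):
    """Wrap an EAP packet in an Access-Request, as the relaying switch would."""
    # An attribute value holds at most 253 bytes, so a long EAP packet is
    # split across consecutive EAP-Message attributes.
    body = b"".join(attr(EAP_MESSAGE, eap_packet[i:i + 253])
                    for i in range(0, len(eap_packet), 253))
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))       # zeroed placeholder
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth
    mac = hmac.new(secret, head + body, hashlib.md5).digest()
    return head + body[:-16] + mac

def parse_and_verify(packet, secret):
    """Return the reassembled EAP packet; raise ValueError on a missing or bad MAC."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    eap, mac, zeroed, pos = b"", None, bytearray(packet), 20
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            raise ValueError("malformed attribute")
        a_type, end = packet[pos], pos + packet[pos + 1]
        if a_type == EAP_MESSAGE:
            eap += packet[pos + 2:end]
        elif a_type == MESSAGE_AUTHENTICATOR:
            if end - pos != 18:
                raise ValueError("bad Message-Authenticator length")
            mac = packet[pos + 2:end]
            zeroed[pos + 2:end] = bytes(16)   # field is zero while the HMAC is computed
        pos = end
    if mac is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator mismatch")
    return eap

# Constructed sample: EAP-Response/Identity for user "alice", made-up secret.
SECRET = b"constructed-shared-secret"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
SAMPLE_PACKET = build_access_request(7, bytes(range(16)), SAMPLE_EAP, SECRET)
```

A receiver that accepts EAP-Message without checking Message-Authenticator lets anyone on the path alter the relayed EAP data, which is why the parser rejects a packet that lacks the attribute.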

EAP is a widely used authentication framework that transports the actual authentication protocol rather than being a specific authentication mechanism itself. EAP provides some common functions and allows negotiation of the desired authentication mechanisms, which are called EAP methods. The advantage of EAP is that the EAP mechanism, working as a base, needs no adjustment when a new authentication protocol appears. The following figure illustrates the protocol stack of the EAP authentication method.
