4 The Encapsulation of EAP Attributes, 5 The Authentication Methods of 802.1x – QTECH QSW-3400 Configuration Guide User Manual

+7(495) 797-3311 www.qtech.ru
Moscow, Novozavodskaya St., 18, bldg. 1

40.1.4 The Encapsulation of EAP Attributes

RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. Refer to the introduction to the RADIUS protocol in “AAA-RADIUS-HWTACACS operation” for the format of RADIUS messages.

1. EAP-Message

As illustrated in the next figure, this attribute is used to encapsulate EAP packets. Its type code is 79, and the String field should be no longer than 253 bytes. If the data in an EAP packet is longer than 253 bytes, the packet can be divided into fragments, which are then encapsulated in several EAP-Message attributes in their original order.

Figure: The Encapsulation of EAP-Message Attribute

2. Message-Authenticator

As illustrated in the next figure, this attribute is used with authentication methods such as EAP and CHAP to prevent access request packets from being eavesdropped. Any packet containing the EAP-Message attribute should also include Message-Authenticator; otherwise the packet is dropped as invalid.

Figure: Message-Authenticator Attribute
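
The two attributes above, as an added Python example (not code from the QTECH manual or the device): it splits an EAP packet into EAP-Message attributes of at most 253 bytes and, following RFC 3579, computes Message-Authenticator as an HMAC-MD5 over the Access-Request keyed with the RADIUS shared secret, dropping any request whose value is missing or wrong. The function names, the sample EAP packet and the shared secret are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS codes

# Constructed sample: a 600-byte EAP packet (code 2, id 7, type 13) and a made-up secret.
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 600, 13) + bytes(595)
SAMPLE_SECRET = b"example-shared-secret"

def eap_message_attrs(eap: bytes) -> bytes:
    """Split an EAP packet into EAP-Message attributes (<= 253 value bytes), in order."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    return b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks)

def build_access_request(ident: int, eap: bytes, secret: bytes) -> bytes:
    """Build an Access-Request carrying the EAP packet and a Message-Authenticator."""
    attrs = eap_message_attrs(eap) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    pkt = bytearray(header + attrs)
    # HMAC-MD5 over the whole packet while the 16 value bytes are still zero.
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def parse_attrs(pkt: bytes):
    """Return [(type, value_offset, value)], or None if any attribute is malformed."""
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            return None
        attrs.append((pkt[pos], pos + 2, pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return attrs

def accept_eap_request(pkt: bytes, secret: bytes):
    """Return the reassembled EAP packet, or None when the packet must be dropped."""
    length = struct.unpack("!H", pkt[2:4])[0] if len(pkt) >= 20 else 0
    if length < 20 or length > len(pkt) or pkt[0] != ACCESS_REQUEST:
        return None
    pkt = pkt[:length]                       # bytes past Length are padding
    attrs = parse_attrs(pkt) or []
    eap = b"".join(v for t, _, v in attrs if t == EAP_MESSAGE)
    macs = [(off, v) for t, off, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not eap or len(macs) != 1 or len(macs[0][1]) != 16:
        return None                          # no EAP payload, or no usable Message-Authenticator
    off, received = macs[0]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return eap if hmac.compare_digest(received, expected) else None
```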

40.1.5 The Authentication Methods of 802.1x

Authentication can be started either by the supplicant system or by the device. When the device detects an unauthenticated user accessing the network, it sends EAP-Request/Identity messages to the supplicant system to start authentication. Alternatively, the supplicant system can send an EAPOL-Start message to the device through the supplicant software.

802.1x systems support the EAP relay method and the EAP termination method for authentication with the remote RADIUS server. The following describes the process of these two authentication methods, both started by the supplicant system.