802.1X authentication procedures, Access device as the initiator – H3C Technologies H3C S12500-X Series Switches User Manual


the authentication server does not support the multicast address, you must use an 802.1X client (for
example, the H3C iNode 802.1X client) that can send broadcast EAPOL-Start packets.

Access device as the initiator

The access device initiates authentication if a client cannot send EAPOL-Start packets. One example is
the 802.1X client available with Windows XP.
The access device supports the following modes:

Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically
(every 30 seconds by default) to initiate 802.1X authentication.

Unicast trigger mode—Upon receiving a frame whose source MAC address is not in the MAC
address table, the access device sends an Identity EAP-Request packet out of the receiving port to
the unknown MAC address. It retransmits the packet if no response has been received within a
certain time interval.

802.1X authentication procedures

802.1X authentication has two modes: EAP relay and EAP termination. Choose a mode
depending on the RADIUS server's support for EAP packets and EAP authentication methods.

EAP relay mode:
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR (EAP over RADIUS)
packets to send authentication information to the RADIUS server, as shown in Figure 27.

Figure 27 EAP relay

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On
the network access device, you only need to use the dot1x authentication-method eap command
to enable EAP relay.

EAP termination mode:
In EAP termination mode, the network access device terminates the EAP packets received from the
client, encapsulates the client authentication information in standard RADIUS packets, and uses
PAP or CHAP to authenticate to the RADIUS server, as shown in Figure 28.

Figure 28 EAP termination