H3C Technologies H3C S7500E Series Switches User Manual

Figure 5-7 802.1X authentication procedure in EAP relay mode

[Figure: message sequence between Client, Device and Server, with EAPOL and EAPOR as the two exchange labels. Messages: (1) EAPOL-Start; (2) EAP-Request/Identity; (3) EAP-Response/Identity; (4) RADIUS Access-Request (EAP-Response/Identity); (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge); (6) EAP-Request/MD5 challenge; (7) EAP-Response/MD5 challenge; (8) RADIUS Access-Request (EAP-Response/MD5 challenge); (9) RADIUS Access-Accept (EAP-Success); (10) EAP-Success; (11) Handshake request (EAP-Request/Identity); (12) Handshake response (EAP-Response/Identity); (13) EAPOL-Logoff. Other labels: Port authorized, Handshake timer, Port unauthorized.]

1) When a user launches the 802.1X client software and enters the registered username and password, the 802.1X client software generates an EAPOL-Start packet and sends it to the device to initiate an authentication process.

2) Upon receiving the EAPOL-Start packet, the device responds with an EAP-Request/Identity packet for the username of the client.

3) When the client receives the EAP-Request/Identity packet, it encapsulates the username in an EAP-Response/Identity packet and sends the packet to the device.

4) Upon receiving the EAP-Response/Identity packet, the device relays the packet in a RADIUS Access-Request packet to the authentication server.

5) Upon receiving the RADIUS Access-Request packet, the RADIUS server compares the identity information against its user information database to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the device.

6) After receiving the RADIUS Access-Challenge packet, the device relays the contained EAP-Request/MD5 Challenge packet to the client.
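
The relay-mode exchange above can be traced in code. The following Python sketch is an added example, not taken from the H3C manual or the device firmware; it follows the challenge through steps 5 and 6 and on to the response and server decision shown as messages (7) to (9) in Figure 5-7. It assumes the standard encodings from RFC 3748, IEEE 802.1X and RFC 3579, where the MD5-Challenge response is MD5(identifier || password || challenge), so the password itself is never sent. All function names and sample credentials are constructed for illustration.

```python
import hashlib, hmac, os, struct

# Values from RFC 3748 (EAP), IEEE 802.1X (EAPOL) and RFC 3579 (RADIUS EAP-Message).
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_MD5 = 1, 4
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
RADIUS_EAP_MESSAGE = 79

def eapol(pkt_type, payload=b"", version=1):
    """EAPOL frame body: version, packet type, payload length, payload."""
    return struct.pack("!BBH", version, pkt_type, len(payload)) + payload

def eap(code, ident, eap_type, data=b""):
    """EAP Request/Response: code, identifier, total length, type, type-data."""
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data

def parse_eap(pkt):
    """Parse an EAP Request/Response, rejecting truncated or mis-sized packets."""
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 5 <= length <= len(pkt):
        raise ValueError("bad EAP length field")
    return code, ident, pkt[4], pkt[5:length]

def relay(eapol_frame):
    """Steps 4 and 8 (device): unwrap EAPOL and carry the EAP packet unchanged
    in RADIUS EAP-Message attributes, whose values hold at most 253 bytes."""
    if len(eapol_frame) < 4 or eapol_frame[1] != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet frame")
    pkt = eapol_frame[4:4 + struct.unpack("!H", eapol_frame[2:4])[0]]
    chunks = [pkt[i:i + 253] for i in range(0, len(pkt), 253)]
    return [bytes([RADIUS_EAP_MESSAGE, 2 + len(c)]) + c for c in chunks]

def md5_value(ident, password, challenge):  # MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()
def md5_packet(code, ident, value):         # type-data = value-size byte + value
    return eap(code, ident, TYPE_MD5, bytes([len(value)]) + value)

def authenticate(stored_password, typed_password, ident=2):
    """Steps 5-9: True when the server would answer with RADIUS Access-Accept."""
    challenge = os.urandom(16)                                   # step 5, server
    request = md5_packet(EAP_REQUEST, ident, challenge)          # step 6, relayed to client
    _, rid, _, data = parse_eap(request)                         # client reads the challenge
    response = md5_packet(EAP_RESPONSE, rid, md5_value(rid, typed_password, data[1:1 + data[0]]))
    attrs = relay(eapol(EAPOL_EAP_PACKET, response))             # steps 7-8
    code, sid, etype, d = parse_eap(b"".join(a[2:] for a in attrs))  # server reassembles
    return (code == EAP_RESPONSE and sid == ident and etype == TYPE_MD5 and
            hmac.compare_digest(d[1:1 + d[0]], md5_value(ident, stored_password, challenge)))
```

Because the device only re-encapsulates EAP in relay mode, the credential check happens entirely on the RADIUS server, and the strength of the exchange is that of the EAP method carried inside it.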