beautypg.com

Eap termination – H3C Technologies H3C S7500E Series Switches User Manual

Page 98

background image

5-8

7) When receiving the EAP-Request/MD5 Challenge packet, the client uses the offered

challenge to encrypt the password part (this process is not reversible), creates an

EAP-Response/MD5 Challenge packet, and then sends the packet to the device.

8) After receiving the EAP-Response/MD5 Challenge packet, the device relays the packet in a

RADIUS Access-Request packet to the authentication server.

9) When receiving the RADIUS Access-Request packet, the RADIUS server compares the

password information encapsulated in the packet with that generated by itself. If the two

are identical, the authentication server considers the user valid and sends to the device a

RADIUS Access-Accept packet.

10) Upon receiving the RADIUS Access-Accept packet, the device opens the port to grant the

access request of the client.

11) After the client gets online, the device periodically sends handshake requests to the client

to check whether the client is still online. By default, if two consecutive handshake attempts

end up with failure, the device concludes that the client has logged off and performs the

necessary operations, guaranteeing that the device always knows when a client logs off.

12) After receiving the handshake requests, the client returns responses to the device to

indicate the user is still online.

13) The client can also send an EAPOL-Logoff packet to the device to log off unsolicitedly. In

this case, the device changes the status of the port from authorized to unauthorized and

sends an EAP-Failure packet to the client.

In EAP relay mode, a client must use the same authentication method as that of the RADIUS

server. On the device, however, you only need to execute the dot1x authentication-method

eap command to enable EAP relay.

EAP termination

In EAP termination mode, EAP packets are terminated at the device and then repackaged into

the PAP or CHAP attributes of RADIUS and transferred to the RADIUS server for authentication,

authorization, and accounting.

Figure 5-8

shows the message exchange procedure with CHAP

authentication.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: