Unsolicited triggering of a client, Unsolicited triggering of the device, Authentication process of 802.1x – H3C Technologies H3C S5120 Series Switches User Manual

Unsolicited triggering of a client

A client initiates authentication by sending an EAPOL-Start packet to the device. The destination address of the packet is 01-80-C2-00-00-03, the PAE group address specified by IEEE 802.1X.

Some devices between the client and the authenticator drop frames sent to this address (it lies in the 01-80-C2-00-00-0x range that IEEE 802.1D bridges are required not to forward), so the authentication device never receives the client's request. To work around this, the device also accepts EAPOL-Start packets whose destination is the broadcast MAC address FF-FF-FF-FF-FF-FF. Because a standards-conforming supplicant sends EAPOL-Start only to the group address, this mode requires the H3C iNode 802.1X client.

Unsolicited triggering of the device

The device can trigger authentication by periodically sending EAP-Request/Identity packets to unauthenticated clients (every 30 seconds by default). This covers clients that cannot send EAPOL-Start packets and therefore cannot trigger authentication themselves, for example the 802.1X client built into Windows XP.
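As an added illustration (not taken from the H3C manual or the switch's own software), the two triggers above encoded and checked in Python: the client's EAPOL-Start with the group or the broadcast destination, the device's EAP-Request/Identity, an authenticator-side parser that enforces the destination rule, and a helper that implements the 30-second retry schedule. The MAC addresses, port names and the accept_broadcast_start switch are assumptions made for the example; the frame layouts follow IEEE 802.1X and RFC 3748.

```python
import struct

ETH_P_PAE = 0x888E                                # EtherType for EAPOL (IEEE 802.1X)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")    # 01-80-C2-00-00-03, the PAE group address
BROADCAST_ADDR = b"\xff" * 6                      # FF-FF-FF-FF-FF-FF, the iNode fallback
EAPOL_VERSION = 1

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE = 1, 2                        # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY = 1


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def eapol_frame(dst, src, eapol_type, body=b""):
    """Ethernet II frame (without FCS) carrying one EAPOL PDU."""
    header = struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body))
    return dst + src + struct.pack("!H", ETH_P_PAE) + header + body


def eapol_start(src, use_broadcast=False):
    """Client-side trigger. use_broadcast=True models the iNode fallback for
    networks that drop the PAE group address (assumed behaviour for this example)."""
    dst = BROADCAST_ADDR if use_broadcast else PAE_GROUP_ADDR
    return eapol_frame(dst, src, EAPOL_START)


def eap_request_identity(dst, src, identifier):
    """Device-side trigger: EAP-Request/Identity inside an EAPOL EAP-Packet."""
    return eapol_frame(dst, src, EAPOL_EAP_PACKET,
                       eap_packet(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY))


def parse_eapol(frame, accept_broadcast_start=False):
    """Authenticator-side parse of a frame received from a supplicant.

    Only the PAE group address is accepted as destination, plus the broadcast
    address for EAPOL-Start when the iNode-style fallback is enabled.
    Returns a dict; raises ValueError for anything malformed or off-policy.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    broadcast_ok = accept_broadcast_start and eapol_type == EAPOL_START
    if dst != PAE_GROUP_ADDR and not (dst == BROADCAST_ADDR and broadcast_ok):
        raise ValueError("unexpected destination " + dst.hex("-"))
    result = {"dst": dst, "src": src, "eapol_type": eapol_type, "eap": None}
    if eapol_type == EAPOL_EAP_PACKET:
        if length < 4:
            raise ValueError("EAP packet shorter than its header")
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length inconsistent with EAPOL length")
        result["eap"] = {"code": code, "identifier": identifier,
                         "type": body[4] if eap_len > 4 else None,
                         "data": body[5:eap_len]}
    return result


def is_valid_trigger(frame, accept_broadcast_start=False):
    """True if the frame is an EAPOL-Start the authenticator would act on."""
    try:
        return parse_eapol(frame, accept_broadcast_start)["eapol_type"] == EAPOL_START
    except ValueError:
        return False


def ports_due_for_identity_request(last_sent, now, interval=30.0):
    """Unauthenticated ports that get an EAP-Request/Identity on this tick.
    last_sent maps port name -> time of the last request (None = never sent)."""
    return [port for port, t in last_sent.items() if t is None or now - t >= interval]


if __name__ == "__main__":
    client, switch = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")  # constructed MACs
    print("EAPOL-Start (group):    ", eapol_start(client).hex())
    print("EAPOL-Start (broadcast):", eapol_start(client, use_broadcast=True).hex())
    print("EAP-Request/Identity:   ", eap_request_identity(PAE_GROUP_ADDR, switch, 1).hex())
    print("broadcast start accepted by default?",
          is_valid_trigger(eapol_start(client, use_broadcast=True)))
    print("ports due:", ports_due_for_identity_request(
        {"GE1/0/1": None, "GE1/0/2": 100.0, "GE1/0/3": 80.0}, now=120.0))
```

Two points the code makes explicit: the broadcast fallback is a policy switch on the authenticator, off unless the deployment actually uses iNode clients, because it widens what the port will react to; and the periodic EAP-Request/Identity is unauthenticated cleartext on the wire, so an attacker on the segment can see which ports are still unauthenticated.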

Authentication Process of 802.1X

An 802.1X device communicates with a remote RADIUS server in one of two modes: EAP relay and EAP termination. The following description uses EAP relay to show the 802.1X authentication process.

EAP relay

EAP relay is the mode described by IEEE 802.1X; the encapsulation it relies on, EAP over RADIUS, is specified in RFC 3579. In this mode the device does not interpret the EAP exchange: the EAP packets are carried unchanged inside an upper-layer protocol such as RADIUS, so they can cross a routed network and reach the authentication server. Relaying EAP requires that the RADIUS server support the EAP-Message (attribute 79) and Message-Authenticator (attribute 80) attributes. EAP-Message carries the EAP packet (split across several attributes when it exceeds 253 bytes); Message-Authenticator is an HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret, which integrity-protects every RADIUS packet carrying EAP-Message (the Request Authenticator alone gives an Access-Request no integrity protection).

Figure 1-8 shows the EAP packet exchange procedure with EAP-MD5.
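The RADIUS leg of that exchange as an added example (not from the H3C manual or the switch's own software): the authenticator wraps one EAP packet in an Access-Request with EAP-Message and a Message-Authenticator computed as RFC 3579 requires, and the server verifies the HMAC before it reassembles the EAP packet and checks the EAP-MD5 response from the figure. The shared secret, password, RADIUS identifiers and the fixed Request Authenticator and challenge are constructed values for the example; a real authenticator and server generate the last two randomly per request.

```python
import hashlib
import hmac
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80     # RFC 3579
NAS_PORT_TYPE_ETHERNET = 15
EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 2, 1, 4   # RFC 3748


def radius_attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value(1..253)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response(identifier, eap_type, data):
    """EAP Response: Code=2 Identifier Length Type Type-Data."""
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 5 + len(data)) + bytes([eap_type]) + data


def relay_eap(secret, identifier, request_authenticator, user_name, eap):
    """Authenticator side: wrap one EAP packet in an Access-Request.
    EAP-Message carries the EAP bytes (split at 253); Message-Authenticator is
    HMAC-MD5(secret, request with the Message-Authenticator value zeroed)."""
    attrs = radius_attr(ATTR_USER_NAME, user_name)
    attrs += radius_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for i in range(0, len(eap), 253):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder, last attribute
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    pkt += request_authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_attrs(pkt):
    """List of (type, value, offset_of_value) for every attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("dangling attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 3 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen], pos + 2))
        pos += alen
    return attrs


def verify_and_extract_eap(secret, pkt):
    """Server side: the reassembled EAP packet if Message-Authenticator verifies,
    None if it does not; ValueError for a structurally bad request."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs = parse_attrs(pkt)
    mas = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        raise ValueError("Access-Request carrying EAP-Message needs exactly one Message-Authenticator")
    value, off = mas[0]
    expected = hmac.new(secret, pkt[:off] + bytes(16) + pkt[off + 16:], hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return None                                   # spoofed, tampered or wrong shared secret
    eap = b"".join(v for t, v, _ in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("reassembled EAP packet has inconsistent length")
    return eap


def md5_challenge_response(identifier, password, challenge):
    """Supplicant side of EAP-MD5 (RFC 3748 section 5.4): Value = MD5(Identifier || password || challenge)."""
    digest = hashlib.md5(bytes([identifier]) + password + challenge).digest()
    return eap_response(identifier, EAP_TYPE_MD5, bytes([len(digest)]) + digest)


def server_checks_md5(eap, password, challenge):
    """RADIUS server side: recompute the digest for the challenge it issued."""
    if len(eap) < 22 or eap[4] != EAP_TYPE_MD5 or eap[5] != 16:
        return False
    expected = hashlib.md5(bytes([eap[1]]) + password + challenge).digest()
    return hmac.compare_digest(expected, eap[6:22])


if __name__ == "__main__":
    secret, password = b"s3cret", b"password"                       # constructed for the example
    req_auth = bytes(range(16))                                     # constructed; real ones are random
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed; real ones are random
    identity = eap_response(1, EAP_TYPE_IDENTITY, b"alice")
    print("relayed Identity ok:", verify_and_extract_eap(secret, relay_eap(secret, 7, req_auth, b"alice", identity)) == identity)
    md5 = md5_challenge_response(2, password, challenge)
    eap_at_server = verify_and_extract_eap(secret, relay_eap(secret, 8, req_auth, b"alice", md5))
    print("EAP-MD5 accepted:", server_checks_md5(eap_at_server, password, challenge))
```

Message-Authenticator only binds the RADIUS packet to the shared secret between switch and server; it does nothing for the EAPOL leg, and EAP-MD5 itself authenticates only the client, so anyone who captures the challenge and response on the access segment can run an offline dictionary attack against the password. That is why the server side above refuses a request without exactly one Message-Authenticator rather than treating it as optional.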