802.1x authentication procedure, EAP relay mode – H3C Technologies H3C S3100 Series Switches User Manual

Operation Manual – 802.1x
H3C S3100-52P Ethernet Switch
Chapter 1 802.1x Configuration
Figure 1-6 The format of an EAP-message field
Type (octet 0) | Length (octet 1) | String (octet 2 onward, carrying the EAP packet)
The Message-authenticator field, whose format is shown in Figure 1-7, is a keyed hash computed over the whole RADIUS packet with the shared secret. It lets the receiver verify that a packet carrying access-request data for CHAP, EAP, and so on came from a peer that holds the shared secret and was not altered in transit. A packet with the EAP-message field must also have the Message-authenticator field; otherwise the packet is regarded as invalid and is discarded.
Figure 1-7 The format of a Message-authenticator field
Type = 80 (octet 0) | Length = 18 (octet 1) | String (octets 2 through 17, a 16-octet value)
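The following is an added example, not code from the H3C manual or from the switch, showing how an authenticator builds the two attributes described above and how a RADIUS server checks them: the Message-authenticator String is HMAC-MD5 of the packet with that String zeroed (RFC 3579 section 3.2), and a packet with EAP-message but no Message-authenticator is discarded. The shared secret, the fixed Request Authenticator, the EAP-Response/Identity payload and the function names are constructed for the demonstration; a real client uses a random 16-octet Request Authenticator.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types used with EAP (RFC 2869 / RFC 3579)
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
USER_NAME = 1
ACCESS_REQUEST = 1

# Constructed sample values for the demo; not from any real deployment.
SECRET = b"example-shared-secret"
FIXED_AUTHENTICATOR = bytes(range(16))      # a real client uses os.urandom(16)
# Constructed EAP-Response/Identity: Code 2, Identifier 1, Length 9, Type 1, "user"
EAP_RESPONSE_IDENTITY = bytes([2, 1, 0, 9, 1]) + b"user"


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1 octet) | Length (1 octet) | String."""
    if len(value) > 253:
        raise ValueError("value does not fit in one attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(blob):
    """Return (type, value, offset) triples, rejecting lengths that run off the end."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[pos + 2:pos + length], pos))
        pos += length
    return attrs


def build_access_request(identifier, authenticator, attrs, secret=None):
    """Build an Access-Request. With a secret, append Message-Authenticator =
    HMAC-MD5(secret, packet) computed with the attribute's String zeroed.
    Without a secret, omit the attribute (a server must then discard the
    packet if it carries EAP-Message)."""
    if secret is None:
        header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
        return header + attrs
    placeholder = encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    total = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, total) + authenticator
    digest = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + encode_attr(MESSAGE_AUTHENTICATOR, digest)


def check_access_request(packet, secret):
    """Server-side check: well formed, Message-Authenticator present whenever
    EAP-Message is present, and the HMAC verifies under the shared secret."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError:
        return False
    has_eap = any(t == EAP_MESSAGE for t, _, _ in attrs)
    macs = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if has_eap and not macs:
        return False            # EAP-Message without Message-Authenticator: discard
    if not macs:
        return True             # nothing to verify on a plain (non-EAP) request
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return False
    value, off = macs[0]
    zeroed = bytearray(packet)
    start = 20 + off + 2        # skip the packet header, then this attribute's Type and Length
    zeroed[start:start + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def demo():
    """Verdicts for a good packet, a wrong secret, a tampered EAP payload,
    and an EAP packet sent without Message-Authenticator."""
    attrs = encode_attr(USER_NAME, b"user") + encode_attr(EAP_MESSAGE, EAP_RESPONSE_IDENTITY)
    good = build_access_request(7, FIXED_AUTHENTICATOR, attrs, SECRET)
    tampered = bytearray(good)
    tampered[-20] ^= 0x01       # flip one byte of the EAP payload; the HMAC no longer matches
    no_mac = build_access_request(7, FIXED_AUTHENTICATOR, attrs)
    return {
        "good": check_access_request(good, SECRET),
        "wrong_secret": check_access_request(good, b"other-secret"),
        "tampered": check_access_request(bytes(tampered), SECRET),
        "missing_mac": check_access_request(no_mac, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Only the HMAC ties the packet to the shared secret; the Request Authenticator alone is random and unauthenticated, which is why a server that relays EAP must refuse EAP-message packets lacking the Message-authenticator rather than merely warn.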
1.1.4 802.1x Authentication Procedure
An H3C S3100-52P Ethernet switch can authenticate supplicant systems in EAP terminating mode or in EAP relay mode.
I. EAP relay mode
This mode is defined in 802.1x. In this mode, EAP packets are encapsulated unchanged in a higher-level protocol, such as EAP over RADIUS (EAPoR), so that they reach the authentication server intact. This mode therefore requires a RADIUS server that supports the two attributes added for EAP: the EAP-message field (type value 79) and the Message-authenticator field (type value 80).
Four authentication methods are available in EAP relay mode: EAP-MD5, EAP-TLS (transport layer security), EAP-TTLS (tunneled TLS), and PEAP (protected extensible authentication protocol).
- EAP-MD5 authenticates only the supplicant system. The RADIUS server sends an MD5 challenge (in an EAP-Request/MD5-Challenge packet) to the supplicant system, which returns an MD5 hash of its password combined with the challenge rather than the password itself.
- EAP-TLS authenticates both the supplicant system and the RADIUS server: each verifies the other's digital certificate, so a rogue server cannot pass as the real one and a rogue client cannot pass as an authorized user.
- EAP-TTLS extends EAP-TLS. EAP-TLS performs bidirectional authentication between the client and the authentication server; EAP-TTLS first establishes a TLS tunnel to the server in the same way and then carries the client's authentication messages inside that tunnel.
- PEAP creates a TLS channel to protect the integrity of the exchange and then runs a second EAP negotiation inside that channel to verify the supplicant system.
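The EAP-MD5 exchange described in the first bullet, written out as an added example that is not part of the manual or of the switch firmware: the server issues an EAP-Request/MD5-Challenge, the supplicant answers with MD5(Identifier || password || Challenge) as defined for the MD5-Challenge method in RFC 3748 (which reuses the CHAP computation of RFC 1994), and the server recomputes the hash from the stored password. Function names, the identifier value, the sample passwords and the candidate list are constructed for the demonstration. The last function goes beyond the text to show why this method authenticates only the supplicant: anyone who captures one challenge/response pair can test password guesses offline without further contact with either side.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the MD5-Challenge method type (RFC 3748 section 5.4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Encode Code (1) | Identifier (1) | Length (2) | [Type (1) | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Return (code, identifier, type or None, type_data), checking the Length field."""
    if len(packet) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length mismatch")
    if length == 4:
        return code, identifier, None, b""
    return code, identifier, packet[4], packet[5:]


def md5_response_value(identifier, password, challenge):
    """The MD5-Challenge response value: MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_challenge(identifier, challenge):
    """EAP-Request/MD5-Challenge; Type-Data is Value-Size (1) | Value."""
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(challenge)]) + challenge)


def supplicant_response(request, password, name=b"user"):
    """Answer an MD5-Challenge request with the hash, never with the password."""
    code, identifier, eap_type, data = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5_CHALLENGE or not data:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    size = data[0]
    challenge = data[1:1 + size]
    if len(challenge) != size:
        raise ValueError("truncated challenge")
    value = md5_response_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([16]) + value + name)


def server_verify(response, identifier, challenge, password):
    """Recompute the hash from the stored password and compare in constant time."""
    code, resp_id, eap_type, data = parse_eap(response)
    if code != EAP_RESPONSE or resp_id != identifier or eap_type != EAP_TYPE_MD5_CHALLENGE:
        return False
    if len(data) < 17 or data[0] != 16:
        return False
    return hmac.compare_digest(data[1:17], md5_response_value(identifier, password, challenge))


def run_exchange(server_password, supplicant_password, challenge=None, identifier=42):
    """Drive one round trip and return the final EAP code (3 = Success, 4 = Failure)."""
    challenge = os.urandom(16) if challenge is None else challenge
    request = server_challenge(identifier, challenge)
    response = supplicant_response(request, supplicant_password)
    ok = server_verify(response, identifier, challenge, server_password)
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)[0]


def offline_guess(identifier, challenge, response_value, candidates):
    """What an eavesdropper can do with one captured request/response pair:
    test candidate passwords until the hash matches. Returns the match or None."""
    for candidate in candidates:
        if md5_response_value(identifier, candidate, challenge) == response_value:
            return candidate
    return None


if __name__ == "__main__":
    print("success" if run_exchange(b"s3cret", b"s3cret") == EAP_SUCCESS else "failure")
```

Nothing in the exchange lets the supplicant tell a genuine server from one that merely emits challenges, and the response is a plain hash of a static password, so EAP-MD5 is only appropriate where the link between supplicant and switch cannot be observed; the TLS-based methods in the remaining bullets address both gaps.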