beautypg.com

Eap relay mode – H3C Technologies H3C S3600 Series Switches User Manual

Page 479

background image

1-6

EAP relay mode

This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol

(such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this

mode requires that the RADIUS server support the two newly-added fields: the EAP-message field

(with a value of 79) and the Message-authenticator field (with a value of 80).

Four authentication ways, namely EAP-MD5, EAP-TLS (transport layer security), EAP-TTLS (tunneled

transport layer security), and Protected Extensible Authentication Protocol (PEAP), are available in the

EAP relay mode.

z

EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained in

EAP-request/MD5 challenge packets) to the supplicant system, which in turn encrypts the

passwords using the MD5 keys.

z

EAP-TLS allows the supplicant system and the RADIUS server to check each other’s security

certificate and authenticate each other’s identity, guaranteeing that data is transferred to the right

destination and preventing data from being intercepted.

z

EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication

between the client and authentication server. EAP-TTLS transmit message using a tunnel

established using TLS.

z

PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP

negotiations to verify supplicant systems.

Figure 1-8

describes the basic EAP-MD5 authentication procedure.

Figure 1-8 802.1x authentication procedure (in EAP relay mode)

Supplicant system

PAE

RADUIS

server

EAPOL

EAPOR

EAPOL-Start

EAP- Request / Identity

EAP- Response / Identity

EAP- Request / MD5 challenge

EAP-Success

EAP- Response / MD5 challenge

RADIUS Access - Request

(EAP- Response / Identity)

RADIUS Access -Challenge

( EAP- Request / MD5 challenge)

RADIUS Access -Accept

(EAP-Success)

RADIUS Access - Request

( EAP- Response /

MD5 challenge)

Port authorized

Handshake timer

Handshake request

[ EAP- Request / Identity ]

Handshake response

[ EAP- Response / Identity ]

EAPOL-Logoff

......

Port unauthorized

Authenticator system

PAE

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: