1x authentication procedures – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

108

•

Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC

address table, the access device sends an Identity EAP-Request packet out of the receiving port to
the unknown MAC address. It retransmits the packet if no response has been received within a

certain time interval.

802.1X authentication procedures

802.1X authentication has two approaches: EAP relay and EAP termination. You choose either mode
depending on the support of the RADIUS server for EAP packets and EAP authentication methods.
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPoR packets to send

authentication information to the RADIUS server, as shown in

Figure 58

.

Figure 58 EAP relay

NOTE:
•

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the
network access device, you only need to execute the dot1x authentication-method eap command to
enable EAP relay.

•

Some network access devices provide the EAP server function so you can use EAP relay even if the
RADIUS server does not support any EAP authentication method or no RADIUS server is available. For

the local EAP authentication configuration procedure, see "Configuring AAA" in this configuration
guide.

In EAP termination mode, the network access device terminates the EAP packets received from the client,
encapsulates the client authentication information in standard RADIUS packets, and uses (Password

Authentication Protocol) PAP or (Password Authentication Protocol) CHAP to authenticate to the RADIUS

server, as shown in

Figure 59

.

Figure 59 EAP termination