Unsolicited triggering of the device, Authentication process of 802.1x, Eap relay – H3C Technologies H3C WX6000 Series Access Controllers User Manual


35-6

Some devices in the network may not support multicast packets with the above destination address and, as a result, cannot receive the authentication requests of clients. To solve this problem, the device also supports EAPOL-Start packets that use a broadcast MAC address as the destination address. This solution requires the H3C iNode 802.1X client.

Unsolicited triggering of the device

The device can trigger authentication by periodically (every 30 seconds by default) sending EAP-Request/Identity packets to unauthenticated clients. This method can be used to authenticate clients that cannot send EAPOL-Start packets on their own to trigger authentication, for example, a client running the 802.1X client application provided by Windows XP.

Authentication Process of 802.1X

An 802.1X device communicates with a remote RADIUS server in one of two modes: EAP relay and EAP termination. The following describes the 802.1X authentication procedure in the two modes; in the examples, authentication is triggered by the client.

EAP relay

EAP relay is defined in IEEE 802.1X. In this mode, EAP packets are carried in an upper-layer protocol, such as RADIUS, so that they can traverse complex networks and reach the authentication server. Generally, relaying EAP requires that the RADIUS server support the EAP-Message and Message-Authenticator attributes, which are used, respectively, to encapsulate EAP packets and to protect RADIUS packets carrying the EAP-Message attribute.

Figure 35-8 shows the message exchange procedure with EAP-MD5.
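The two RADIUS attributes named above are what make EAP relay work: EAP-Message (type 79) wraps the EAP packet received from the client, and Message-Authenticator (type 80) is an HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret, that lets the server reject relayed packets that were forged or altered in transit. The following added example, which is not from the H3C manual and uses a constructed shared secret and identity, builds an Access-Request that relays an EAP-Response/Identity and then verifies and unwraps it the way an authentication server would.

```python
import hmac
import hashlib
import struct

ACCESS_REQUEST = 1               # RADIUS code (RFC 2865)
ATTR_EAP_MESSAGE = 79            # carries the EAP packet (RFC 3579)
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the whole RADIUS packet
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity as the client sends it in EAPOL and the device relays."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity

def build_access_request(ident, req_authenticator, eap_packet, secret):
    """Relay an EAP packet inside Access-Request, protected by Message-Authenticator."""
    attrs = attr(ATTR_EAP_MESSAGE, eap_packet) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_authenticator + attrs
    # The HMAC is computed with the Message-Authenticator value field set to zeros
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    pos = 20 + 2 + len(eap_packet) + 2  # offset of the zeroed 16-byte value
    return pkt[:pos] + mac + pkt[pos + 16:]

def parse_attrs(pkt):
    """Yield (type, value, value_offset) for each attribute after the 20-byte header."""
    off = 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield atype, pkt[off + 2:off + alen], off + 2
        off += alen

def verify_and_extract_eap(pkt, secret):
    """Check Message-Authenticator; return the relayed EAP packet, or None if the check fails."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    attrs = list(parse_attrs(pkt))
    mas = [(v, o) for t, v, o in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1:  # RFC 3579 requires it whenever EAP-Message is present
        return None
    value, off = mas[0]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return None
    # Long EAP packets are split over several EAP-Message attributes; reassemble them in order
    return b"".join(v for t, v, _ in attrs if t == ATTR_EAP_MESSAGE)
```

A server that skips the Message-Authenticator check accepts any EAP-Message a host on the path chooses to inject, which is why the manual calls the attribute a requirement rather than an option.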
