H3C Technologies H3C WX6000 Series Access Controllers User Manual

35-7

Figure 35-8 802.1X authentication procedure in EAP relay mode

EAPOL

EAPOR

EAPOL-Start

EAP-Request / Identity

EAP-Response / Identity

EAP-Request / MD5 challenge

EAP-Success

EAP-Response / MD5 challenge

RADIUS Access-Request

(EAP-Response / Identity)

RADIUS Access-Challenge

(EAP-Request / MD5 challenge)

RADIUS Access-Accept

(EAP-Success)

RADIUS Access-Request

(EAP-Response / MD5 challenge)

Handshake request

( EAP-Request / Identity )

Handshake response

( EAP-Response / Identity )

EAPOL-Logoff

......

Client

Device

Server

Port authorized

Handshake timer

Port unauthorized

1) When a user launches the 802.1X client software and enters the registered username and

password, the 802.1X client software generates an EAPOL-Start frame and sends it to the device

to initiate an authentication process.

2) Upon receiving the EAPOL-Start frame, the device responds with an EAP-Request/Identity packet

for the username of the client.

3) When the client receives the EAP-Request/Identity packet, it encapsulates the username in an

EAP-Response/Identity packet and sends the packet to the device.

4) Upon receiving the EAP-Response/Identity packet, the device relays the packet in a RADIUS

Access-Request packet to the authentication server.

5) When receiving the RADIUS Access-Request packet, the RADIUS server compares the identify

information against its user information table to obtain the corresponding password information.

Then, it encrypts the password information using a randomly generated challenge, and sends the

challenge information through a RADIUS Access-Challenge packet to the device.

6) After receiving the RADIUS Access-Challenge packet, the device relays the contained

EAP-Request/MD5 Challenge packet to the client.