4 the encapsulation of eap attributes, 5 web authentication proxy based on 802.1x – PLANET XGS3-24040 User Manual

Chapter 47 802.1x Configuration
Identifier: used to match Request and Response messages.
Length: the length of the EAP packet in bytes, covering the Code, Identifier, Length and Data fields.
Data: the content of the EAP packet, depending on the Code type.
47.1.4 The Encapsulation of EAP Attributes
RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. Please
refer to the introduction to the RADIUS protocol in “AAA-RADIUS-HWTACACS operation” for the format of
RADIUS messages.
1. EAP-Message
As illustrated in the next figure, this attribute is used to encapsulate an EAP packet. Its type code is 79, and
its String field should be no longer than 253 bytes. If the data in an EAP packet is longer than 253 bytes, the
packet can be divided into fragments, which are then encapsulated in several EAP-Message attributes in
their original order.
Figure 2-6 The Encapsulation of EAP-Message Attribute
2. Message-Authenticator
As illustrated in the next figure, this attribute is used with authentication methods such as EAP
and CHAP to prevent access request packets from being eavesdropped. Message-Authenticator should
be included in packets that contain the EAP-Message attribute; otherwise the packet will be dropped as
invalid.
Figure 2-7 Message-Authenticator Attribute
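The two attributes described above, shown as an added example that is not taken from the PLANET manual or the switch firmware: an EAP packet is split into ordered EAP-Message attributes, protected with Message-Authenticator, then verified and reassembled on receipt. Assumptions not stated on the page: Message-Authenticator is attribute type 80 and is an HMAC-MD5 over the whole Access-Request keyed with the RADIUS shared secret (RFC 2869 / RFC 3579); the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE = 79            # attribute type stated in the manual
MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 2869, not stated on the page
MAX_VALUE = 253             # longest String field of one attribute

def eap_to_attributes(eap: bytes) -> bytes:
    """Split one EAP packet into EAP-Message attributes, in original order."""
    parts = (eap[i:i + MAX_VALUE] for i in range(0, len(eap), MAX_VALUE))
    return b"".join(bytes([EAP_MESSAGE, len(p) + 2]) + p for p in parts)

def build_access_request(ident: int, eap: bytes, secret: bytes) -> bytes:
    """Access-Request (code 1) carrying EAP plus a Message-Authenticator."""
    attrs = eap_to_attributes(eap) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    # HMAC-MD5 over the whole packet while the 16-byte value is still zeroed
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse_and_verify(pkt: bytes, secret: bytes) -> bytes:
    """Return the reassembled EAP packet, or raise ValueError."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    eap, mac, zeroed, pos = b"", None, bytearray(pkt), 20
    while pos < len(pkt):
        if len(pkt) - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]  # concatenate fragments in order
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac = pkt[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if mac is None:  # per the manual, such a packet is dropped as invalid
        raise ValueError("Message-Authenticator missing")
    if not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
        raise ValueError("Message-Authenticator mismatch")
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP Length does not match reassembled data")
    return eap

# Constructed sample: EAP Response (Code 2), Identifier 7, 600 bytes of Data
SAMPLE_EAP = struct.pack("!BBH", 2, 7, 604) + bytes(range(200)) * 3
SAMPLE_SECRET = b"constructed-shared-secret"
```

The 604-byte sample packet is carried as three EAP-Message attributes of 253, 253 and 98 bytes; changing any byte of the request, or verifying with a different shared secret, makes `parse_and_verify` reject it.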
47.1.5 Web Authentication Proxy based on 802.1x
The prior 802.1x authentication system followed the IEEE 802.1x authentication system in its
architecture, working mechanism and business processes. The client authentication pattern of the prior
authentication system is private. The devices are layer 2 switches and the authentication server is a RADIUS
server. The EAP protocol is used as the authentication message pattern. EAPOL encapsulation is used between
the client and the authentication proxy switch, that is, the EAP message is encapsulated in the Ethernet frame
for authentication and communication. EAPOR encapsulation is used between the authentication proxy
switch and the authentication server, that is, the EAP message is carried over the RADIUS protocol for
authentication and communication. It can also be forwarded by the device, transmitting the PAP protocol message or