R0106-HP MSR Router Series Security Configuration Guide (V7), page 71
Figure 26 EAP-Message attribute format
Message-Authenticator
RADIUS includes the Message-Authenticator attribute in every packet that carries an EAP-Message attribute
so that the receiver can check the packet's integrity. The receiver drops the packet if the integrity value it
calculates differs from the value in the Message-Authenticator attribute. The Message-Authenticator attribute
therefore prevents EAP authentication packets from being tampered with in transit during EAP authentication.
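The integrity check described above, shown as an added example that is not part of the HP guide: the code builds a RADIUS Access-Request carrying an EAP-Message attribute, computes the Message-Authenticator as HMAC-MD5 keyed with the RADIUS shared secret over the packet with the attribute value zeroed (the RFC 2869 definition), and then shows the receiver's accept/drop decision for a correct packet, a tampered EAP-Message, a packet whose Message-Authenticator was stripped, and a wrong shared secret. The shared secret, identity, RADIUS identifier and Request Authenticator are constructed values for the example.

```python
"""Build and verify the RADIUS Message-Authenticator attribute (RFC 2869, HMAC-MD5)."""
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79             # EAP-Message attribute type (RFC 2869)
ATTR_MESSAGE_AUTHENTICATOR = 80   # Message-Authenticator attribute type (RFC 2869)


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("a RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def iter_attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    offset = 20
    while offset < len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % offset)
        yield attr_type, offset + 2, packet[offset + 2:offset + attr_len]
        offset += attr_len


def hmac_md5_over(packet, ma_offset, secret):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed."""
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_access_request(identifier, request_authenticator, eap_message, secret):
    """Access-Request carrying EAP-Message plus a correct Message-Authenticator (last attribute)."""
    attrs = encode_attr(ATTR_EAP_MESSAGE, eap_message)
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # 16-byte placeholder
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    ma_offset = len(packet) - 16
    return packet[:ma_offset] + hmac_md5_over(packet, ma_offset, secret)


def check_message_authenticator(packet, secret):
    """Receiver-side check: returns 'accept' or a 'drop: ...' reason."""
    has_eap, ma = False, None
    for attr_type, off, value in iter_attrs(packet):
        if attr_type == ATTR_EAP_MESSAGE:
            has_eap = True
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return "drop: Message-Authenticator must be 16 bytes"
            ma = (off, value)
    if ma is None:
        return "drop: EAP-Message without Message-Authenticator" if has_eap else "accept"
    expected = hmac_md5_over(packet, ma[0], secret)
    if not hmac.compare_digest(expected, ma[1]):   # constant-time comparison
        return "drop: Message-Authenticator mismatch"
    return "accept"


def tamper_eap_message(packet):
    """Flip one bit inside the EAP-Message value (simulates modification in transit)."""
    for attr_type, off, value in iter_attrs(packet):
        if attr_type == ATTR_EAP_MESSAGE:
            buf = bytearray(packet)
            buf[off + len(value) - 1] ^= 0x01
            return bytes(buf)
    raise ValueError("no EAP-Message attribute")


def strip_message_authenticator(packet):
    """Remove the Message-Authenticator attribute and correct the Length field."""
    out = bytearray(packet[:20])
    for attr_type, off, value in iter_attrs(packet):
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            out += packet[off - 2:off + len(value)]   # copy the whole TLV
    struct.pack_into("!H", out, 2, len(out))
    return bytes(out)


# Constructed sample values (not from the guide).
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))    # fixed here; a real client uses 16 random bytes
IDENTITY = b"alice"
# EAP Response/Identity: Code 2, Identifier 1, Length, Type 1 (Identity), identity string
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 5 + len(IDENTITY)) + b"\x01" + IDENTITY

if __name__ == "__main__":
    pkt = build_access_request(7, REQUEST_AUTHENTICATOR, EAP_RESPONSE_IDENTITY, SHARED_SECRET)
    print("intact:        ", check_message_authenticator(pkt, SHARED_SECRET))
    print("tampered EAP:  ", check_message_authenticator(tamper_eap_message(pkt), SHARED_SECRET))
    print("MA stripped:   ", check_message_authenticator(strip_message_authenticator(pkt), SHARED_SECRET))
    print("wrong secret:  ", check_message_authenticator(pkt, b"wrong-secret"))
```

The Message-Authenticator covers the whole packet, including the Request Authenticator, so an attacker who cannot obtain the shared secret can neither modify the EAP-Message nor forge a replacement; the receiver must also treat an EAP-Message without a Message-Authenticator as invalid, which is why the check drops that case rather than accepting it.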
Figure 27 Message-Authenticator attribute format
Initiating 802.1X authentication
Both the 802.1X client and the access device can initiate 802.1X authentication.
802.1X client as the initiator
The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The
destination MAC address of the packet is either the multicast address specified by IEEE 802.1X
(01-80-C2-00-00-03) or the broadcast MAC address. Broadcast-initiated 802.1X authentication is
supported only on routers installed with the HMIM-24GSW/24GSWP and HMIM-8GSW Layer 2
switching modules.
Access device as the initiator
The access device initiates authentication if a client cannot send EAPOL-Start packets. One example is
the 802.1X client that ships with Windows XP.
The access device supports the following modes:
• Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically
(every 30 seconds by default) to initiate 802.1X authentication.
• Unicast trigger mode—Upon receiving a frame whose source MAC address is not in the MAC
address table, the access device sends an Identity EAP-Request packet out of the receiving port to
that unknown MAC address. The device retransmits the packet if it receives no response within a
certain time interval.
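The two ways of starting authentication, as an added example that is not part of the HP guide: the code encodes the EAPOL-Start frame a client sends (EtherType 0x888E, EAPOL type 1, empty body) and the EAP-Request/Identity frame an access device sends in multicast or unicast trigger mode, then classifies captured frames by initiator and destination address. The client and device MAC addresses are constructed; the PAE group address is the 01-80-C2-00-00-03 address from the text.

```python
"""Encode and classify the EAPOL frames that initiate 802.1X authentication."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 01-80-C2-00-00-03 (IEEE 802.1X)
BROADCAST_ADDRESS = bytes.fromhex("ffffffffffff")
EAPOL_VERSION = 2            # 802.1X-2004 frame version
EAPOL_TYPE_EAP_PACKET = 0    # EAPOL body carries an EAP packet
EAPOL_TYPE_START = 1         # EAPOL-Start
EAP_CODE_REQUEST = 1
EAP_TYPE_IDENTITY = 1


def ethernet_frame(dst, src, payload):
    """Ethernet II frame with the EAPOL EtherType (no FCS)."""
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + payload


def eapol_start(src, dst=PAE_GROUP_ADDRESS):
    """Client-initiated: EAPOL-Start with an empty body."""
    return ethernet_frame(dst, src, struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_START, 0))


def eap_request_identity(dst, src, eap_id):
    """Device-initiated: EAP-Request/Identity carried in an EAPOL EAP-Packet."""
    eap = struct.pack("!BBHB", EAP_CODE_REQUEST, eap_id, 5, EAP_TYPE_IDENTITY)
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return ethernet_frame(dst, src, eapol)


def classify(frame):
    """Describe how a frame relates to starting 802.1X authentication."""
    if len(frame) < 18:
        return "malformed: too short"
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return "not EAPOL"
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        return "malformed: EAPOL length exceeds frame"
    if eapol_type == EAPOL_TYPE_START:
        if dst == PAE_GROUP_ADDRESS:
            return "client-initiated: EAPOL-Start to PAE group address"
        if dst == BROADCAST_ADDRESS:
            return "client-initiated: EAPOL-Start to broadcast"
        return "EAPOL-Start to unexpected destination"
    if eapol_type == EAPOL_TYPE_EAP_PACKET and len(body) >= 5:
        code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
        if code == EAP_CODE_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            if dst == PAE_GROUP_ADDRESS:
                return "device-initiated: multicast trigger (EAP-Request/Identity)"
            return "device-initiated: unicast trigger (EAP-Request/Identity to %s)" % dst.hex(":")
    return "other EAPOL frame (type %d)" % eapol_type


# Constructed MAC addresses for the example.
CLIENT_MAC = bytes.fromhex("001122334455")
DEVICE_MAC = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    samples = [
        eapol_start(CLIENT_MAC),                           # client, multicast destination
        eapol_start(CLIENT_MAC, BROADCAST_ADDRESS),        # client, broadcast destination
        eap_request_identity(PAE_GROUP_ADDRESS, DEVICE_MAC, 1),   # multicast trigger
        eap_request_identity(CLIENT_MAC, DEVICE_MAC, 1),          # unicast trigger
    ]
    for frame in samples:
        print(frame.hex(), "->", classify(frame))
```

Seen from the port, the destination address is the quickest way to tell the two initiators apart: a client always addresses the PAE group (or broadcast) address because it does not yet know the authenticator, while a unicast EAP-Request/Identity from the device is addressed to the exact unknown source MAC that triggered it.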
802.1X authentication procedures
802.1X authentication has two methods: EAP relay and EAP termination. Which one you choose depends
on whether the RADIUS server supports EAP packets and the EAP authentication methods in use.