3Com Switch 4200G Configuration Guide
Introduction to 802.1x 153
Figure 48 The format of an EAP-message field
The Message-authenticator field, as shown in Figure 49, is used to prevent
unauthorized interception of access requesting packets during authentications using
CHAP, EAP, and so on. A packet with the EAP-message field must also have the
Message-authenticator field, otherwise the packet is regarded as invalid and is
discarded.
Figure 49 The format of an Message-authenticator field
802.1x Authentication
Procedure
An S4200G series switch can authenticate supplicant systems in EAP terminating
mode or EAP relay mode.
EAP relay mode
This mode is defined in 802.1x. In this mode, EAP-packets are encapsulated in higher
level protocol (such as EAPoR) packets to allow them successfully reach the
authentication server. This mode normally requires the RADIUS server to support the
two newly-added fields: the EAP-message field (with a value of 79) and the
Message-authenticator field (with a value of 80).
Three authentication ways, EAP-MD5, EAP-TLS (transport layer security), and PEAP
(protected extensible authentication protocol), are available for the EAP relay mode.
■ EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys
(contained in EAP-request/MD5 challenge packets) to the supplicant system, which
in turn encrypts the passwords using the MD5 keys.
■ EAP-TLS authenticates both the supplicant system and the RADIUS server by
checking their security licenses to prevent data from being stolen.
■ PEAP creates and uses TLS security channels to ensure data integrity and then
performs new EAP negotiations to verify supplicant systems.
Figure 50 describes the basic EAP-MD5 authentication procedure.
Type Length String
012
EAP packet
Type Length String
012
EAP packet
type=80 length=18 string...
012 17