3Com Switch 4200G Configuration Guide

CHAPTER 21: 802.1X CONFIGURATION
Figure 51 802.1x authentication procedure (in EAP terminating mode)
The authentication procedure in EAP terminating mode is the same as that in the EAP
relay mode except that the randomly-generated key in the EAP terminating mode is
generated by the switch, and that it is the switch that sends the user name, the
randomly-generated key, and the supplicant system-encrypted password to the
RADIUS server for further authentication.
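The conversion described above, as an added example that is not from the 3Com guide or the switch firmware: the supplicant's EAP-MD5 response is the same hash CHAP uses, so the switch can strip the EAP framing and forward the user name, its own challenge, and the hash as RADIUS CHAP attributes. Only the attribute bytes are modeled (no RADIUS header or shared secret); the account, the identifier 7, and the function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60  # RADIUS attribute types (RFC 2865)

def chap_md5(ident: int, password: bytes, challenge: bytes) -> bytes:
    # EAP-MD5 and CHAP share one computation: MD5(identifier || password || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def supplicant_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # EAP-Response (code 2), type 4 (MD5-Challenge): value-size byte, then the hash
    data = bytes([4, 16]) + chap_md5(ident, password, challenge)
    return struct.pack("!BBH", 2, ident, 4 + len(data)) + data

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value  # type, length (incl. header), value

def switch_terminate(eap: bytes, user: bytes, challenge: bytes) -> bytes:
    # The switch issued `challenge` itself; it strips EAP and emits CHAP attributes.
    if len(eap) < 22:
        raise ValueError("EAP packet too short for an MD5 response")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if (code, length, eap[4], eap[5]) != (2, len(eap), 4, 16):
        raise ValueError("not a well-formed EAP-Response/MD5-Challenge")
    return (attr(USER_NAME, user) + attr(CHAP_PASSWORD, bytes([ident]) + eap[6:22])
            + attr(CHAP_CHALLENGE, challenge))

def parse_attrs(buf: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(buf):
        kind, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute")
        out[kind] = buf[i + 2:i + length]
        i += length
    return out

def radius_verify(attrs: bytes, user_db: dict) -> bool:
    a = parse_attrs(attrs)
    password = user_db.get(a.get(USER_NAME))
    chap = a.get(CHAP_PASSWORD, b"")
    if password is None or len(chap) != 17 or CHAP_CHALLENGE not in a:
        return False
    # The server must hold the recoverable password to recompute the hash.
    expected = chap_md5(chap[0], password, a[CHAP_CHALLENGE])
    return hmac.compare_digest(chap[1:], expected)

def run_exchange(typed_password: bytes, user_db: dict, user: bytes = b"alice") -> bool:
    challenge = os.urandom(16)  # generated by the switch in terminating mode
    eap = supplicant_response(7, typed_password, challenge)
    return radius_verify(switch_terminate(eap, user, challenge), user_db)
```
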
802.1x Timer

In 802.1x authentication, the following timers are used to ensure that the supplicant
system, the switch, and the RADIUS server interact in an orderly way:

Transmission timer: This timer sets the tx-period and is triggered by the switch
when the switch sends a request/identity packet to a supplicant system. The
switch sends another request/identity packet to the supplicant system if the
supplicant system fails to send a reply packet to the switch when this timer times
out.

Supplicant system timer: This timer sets the supp-timeout period and is triggered
by the switch when the switch sends a request/challenge packet to a supplicant
system. The switch sends another request/challenge packet to the supplicant
system if the supplicant system fails to respond when this timer times out.

Authentication server timer: This timer sets the server-timeout period. The switch
sends another authentication request packet if the authentication server fails to
respond when this timer times out.
[Figure 51 labels: Supplicant system, Switch, RADIUS server. EAPOL side: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, EAP-Success. RADIUS side: RADIUS Access-Request (CHAP-Response/MD5 Challenge), RADIUS Access-Accept (CHAP-Success). Port accepted; Handshake timer timeout; Handshake request packet [EAP-Request/Identity]; Handshake reply packet [EAP-Response/Identity]; EAPOL-Logoff; Port rejected.]