3Com Switch 7750 Configuration Guide Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve 8116fl Redundant Switch Fabric Module

461

462

463

464

465

466

467

468

469

470

Introduction to 802.1x 465

■ The Type Date field differs according to different types of Request and

Response packets.

Newly added fields for EAP authentication

Two fields, EAP-message and Message-authenticator, are added to a RADIUS

protocol packet for EAP authentication. (Refer to the Introduction to RADIUS

protocol section in the AAA&RADIUS&RADIUS&HWTACACS&EAD Operation

Manual for format of a RADIUS protocol packet.)

The EAP-message field, shown in Figure 117, is used to encapsulate EAP packets.

The maximum size of the string field is 253 bytes. EAP packets with their size

larger than 253 bytes are fragmented and stored in multiple EAP-message fields.

The type code of the EAP-message field is 79.

Figure 117 The format of an EAP-message field

The Message-authenticator field, as shown in Figure 118, can be used to prevent

interception of access request packets during authentications using CHAP, EAP,

and so on. A packet with the EAP-message field must also have the

Message-authenticator field, otherwise the packet is regarded as invalid and is

discarded.

Figure 118 The format of an Message-authenticator field

802.1x Authentication

Procedure

A 3Com Switch 7750 can authenticate supplicant systems in EAP terminating

mode or EAP relay mode.

EAP relay mode

This mode is defined in 802.1x. In this mode, EAP-packets are encapsulated in

higher level protocol (such as EAPoR) packets to allow them successfully reach the

authentication server. This mode normally requires the RADIUS server to support

the two newly-added fields: the EAP-message field (with a value of 79) and the

Message-authenticator field (with a value of 80).

Three authentication ways, EAP-MD5, EAP-TLS (transport layer security), and PEAP

(protected extensible authentication protocol), are available for the EAP relay

mode.

■ EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5

keys (contained in EAP-request/MD5 challenge packets) to the supplicant

system, which in turn encrypts the passwords using the MD5 keys.

■ EAP-TLS authenticates both the supplicant system and the RADIUS server by

checking their security licenses to prevent data from being stolen.

Type Length String

EAP packet

Type Length String

EAP packet

type=80 length=18 string...

12 17