3Com Switch 7750 Configuration Guide
466 CHAPTER 46: 802.1X CONFIGURATION
■ PEAP creates and uses TLS security channels to ensure data integrity and then
performs new EAP negotiations to verify supplicant systems.
Figure 119 describes the basic EAP-MD5 authentication procedure.
Figure 119 802.1x authentication procedure (in EAP relay mode)
The detailed procedure is as follows.
■ A supplicant system launches an 802.1x client to initiate an access request
by sending an EAPoL-Start packet to the switch, with its user name and
password provided. The 802.1x client program then forwards the packet
to the switch to start the authentication process.
■ Upon receiving the authentication request packet, the switch sends an
EAP-request/identity packet to ask the 802.1x client for the user name.
■ The 802.1x program responds by sending an EAP-response/identity packet to
the switch with the user name included. The switch then encapsulates the
packet in a RADIUS Access-Request packet and forwards it to the RADIUS
server.
■ Upon receiving the user name from the switch, the RADIUS server retrieves the
user name, finds the corresponding password by matching the user name in its
[Figure 119 diagram: message sequence among the supplicant system, the switch, and the RADIUS server.
Supplicant system to switch (EAPoL): EAPoL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; EAP-Success; Port authorized; Handshake timer time out; Handshake requesting packet [EAP-Request/Identity]; Handshake response packet [EAP-Response/Identity]; ......; EAPoL-Logoff.
Switch to RADIUS server (EAPoR): RADIUS Access-Request (EAP-Response/Identity); RADIUS Access-Challenge (EAP-Request/MD5 Challenge); RADIUS Access-Request (EAP-Response/MD5 Challenge); RADIUS Access-Accept (EAP-Success).]
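The EAP packets exchanged in the procedure above, as an added example that is not part of the 3Com guide: it builds the Identity and MD5-Challenge packets in the RFC 3748 layout and checks the response the way the RADIUS server would. The function names and the user store are hypothetical, and the EAPoL and RADIUS encapsulation that the switch adds in relay mode is left out.

```python
import hashlib
import hmac
import os
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
T_IDENTITY, T_MD5 = 1, 4                           # EAP types

def eap(code, ident, eap_type=None, data=b""):
    """Build Code | Identifier | Length | [Type | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Return (code, ident, type, data); reject inconsistent lengths."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or (code in (REQUEST, RESPONSE) and length < 5):
        raise ValueError("bad EAP length")
    return (code, ident, pkt[4], pkt[5:]) if length > 4 else (code, ident, None, b"")

def md5_value(ident, password, challenge):
    """CHAP-style value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def supplicant_reply(request, username, password):
    """Answer an Identity or MD5-Challenge request from the switch."""
    _, ident, eap_type, data = parse(request)
    if eap_type == T_IDENTITY:
        return eap(RESPONSE, ident, T_IDENTITY, username)
    challenge = data[1:1 + data[0]]                # Value-Size, then Value
    value = md5_value(ident, password, challenge)
    return eap(RESPONSE, ident, T_MD5, bytes([len(value)]) + value)

def authenticate(user_db, username, password, challenge=None):
    """Run the relayed exchange; user_db is a constructed RADIUS user store."""
    trace = [eap(REQUEST, 1, T_IDENTITY)]          # switch -> supplicant
    trace.append(supplicant_reply(trace[-1], username, password))
    name = parse(trace[-1])[3]                     # server reads the user name
    challenge = challenge or os.urandom(16)        # fresh per attempt
    trace.append(eap(REQUEST, 2, T_MD5, bytes([len(challenge)]) + challenge))
    trace.append(supplicant_reply(trace[-1], username, password))
    _, ident, _, data = parse(trace[-1])
    stored = user_db.get(name)                     # None for unknown users
    expected = md5_value(ident, stored or b"", challenge)
    ok = stored is not None and hmac.compare_digest(data[1:1 + data[0]], expected)
    trace.append(eap(SUCCESS if ok else FAILURE, ident))
    return ok, trace
```

The password never crosses the wire; only the user name, the challenge and the 16-byte MD5 value do, which is why the server must hold a copy of the password it can feed into the same hash.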