3Com Switch 7750 Configuration Guide
394 CHAPTER 39: 802.1X CONFIGURATION
Three authentication ways, EAP-MD5, EAP-TLS (transport layer security), and PEAP
(protected extensible authentication protocol), are available for the EAP relay
mode.
■ EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5
keys (contained in EAP-request/MD5 challenge packets) to the supplicant
system, which in turn encrypts the passwords using the MD5 keys.
■ EAP-TLS authenticates both the supplicant system and the RADIUS server by
checking their security licenses to prevent data from being stolen.
■ PEAP creates and uses TLS security channels to ensure data integrity and then
performs new EAP negotiations to verify supplicant systems.
Figure 95 describes the basic EAP-MD5 authentication procedure.
Figure 95 802.1x authentication procedure (in EAP relay mode)
The detailed procedure is as follows.
■ A supplicant system launches an 802.1x client to initiate an access request
through the sending of an EAPoL-start packet to the switch, with its user name
and password provided. The 802.1x client program then forwards the packet
to the switch to start the authentication process.
Supplicant system
PAE
RADUIS
server
EAPOL EAPOR
EAPOL-Start
EAP- Request / Identity
EAP- Response / Identity
EA P- Request / MD5 chall enge
EAP-Success
EAP- Response / MD5 challenge
RADIUS Access - Request
(EAP- Response / Identity)
RADIUS Access -Challenge
( EAP- Request / MD5 challenge)
RADIUS Access -Accept
(EAP-Success)
RADIUS Access - Request
( EAP- Response / MD5 challenge)
Port authorized
Handshake timer
Handshake request
[ EAP- Request / Identity ]
Handshake response
[ EAP- Response / Identity ]
EAPOL-Logoff
......
Port unauthorized
Authenticator system
PAE