3Com Switch 7750 Configuration Guide
Introduction to 802.1x 395
■ Upon receiving the authentication request packet, the switch sends an
EAP-request/identity packet to ask the 802.1x client for the user name.
■ The 802.1x program responds by sending an EAP-response/identity packet to
the switch with the user name included. The switch then encapsulates the
packet in a RADIUS Access-Request packet and forwards it to the RADIUS
server.
■ Upon receiving the user name from the switch, the RADIUS server retrieves the
user name, finds the corresponding password by matching the user name in its
database, encrypts the password using a randomly-generated key, and sends
the key to the switch through an RADIUS access-challenge packet. The switch
then sends the key to the 802.1x client.
■ Upon receiving the key(encapsulated in an EAP-request/MD5 challenge packet)
from the switch, the client program encrypts the password of the supplicant
system with the key and sends the encrypted password (contained in an
EAP-response/MD5 challenge packet) to the RADIUS server through the switch.
(The encryption is irreversible.)
■ The RADIUS server compares the received encrypted password (contained in a
RADIUS access-request packet) with the locally-encrypted password. If the two
match, it will then send feedbacks (through a RADIUS access-accept packet
and an EAP-success packet) to the switch to indicate that the supplicant system
is authorized.
■ The switch changes the state of the corresponding port to accepted state to
allow the supplicant system access the network.
■ The supplicant system can also terminate the authenticated state by sending
EAPoL-Logoff packets to the switch. The switch then changes the port state
from accepted to rejected.
n
In EAP relay mode, packets are not modified during transmission. Therefore if one
of the three ways are used (that is, PEAP, EAP-TLS, or EAP-MD5) to authenticate,
ensure that the authenticating ways used on the supplicant system and the
RADIUS server are the same. However for the switch, you can simply enable the
EAP relay mode by using the dot1x authentication-method eap command.
EAP terminating mode
In this mode, packet transmission is terminated at authenticator systems and the
EAP packets are converted to RADIUS packets. Authentication and accounting are
accomplished through RADIUS protocol.
In this mode, PAP or CHAP is employed between the switch and the RADIUS
server. The authentication procedure (assuming that CHAP is employed between
the switch and the RADIUS server) is illustrated in Figure 96.