H3C S7500 Series Ethernet Switches Operation Manual

Operation Manual – 802.1x
Chapter 1 802.1x Configuration
[Figure 1-8 is a message sequence diagram with three parties: the supplicant PAE, the authenticator PAE (the switch), and the RADIUS server. EAPoL runs between the supplicant and the switch; EAPoR (EAP over RADIUS) runs between the switch and the RADIUS server. The messages, in order, are:
Supplicant -> Switch: EAPOL-Start
Switch -> Supplicant: EAP-Request/Identity
Supplicant -> Switch: EAP-Response/Identity
Switch -> RADIUS server: RADIUS Access-Request (EAP-Response/Identity)
RADIUS server -> Switch: RADIUS Access-Challenge (EAP-Request/MD5 Challenge)
Switch -> Supplicant: EAP-Request/MD5 Challenge
Supplicant -> Switch: EAP-Response/MD5 Challenge
Switch -> RADIUS server: RADIUS Access-Request (EAP-Response/MD5 Challenge)
RADIUS server -> Switch: RADIUS Access-Accept (EAP-Success)
Switch -> Supplicant: EAP-Success
Port authorized
Handshake timer times out
Switch -> Supplicant: Handshake request [EAP-Request/Identity]
Supplicant -> Switch: Handshake response [EAP-Response/Identity]
...... (handshake repeats)
Supplicant -> Switch: EAPOL-Logoff
Port unauthorized]
Figure 1-8 802.1x authentication procedure (in EAP relay mode)
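The exchange in Figure 1-8, modelled end to end as an added example (this is illustrative Python written for this page, not code from the H3C manual or from the switch). It simulates the three parties, relays EAP inside RADIUS, computes the MD5-Challenge response the way RFC 3748 defines it (MD5 over the EAP identifier, the password and the challenge, which is what the manual calls "encrypting the password with the key"), and tracks the controlled port through authorization, the keep-alive handshake and EAPOL-Logoff. The user database, the one-missed-handshake deauthorization rule and all class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample user database for the simulated RADIUS server (not real credentials).
USER_DB = {"alice": "s3cret-pass"}


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 Challenge response (RFC 3748, CHAP-style): MD5(Identifier || password ||
    challenge). The manual calls this 'encrypting the password with the key'; it is a hash."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode() + challenge).digest()


class RadiusServer:
    """Simulated RADIUS server; EAP packets arrive relayed inside RADIUS (EAPoR)."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.sessions = {}  # username -> (EAP identifier, challenge)

    def access_request_identity(self, username):
        if username not in self.user_db:
            return "Access-Reject", None
        self.sessions[username] = (1, os.urandom(16))  # the 'randomly generated key'
        return "Access-Challenge", self.sessions[username]

    def access_request_md5(self, username, response):
        session = self.sessions.pop(username, None)
        if session is None:
            return "Access-Reject", "EAP-Failure"
        identifier, challenge = session
        expected = eap_md5_response(identifier, self.user_db[username], challenge)
        if hmac.compare_digest(expected, response):
            return "Access-Accept", "EAP-Success"
        return "Access-Reject", "EAP-Failure"


class Supplicant:
    """802.1x client; 'online' models whether it still answers handshake requests."""

    def __init__(self, username, password, online=True):
        self.username, self.password, self.online = username, password, online

    def on_request_identity(self):
        return self.username if self.online else None

    def on_md5_challenge(self, identifier, challenge):
        return eap_md5_response(identifier, self.password, challenge)


class Switch:
    """Authenticator PAE: relays EAP (EAPoL <-> EAPoR) and owns the controlled port."""

    def __init__(self, radius):
        self.radius, self.port_authorized, self.trace = radius, False, []  # port starts unauthorized

    def log(self, sender, receiver, msg):
        self.trace.append(f"{sender} -> {receiver}: {msg}")

    def _set_port(self, authorized):
        self.port_authorized = authorized
        self.log("Switch", "Port", "authorized" if authorized else "unauthorized")
        return authorized

    def on_eapol_start(self, supplicant):
        self.log("Supplicant", "Switch", "EAPOL-Start")
        self.log("Switch", "Supplicant", "EAP-Request/Identity")
        username = supplicant.on_request_identity()
        self.log("Supplicant", "Switch", f"EAP-Response/Identity ({username})")
        self.log("Switch", "RADIUS", "Access-Request (EAP-Response/Identity)")
        code, session = self.radius.access_request_identity(username)
        if code != "Access-Challenge":  # unknown user: no challenge is issued
            self.log("RADIUS", "Switch", code)
            return self._set_port(False)
        identifier, challenge = session
        self.log("RADIUS", "Switch", "Access-Challenge (EAP-Request/MD5 Challenge)")
        self.log("Switch", "Supplicant", "EAP-Request/MD5 Challenge")
        response = supplicant.on_md5_challenge(identifier, challenge)
        self.log("Supplicant", "Switch", "EAP-Response/MD5 Challenge")
        self.log("Switch", "RADIUS", "Access-Request (EAP-Response/MD5 Challenge)")
        code, eap = self.radius.access_request_md5(username, response)
        self.log("RADIUS", "Switch", f"{code} ({eap})")
        self.log("Switch", "Supplicant", eap)
        return self._set_port(code == "Access-Accept")

    def on_handshake_timeout(self, supplicant):
        """Handshake timer expiry. Assumption for this simulation: one missed handshake
        response deauthorizes the port (the switch's retry policy is not on this page)."""
        self.log("Switch", "Supplicant", "Handshake request [EAP-Request/Identity]")
        if supplicant.on_request_identity() is None:
            return self._set_port(False)
        self.log("Supplicant", "Switch", "Handshake response [EAP-Response/Identity]")
        return self.port_authorized

    def on_eapol_logoff(self):
        self.log("Supplicant", "Switch", "EAPOL-Logoff")
        return self._set_port(False)


def run_session(username, password, user_db=USER_DB):
    """Run the Figure 1-8 authentication once; returns (switch, supplicant)."""
    switch, supplicant = Switch(RadiusServer(user_db)), Supplicant(username, password)
    switch.on_eapol_start(supplicant)
    return switch, supplicant
```

Printing `switch.trace` after `run_session("alice", "s3cret-pass")` reproduces the figure's message order up to "Port authorized"; calling `on_handshake_timeout` and `on_eapol_logoff` on the same switch walks through the remainder. The server compares digests in constant time and checks the response against its own stored challenge, so a response captured from one session does not validate a later one; note that EAP-MD5 authenticates only the supplicant to the server and derives no keying material, which is why the port, once authorized, is protected by nothing more than the periodic handshake.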
The detailed procedure is as follows.
• To access the Internet, a supplicant system launches an 802.1x client, enters the username and password that were applied for and registered, and initiates a connection request (an EAPoL-Start packet). The 802.1x client program then forwards the packet to the switch to start an authentication process.
• Upon receiving the authentication request packet, the switch sends a request frame (an EAP-Request/Identity packet) to ask the 802.1x client for the entered user name.
• The 802.1x client responds by sending the user name in a frame (an EAP-Response/Identity packet) to the switch. The switch then encapsulates the frame in a RADIUS Access-Request packet and forwards it to the RADIUS server for processing.
• Upon receiving the user name from the switch, the RADIUS server looks it up in its database to retrieve the corresponding password. Then it uses a randomly generated key to encrypt the password while sending the key to the switch in a RADIUS Access-Challenge packet. The switch then sends the key to the 802.1x client.
• Upon receiving the key (an EAP-Request/MD5 Challenge packet) from the switch, the 802.1x client program encrypts the password of the supplicant system with the