H3C S7500 Series Ethernet Switches Operation Manual
Operation Manual – 802.1x
Chapter 1 802.1x Configuration
[Figure: message sequence diagram. Columns: Supplicant PAE, Switch, RADIUS server. Links: EAPOL (supplicant to switch), RADIUS (switch to server). Message labels: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; Port authorized; Handshake timer times out; Handshake request [EAP-Request/Identity]; Handshake response [EAP-Response/Identity]; ......; EAPOL-Logoff; Port unauthorized.]
Figure 1-9 802.1x authentication procedure (in EAP termination mode)
The authentication procedure in EAP termination mode is the same as that in EAP
relay mode, with two differences: the randomly generated key is generated by the
switch, and it is the switch that sends the user name, the randomly generated key,
and the password encrypted by the supplicant system to the RADIUS server for
further authentication.
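The translation described above, as an added example (not code from the H3C manual or the switch software): the supplicant hashes its password with the switch-generated challenge, the switch repackages the result as RADIUS CHAP attributes, and the server recomputes the hash. It assumes standard CHAP hashing (RFC 1994) and RADIUS attribute types (RFC 2865); the account, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute types from RFC 2865
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60

def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def switch_build_attrs(user: bytes, ident: int, challenge: bytes, eap_value: bytes) -> bytes:
    """Switch side: terminate EAP and re-express the exchange as CHAP attributes."""
    return (radius_attr(USER_NAME, user)
            + radius_attr(CHAP_PASSWORD, bytes([ident]) + eap_value)
            + radius_attr(CHAP_CHALLENGE, challenge))

def parse_attrs(blob: bytes) -> dict:
    """Decode a run of RADIUS attributes into {type: value}, rejecting bad lengths."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return out

def server_verify(attrs: bytes, user_db: dict) -> bool:
    """RADIUS server side: recompute the hash from the stored password and compare."""
    a = parse_attrs(attrs)
    chap = a.get(CHAP_PASSWORD, b"")
    password = user_db.get(a.get(USER_NAME))
    if password is None or len(chap) != 17 or CHAP_CHALLENGE not in a:
        return False
    expected = md5_challenge_response(chap[0], password, a[CHAP_CHALLENGE])
    return hmac.compare_digest(expected, chap[1:])

def demo(password_typed: bytes) -> bool:
    """Run one exchange with constructed values; returns the server's decision."""
    user_db = {b"alice": b"correct horse"}   # constructed sample account
    ident, challenge = 7, os.urandom(16)     # challenge comes from the switch in this mode
    eap_value = md5_challenge_response(ident, password_typed, challenge)  # supplicant
    return server_verify(switch_build_attrs(b"alice", ident, challenge, eap_value), user_db)
```

Because the server recomputes the MD5 hash itself, it must hold each user's password in a form it can recover, which is worth accounting for when choosing between this mode and EAP relay with a stronger EAP method.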
1.1.5 802.1x Timer
In 802.1x authentication, the following timers are used to ensure that the supplicant
system, the switch, and the RADIUS server interact in an orderly way:
• Transmission timer (tx-period): This timer sets the transmission period and is
triggered by the switch in one of the following two cases. The first case is when a
supplicant system requests authentication. The switch sends a unicast
request/identity packet to the supplicant system and then enables the
transmission timer. The switch sends another request/identity packet to the
supplicant system if it has not received any response from the supplicant system
when this timer times out. The second case is when the switch authenticates an
802.1x client that does not actively request authentication. The switch sends