H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – 802.1x - MAC Authentication
H3C S7500E Series Ethernet Switches Chapter 1 802.1x Configuration
bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and
encapsulated into multiple EAP-Message attributes.
Figure 1-6 Encapsulation format of the EAP-Message attribute (fields: Type, Length N, String carrying the EAP packets)
II. Message-Authenticator
Figure 1-7 shows the encapsulation format of the Message-Authenticator attribute. The
Message-Authenticator attribute is used to prevent access requests from being
snooped during EAP or CHAP authentication. It must be included in any packet with the
EAP-Message attribute; otherwise, the packet will be considered invalid and get
discarded.
Figure 1-7 Encapsulation format of the Message-Authenticator attribute
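As an added example (not the manual's own code), the following Python implements the two rules stated above: an EAP packet is fragmented into 253-octet EAP-Message attributes, and an Access-Request that carries EAP-Message without exactly one valid Message-Authenticator is discarded. The attribute type numbers (79 and 80) and the HMAC-MD5 construction are those of RFC 2869; the shared secret, request authenticator and EAP payload used in the check are constructed values.

```python
import hmac

EAP_MESSAGE = 79            # RADIUS attribute type of EAP-Message (RFC 2869)
MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type of Message-Authenticator (RFC 2869)
MAX_CHUNK = 253             # 255-octet attribute limit minus the 2-octet Type/Length header

def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type (1 octet), Length (1 octet), value."""
    return bytes([attr_type, len(value) + 2]) + value

def eap_message_attrs(eap_packet):
    """Fragment an EAP packet into 253-octet chunks, one EAP-Message attribute each."""
    return b"".join(tlv(EAP_MESSAGE, eap_packet[i:i + MAX_CHUNK])
                    for i in range(0, len(eap_packet), MAX_CHUNK))

def parse_attrs(pkt):
    """Return [(type, value_offset, value)] for the attributes after the 20-octet header."""
    attrs, pos = [], 20
    while pos < len(pkt):
        length = pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((pkt[pos], pos + 2, pkt[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(identifier, request_authenticator, eap_packet, secret):
    """Access-Request (code 1) carrying the EAP packet and a signed Message-Authenticator."""
    body = eap_message_attrs(eap_packet) + tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    header = bytes([1, identifier]) + (20 + len(body)).to_bytes(2, "big") + request_authenticator
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed (RFC 2869 5.14)
    mac = hmac.new(secret, header + body, "md5").digest()
    return header + body[:-16] + mac  # the zeroed value is the tail of the packet

def validate_access_request(pkt, secret):
    """Accept only if any EAP-Message is accompanied by exactly one correct Message-Authenticator."""
    if len(pkt) < 20 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        return False
    attrs = parse_attrs(pkt)
    if not any(t == EAP_MESSAGE for t, _, _ in attrs):
        return True  # the EAP-Message rule does not apply to this packet
    macs = [(off, v) for t, off, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False  # missing, duplicated or malformed Message-Authenticator: discard
    off, received = macs[0]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, "md5").digest()
    return hmac.compare_digest(received, expected)

def reassemble_eap(pkt):
    """Concatenate the EAP-Message values in order to recover the original EAP packet."""
    return b"".join(v for t, _, v in parse_attrs(pkt) if t == EAP_MESSAGE)
```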
1.1.5 Authentication Process of 802.1x
802.1x authentication can be initiated by either the supplicant or the authenticator system.
A supplicant initiates authentication by launching the 802.1x client software, which sends
an EAPOL-Start frame to the authenticator system; an authenticator system initiates
authentication by sending an unsolicited EAP-Request/Identity packet to an
unauthenticated supplicant.
An 802.1x authenticator system communicates with a remotely located RADIUS server
in two modes: EAP relay and EAP termination. The following description takes the first
case as an example to show the 802.1x authentication process.
I. EAP relay
EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in
an upper-layer protocol, such as RADIUS, so that they can traverse complex
networks and reach the authentication server. Generally, EAP relay requires that the
RADIUS server support the EAP-Message and Message-Authenticator attributes.
At present, the EAP relay mode supports four authentication methods: EAP-MD5,
EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security),
and PEAP (Protected Extensible Authentication Protocol).