H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – 802.1x - MAC Authentication
H3C S7500E Series Ethernet Switches Chapter 1 802.1x Configuration
1) When a user launches the 802.1x client software and enters the registered
username and password, the 802.1x client software generates an EAPOL-Start
frame and sends it to the authenticator to initiate an authentication process.
2) Upon receiving the EAPOL-Start frame, the authenticator responds with an
EAP-Request/Identity packet to request the username of the supplicant.
3) When the supplicant receives the EAP-Request/Identity packet, it encapsulates
the username in an EAP-Response/Identity packet and sends the packet to the
authenticator.
4) Upon receiving the EAP-Response/Identity packet, the authenticator relays the
packet in a RADIUS Access-Request packet to the authentication server.
5) Upon receiving the RADIUS Access-Request packet, the RADIUS server
compares the identity information against its user information table to obtain the
corresponding password information. Then, it encrypts the password information
using a randomly generated challenge, and sends the challenge information
through a RADIUS Access-Challenge packet to the authenticator.
6) After receiving the RADIUS Access-Challenge packet, the authenticator relays the
contained EAP-Request/MD5 Challenge packet to the supplicant.
7) Upon receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the
offered challenge to encrypt the password part (this process is not reversible),
creates an EAP-Response/MD5 Challenge packet, and then sends the packet to
the authenticator.
8) After receiving the EAP-Response/MD5 Challenge packet, the authenticator
relays the packet in a RADIUS Access-Request packet to the authentication
server.
9) Upon receiving the RADIUS Access-Request packet, the RADIUS server
compares the password information encapsulated in the packet with that
generated by itself. If the two are identical, the authentication server considers the
user valid and sends a RADIUS Access-Accept packet to the authenticator.
10) Upon receiving the RADIUS Access-Accept packet, the authenticator opens the
port to grant the access request of the supplicant. After the supplicant gets online,
the authenticator periodically sends handshake requests to the supplicant to
check whether the supplicant is still online. By default, if two consecutive
handshake attempts fail, the authenticator concludes that the
supplicant has gone offline and performs the necessary operations. This guarantees
that the authenticator always knows when a supplicant goes offline.
11) The supplicant can also send an EAPOL-Logoff frame to the authenticator to go
offline on its own initiative. In this case, the authenticator changes the status of the port
from authorized to unauthorized and sends an EAP-Failure frame to the
supplicant.
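
The challenge/response in steps 5 to 9, as an added example that is not part of the H3C manual: it builds and checks EAP MD5-Challenge packets using the layout and digest defined in RFC 3748 and RFC 1994, MD5(Identifier || password || challenge). The function names, username and password are constructed for illustration, and the RADIUS encapsulation done by the authenticator is left out.

```python
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4  # RFC 3748 code and type values

def build_md5_packet(code, identifier, value, name=b""):
    """Code | Identifier | Length | Type=4 | Value-Size | Value | Name."""
    length = 6 + len(value) + len(name)
    header = struct.pack("!BBHBB", code, identifier, length, EAP_TYPE_MD5, len(value))
    return header + value + name

def parse_md5_packet(pkt):
    """Return (code, identifier, value, name); reject inconsistent lengths."""
    if len(pkt) < 6:
        raise ValueError("truncated EAP packet")
    code, ident, length, eap_type, vsize = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt) or eap_type != EAP_TYPE_MD5 or 6 + vsize > length:
        raise ValueError("malformed EAP-MD5 packet")
    return code, ident, pkt[6:6 + vsize], pkt[6 + vsize:]

def md5_response(identifier, password, challenge):
    # One-way digest (the "not reversible" operation of step 7).
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def server_challenge(identifier):
    # Step 5: the server picks a fresh random challenge for this exchange.
    return build_md5_packet(EAP_REQUEST, identifier, os.urandom(16))

def supplicant_respond(request, password, username):
    # Step 7: hash the password with the offered challenge; never send it in clear.
    code, ident, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    return build_md5_packet(EAP_RESPONSE, ident,
                            md5_response(ident, password, challenge), username)

def server_verify(request, response, stored_password):
    # Step 9: recompute the digest from the stored password and compare.
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, _ = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    expected = md5_response(req_id, stored_password, challenge)
    return hmac.compare_digest(value, expected)  # constant-time comparison

if __name__ == "__main__":
    req = server_challenge(7)                          # constructed sample exchange
    resp = supplicant_respond(req, b"example-password", b"alice")
    print("accept" if server_verify(req, resp, b"example-password") else "reject")
```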