H3C S7500E Series Ethernet Switches Operation Manual

Operation Manual – 802.1x - MAC Authentication
H3C S7500E Series Ethernet Switches Chapter 1 802.1x Configuration
Unlike in EAP relay mode, in the EAP termination authentication process it is the
authenticator that generates the random challenge used to encrypt the user password
information. The authenticator therefore sends the challenge, together with the
username and the encrypted password information from the supplicant, to the RADIUS
server for authentication.
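The exchange described above, as an added example that is not part of the H3C manual. It assumes the MD5-Challenge method and the standard RADIUS CHAP-Password and CHAP-Challenge attributes (RFC 2865); the function names, user database and password are constructed for illustration.

```python
# Added illustration; function names and the sample user database are hypothetical.
import hashlib
import hmac
import os

def new_challenge(length: int = 16) -> bytes:
    """Authenticator: random challenge, generated locally in termination mode."""
    return os.urandom(length)

def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant: MD5(identifier || password || challenge), as in RFC 1994."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_access_request(username: str, identifier: int,
                         response: bytes, challenge: bytes) -> dict:
    """Authenticator: attributes forwarded to the RADIUS server.
    CHAP-Password is the identifier octet followed by the 16-byte response."""
    return {
        "User-Name": username,
        "CHAP-Password": bytes([identifier]) + response,
        "CHAP-Challenge": challenge,
    }

def server_verify(attrs: dict, user_db: dict) -> bool:
    """RADIUS server: recompute the response from the stored password."""
    password = user_db.get(attrs["User-Name"])
    chap = attrs["CHAP-Password"]
    if password is None or len(chap) != 17:
        return False
    expected = md5_response(chap[0], password, attrs["CHAP-Challenge"])
    # Constant-time comparison of the expected and received responses.
    return hmac.compare_digest(expected, chap[1:])

def run_exchange(username: str, typed_password: bytes,
                 user_db: dict, identifier: int = 1):
    """One full attempt: challenge, supplicant response, server decision."""
    challenge = new_challenge()
    response = md5_response(identifier, typed_password, challenge)
    attrs = build_access_request(username, identifier, response, challenge)
    return attrs, server_verify(attrs, user_db)

if __name__ == "__main__":
    db = {"alice": b"constructed-password"}  # constructed sample data
    attrs, accepted = run_exchange("alice", b"constructed-password", db)
    print(accepted, attrs["CHAP-Password"].hex())
```

The server accepts only when the response matches both the stored password and the challenge the authenticator forwarded, so a response recorded for one challenge does not verify against another.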
1.1.6 802.1x Timers
Several timers are used in the 802.1x authentication process to guarantee that the
supplicants, the authenticators, and the RADIUS server interact with each other in a
reasonable manner. The following are the major 802.1x timers:
• Username request timeout timer (tx-period): This timer is used in two cases: when
an authenticator retransmits an EAP-Request/Identity frame, and when an
authenticator multicasts an EAP-Request/Identity frame. Once an authenticator
sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If the
timer expires before the authenticator receives a response from the supplicant, the
authenticator retransmits the request. To work with a supplicant system that does
not send EAPOL-Start requests on its own initiative, the authenticator multicasts
EAP-Request/Identity frames to the supplicant system at an interval defined by
this timer.
• Supplicant timeout timer (supp-timeout): Once an authenticator sends an
EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer
expires but it receives no response from the supplicant, it retransmits the request.
• Server timeout timer (server-timeout): Once an authenticator sends a RADIUS
Access-Request packet to the authentication server, it starts this timer. If this timer
expires but it receives no response from the server, it retransmits the request.
• Handshake timer (handshake-period): After a supplicant passes authentication,
the authenticator sends handshake requests to the supplicant at this interval to
check whether the supplicant is online. If the authenticator receives no response
after sending the allowed maximum number of handshake requests, it considers
the supplicant offline.
• Quiet timer (quiet-period): When a supplicant fails authentication, the
authenticator refuses further authentication requests from the supplicant for this
period of time.
1.1.7 Implementation of 802.1x in the Devices
The devices extend and optimize the mechanism that the 802.1x protocol specifies by:
• Allowing multiple users to access network services through the same physical
port.
• Supporting two authentication methods: portbased and macbased. With the
portbased method, after the first user of a port passes authentication, all other
users of the port can access the network without authentication, and when the first