3Com Switch 8800 Advanced Software V5 Configuration Guide
802.1x Overview 921
Figure 269 Format of the Data field in an EAP request/response packet
Type: EAP authentication type. A value of 1 represents Identity, indicating that the
packet is for querying the identity of the supplicant. A value of 4 represents MD5
Challenge, which corresponds closely to the PPP CHAP protocol.
EAP Encapsulation over RADIUS
Two attributes of RADIUS are intended for supporting EAP authentication:
EAP-Message and Message-Authenticator. For information about RADIUS packet
format, refer to “Configuring RADIUS” on page 897.
EAP-Message
The EAP-Message attribute is used to encapsulate EAP packets. Figure 270 shows
its encapsulation format. The value of the Type field is 79. The String field can be
up to 253 bytes. If the EAP packet is longer than 253 bytes, it can be fragmented
and encapsulated into multiple EAP-Message attributes.
Figure 270 Encapsulation format of the EAP-Message attribute
Message-Authenticator
The Message-Authenticator attribute is used to prevent access requests from
being snooped during EAP authentication. It must be included in any packet that
carries the EAP-Message attribute; otherwise, the packet is considered invalid
and discarded.
Figure 271 shows the encapsulation format of the Message-Authenticator
attribute. The Type field is 80 and the total length is 18 bytes.
Figure 271 Encapsulation format of the Message-Authenticator attribute
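The following Python sketch is an added example, not code from the 3Com guide. It fragments an EAP packet into EAP-Message attributes (Type 79, String up to 253 bytes), appends an 18-byte Message-Authenticator (Type 80), and applies the discard rule described above on receipt. The HMAC-MD5 calculation over the whole packet with a zeroed placeholder follows RFC 3579 and is not stated on this page; the function names, the shared secret and the sample packet are assumptions, and only Access-Request packets are handled.

```python
import hashlib
import hmac
import os

EAP_MESSAGE = 79             # Type value from this page
MESSAGE_AUTHENTICATOR = 80   # Type value from this page (18 bytes in total)
MAX_STRING = 253             # largest String field of one EAP-Message attribute

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(eap_packet, secret, identifier=1):
    """Fragment eap_packet into EAP-Message attributes and sign the packet."""
    attrs = b"".join(attr(EAP_MESSAGE, eap_packet[i:i + MAX_STRING])
                     for i in range(0, len(eap_packet), MAX_STRING))
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while hashing
    header = bytes([1, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    packet = bytearray(header + os.urandom(16) + attrs)
    packet[-16:] = hmac.new(secret, packet, hashlib.md5).digest()
    return bytes(packet)

def parse_attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the header."""
    end = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= end <= len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos + 2 <= end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length

def verify_and_reassemble(packet, secret):
    """Return the reassembled EAP packet, or None if it must be discarded."""
    packet = packet[:int.from_bytes(packet[2:4], "big")]  # drop trailing bytes
    eap, mac_off = b"", None
    for attr_type, off, value in parse_attrs(packet):
        if attr_type == EAP_MESSAGE:
            eap += value                   # fragments are joined in order
        elif attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac_off = off
    if eap and mac_off is None:
        return None                        # EAP-Message without authenticator
    if mac_off is not None:
        zeroed = packet[:mac_off] + bytes(16) + packet[mac_off + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, packet[mac_off:mac_off + 16]):
            return None                    # modified packet or wrong secret
    return eap
```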
Authentication Process of 802.1x
802.1x authentication can be initiated by either a user or the authenticator
system. A user initiates authentication by launching the 802.1x client software,
which sends an EAPOL-Start frame to the authenticator system. The authenticator
system initiates authentication by sending an EAP-Request/Identity packet to an
unauthenticated user when it detects that the user is trying to log in. An
802.1x authenticator system communicates with a remotely located RADIUS server
in one of two modes: EAP relay and EAP termination. The following description
uses the first mode, EAP relay, as an example to show the 802.1x authentication
process.
[Figure 269 fields: Type, Type data]
[Figure 270 fields: Type, Length, String (EAP packets)]
[Figure 271 fields: Type, Length, String; 18 bytes]