3Com Switch 8800 Advanced Software V5 Configuration Guide
CHAPTER 71: 802.1X CONFIGURATION
Figure 273 Message exchange in EAP termination mode
Unlike the authentication process in EAP relay mode, in EAP termination mode it is
the authenticator that generates the random challenge used to encrypt the user
password information. Consequently, the authenticator sends the challenge,
together with the username and the encrypted password information from the
supplicant, to the authentication server for authentication.
802.1x Timers
Several timers are used in the 802.1x authentication process to guarantee that the
supplicants, the authenticators, and the RADIUS server interact with each other in
a reasonable manner. The following are the major 802.1x timers:
■ Username request timeout timer (tx-period): Once an authenticator sends an
EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer
expires and the authenticator has received no response from the supplicant, it
retransmits the request. In addition, to be compatible with clients that do not
send EAPOL-Start requests on their own initiative, the Switch 8800 periodically
multicasts EAP-Request/Identity frames to detect the clients, with the multicast
interval defined by tx-period.
[Figure 273 diagram: message sequence between the supplicant system PAE, the authenticator system PAE and the RADIUS server, with EAPOL on the supplicant side and RADIUS on the server side. Labels in the figure: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; port authorized; handshake timer; handshake request [EAP-Request/Identity]; handshake response [EAP-Response/Identity]; EAPOL-Logoff; port unauthorized.]