Figure 1-8 Message exchange in EAP termination mode

[Figure: sequence diagram between Client, Device and Server. Client-Device frames are EAPOL; Device-Server packets are EAPOR (EAP over RADIUS). Sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 challenge; EAP-Response/MD5 challenge; RADIUS Access-Request (CHAP-Response/MD5 challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; port authorized. While the port is authorized, the handshake timer drives periodic handshake requests [EAP-Request/Identity] and handshake responses [EAP-Response/Identity] ... until EAPOL-Logoff; port unauthorized.]
Different from EAP relay mode, in EAP termination mode it is the device, not the RADIUS server, that generates the random challenge used in the MD5 hash of the user password. The device then sends the username, the challenge, and the hashed password received from the client to the RADIUS server in a RADIUS Access-Request (carried as CHAP-Challenge and CHAP-Password attributes) for authentication. Two consequences follow: the RADIUS server must have access to the user's cleartext password to recompute the hash, and because MD5-Challenge provides no mutual authentication and derives no keying material, the client cannot verify the device or the server, and anyone who captures the challenge and response can test password guesses offline.
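The following Python script is an added example, not code from the original page or from any vendor implementation. It models the three parties of Figure 1-8 for the MD5-challenge exchange in termination mode: the client computes the EAP-MD5 response (RFC 3748 section 5.4, the same construction as CHAP in RFC 1994), the device packages the username, the challenge it generated and the response into RADIUS CHAP-Challenge and CHAP-Password attributes, and the server recomputes the hash from a stored cleartext password. The username, password, EAP identifier and attribute-only packet layout are constructed for illustration (RADIUS header, authenticator and shared secret are omitted). The last function shows the offline-guessing caveat.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the original page).
USER = "alice"
PASSWORD = "s3cret-pw"   # cleartext password known to the client and the RADIUS server
EAP_ID = 0x2A            # EAP Identifier the device put in its EAP-Request/MD5-Challenge


def eap_md5_response(eap_id: int, password: str, challenge: bytes) -> bytes:
    """Client side: EAP-MD5 / CHAP response = MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()


def device_build_challenge(nbytes: int = 16) -> bytes:
    """Device side (termination mode): the device, not the server, picks the challenge."""
    return os.urandom(nbytes)


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def device_build_access_request(user: str, eap_id: int, challenge: bytes, response: bytes) -> bytes:
    """Device side: translate the EAP-Response/MD5-Challenge into CHAP attributes.

    The EAP Identifier becomes the CHAP Ident byte, which is why the device can do
    this conversion without knowing the password itself.
    """
    attrs = b""
    attrs += radius_attr(1, user.encode())                 # User-Name
    attrs += radius_attr(3, bytes([eap_id]) + response)   # CHAP-Password: ident + 16-byte hash
    attrs += radius_attr(60, challenge)                    # CHAP-Challenge
    return attrs


def parse_attrs(blob: bytes) -> dict:
    """Walk the attribute TLVs and return {type: value}."""
    out, i = {}, 0
    while i < len(blob):
        t, length = struct.unpack("!BB", blob[i:i + 2])
        out[t] = blob[i + 2:i + length]
        i += length
    return out


def server_verify(attrs_blob: bytes, user_db: dict) -> bool:
    """RADIUS server side: recompute the CHAP hash from the stored cleartext password."""
    attrs = parse_attrs(attrs_blob)
    user = attrs[1].decode()
    ident, received = attrs[3][0], attrs[3][1:]
    challenge = attrs[60]
    password = user_db.get(user)
    if password is None:
        return False
    expected = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return hmac.compare_digest(expected, received)


def run_exchange(user: str, password: str, user_db: dict, eap_id: int = EAP_ID, challenge: bytes = None) -> bool:
    """Full termination-mode round trip; returns the server's accept/reject decision."""
    challenge = challenge or device_build_challenge()
    response = eap_md5_response(eap_id, password, challenge)        # client
    request = device_build_access_request(user, eap_id, challenge, response)  # device
    return server_verify(request, user_db)                          # server


def offline_guess(challenge: bytes, ident: int, received: bytes, wordlist) -> str:
    """Caveat: anyone who captured challenge and response can test guesses offline."""
    for word in wordlist:
        if hashlib.md5(bytes([ident]) + word.encode() + challenge).digest() == received:
            return word
    return None


if __name__ == "__main__":
    db = {USER: PASSWORD}
    print("correct password accepted:", run_exchange(USER, PASSWORD, db))
    print("wrong password accepted:  ", run_exchange(USER, "guess", db))
```

Because the server must hold the password in a form it can feed into MD5, termination mode is incompatible with password stores that keep only one-way hashes; that is the practical reason many deployments prefer relay mode with a stronger EAP method.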
802.1X Timers
This section describes the timers used on an 802.1X device to guarantee that the client, the device, and
the RADIUS server can interact with each other in a reasonable manner.
• Username request timeout timer (tx-period): The device starts this timer when it sends an EAP-Request/Identity frame to a client. If no response arrives before the timer expires, the device retransmits the request. For clients that do not initiate authentication with EAPOL-Start and respond only when asked, the device multicasts EAP-Request/Identity frames at the interval set by this timer.
• Client timeout timer (supp-timeout): Once the device sends an EAP-Request/MD5 Challenge frame to a client, it starts this timer. If the timer expires without a response from the client, the device retransmits the request.
• Server timeout timer (server-timeout): Once the device sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If the timer expires without a response from the server, the device retransmits the request.
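The following Python script is an added illustration of the three timers above, not code from the original page or from any device firmware. It drives a toy authenticator with a simulated clock: each request the device sends arms the timer named on the page, an expired timer retransmits the same request, and a response from the client or server cancels it. The timer values and the retry limit (max_retries, after which the port is treated as failed) are assumptions made for the example; the page gives no such defaults.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Authenticator:
    """Toy model of the device-side 802.1X retransmission timers."""
    tx_period: int = 30          # assumed seconds, EAP-Request/Identity retransmit interval
    supp_timeout: int = 30       # assumed seconds, EAP-Request/MD5-Challenge retransmit interval
    server_timeout: int = 100    # assumed seconds, RADIUS Access-Request retransmit interval
    max_retries: int = 2         # assumption: give up after this many retransmissions
    state: str = "unauthorized"
    timer: Optional[tuple] = None   # (timer_name, expiry_time, message, duration)
    retries: int = 0
    sent: list = field(default_factory=list)   # (time, message) log of what the device sent

    def _send(self, now: int, msg: str, timer_name: str, duration: int) -> None:
        self.sent.append((now, msg))
        self.timer = (timer_name, now + duration, msg, duration)

    # Events from the client or server: each one answers the outstanding request,
    # so the retry counter resets and the next request arms its own timer.
    def on_eapol_start(self, now: int) -> None:
        self.retries = 0
        self._send(now, "EAP-Request/Identity", "tx-period", self.tx_period)

    def on_identity_response(self, now: int) -> None:
        self.retries = 0
        self._send(now, "EAP-Request/MD5-Challenge", "supp-timeout", self.supp_timeout)

    def on_md5_response(self, now: int) -> None:
        self.retries = 0
        self._send(now, "RADIUS Access-Request", "server-timeout", self.server_timeout)

    def on_access_accept(self, now: int) -> None:
        self.timer = None
        self.state = "authorized"
        self.sent.append((now, "EAP-Success"))

    # Clock tick: if the armed timer has expired, retransmit or give up.
    def tick(self, now: int) -> None:
        if self.timer is None or now < self.timer[1]:
            return
        name, _, msg, duration = self.timer
        if self.retries >= self.max_retries:
            self.timer = None
            self.state = "failed"
            return
        self.retries += 1
        self._send(now, msg, name, duration)


def count(auth: Authenticator, msg: str) -> int:
    return sum(1 for _, m in auth.sent if m == msg)


def scenario_slow_client_and_server() -> Authenticator:
    """Client answers late (tx-period fires twice), server answers late (server-timeout fires once)."""
    a = Authenticator()
    a.on_eapol_start(0)
    for t in range(1, 70):
        a.tick(t)                 # Identity retransmitted at t=30 and t=60
    a.on_identity_response(70)
    a.on_md5_response(75)
    for t in range(76, 180):
        a.tick(t)                 # Access-Request retransmitted at t=175
    a.on_access_accept(180)
    return a


def scenario_silent_client() -> Authenticator:
    """Client never answers: after max_retries retransmissions the attempt fails."""
    a = Authenticator()
    a.on_eapol_start(0)
    for t in range(1, 200):
        a.tick(t)
    return a


if __name__ == "__main__":
    for name, a in (("slow", scenario_slow_client_and_server()), ("silent", scenario_silent_client())):
        print(name, a.state, a.sent)
```

The point the simulation makes is that the three timers are one mechanism applied to three different outstanding requests; which timer is running tells you which party the device is currently waiting on, which is what to check first when a port sticks in the unauthorized state.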