Operation Manual – 802.1x-HABP-MAC Authentication
H3C S5500-EI Series Ethernet Switches
Chapter 1 802.1x Configuration
1-6
z
Data: Content of the EAP packet. This field is zero or more bytes and its format is
determined by the Code field.
1.1.4 EAP Encapsulation over RADIUS
Two attributes of RADIUS are intended for supporting EAP authentication:
EAP-Message and Message-Authenticator. For information about RADIUS packet
format, refer to
AAA RADIUS HWTACACS Configuration
.
I. EAP-Message
The EAP-Message attribute is used to encapsulate EAP packets.
Figure 1-6
shows its
encapsulation format. The value of the Type field is 79. The String field can be up to 253
bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and
encapsulated into multiple EAP-Message attributes.
Figure 1-6
Encapsulation format of the EAP-Message attribute
II. Message-Authenticator
Figure 1-7
shows the encapsulation format of the Message-Authenticator attribute. The
Message-Authenticator attribute is used to prevent access requests from being
snooped during EAP or CHAP authentication. It must be included in any packet with the
EAP-Message attribute; otherwise, the packet will be considered invalid and get
discarded.
Figure 1-7
Encapsulation format of the Message-Authenticator attribute
1.1.5 Authentication Process of 802.1x
802.1x authentication can be initiated by either a supplicant or the authenticator system.
A supplicant initiates authentication by launching the 802.1x client software to send an
EAPOL-Start frame to the authenticator system, while the authenticator system sends
an EAP-Request/Identity packet to an unauthenticated supplicant when detecting that
the supplicant is trying to login.