69
9.
The authentication server compares the received encrypted password with the encrypted
password it generated at step 5. If the two passwords are identical, the server considers the client
valid and sends a RADIUS Access-Accept packet to the access device.
10.
Upon receiving the RADIUS Access-Accept packet, the access device performs the following
operations:
a.
Sends an EAP-Success packet to the client.
b.
Sets the controlled port in authorized state.
The client can access the network.
11.
After the client comes online, the access device periodically sends handshake requests to check
whether the client is still online. By default, if two consecutive handshake attempts fail, the device
logs off the client.
12.
Upon receiving a handshake request, the client returns a response. If the client fails to return a
response after a number of consecutive handshake attempts (two by default), the access device
logs off the client. This handshake mechanism enables timely release of the network resources used
by 802.1X users who have abnormally gone offline.
13.
The client can also send an EAPOL-Logoff packet to ask the access device for a logoff.
14.
In response to the EAPOL-Logoff packet, the access device changes the status of the controlled port
from authorized to unauthorized. Then, the access device sends an EAP-Failure packet to the
client.
EAP termination
shows the basic 802.1X authentication procedure in EAP termination mode, assuming that
CHAP authentication is used.