3. When the client receives the EAP-Request/Identity packet, it encapsulates the username in an EAP-Response/Identity packet and sends the packet to the device.
4. Upon receiving the EAP-Response/Identity packet, the device relays the packet in a RADIUS Access-Request packet to the authentication server.
5. When it receives the RADIUS Access-Request packet, the RADIUS server compares the identity information against its user information database to obtain the corresponding password information. Then, it encrypts the password information by using a randomly generated challenge (EAP-Request/MD5 Challenge) and sends the challenge information through a RADIUS Access-Challenge packet to the device.
6. After receiving the RADIUS Access-Challenge packet, the device relays the contained EAP-Request/MD5 Challenge packet to the client.
7. When it receives the EAP-Request/MD5 Challenge packet, the client uses the offered challenge to encrypt the password part (this process is not reversible), creates an EAP-Response/MD5 Challenge packet, and then sends the packet to the device.
8. After receiving the EAP-Response/MD5 Challenge packet, the device relays the packet in a RADIUS Access-Request packet to the authentication server.
9. When it receives the RADIUS Access-Request packet, the RADIUS server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends a RADIUS Access-Accept packet to the device.
10. Upon receiving the RADIUS Access-Accept packet, the device opens the port to grant the access request of the client.
11. After the client gets online, the device periodically sends handshake requests to the client to check whether the client is still online. By default, if two consecutive handshake attempts fail, the device concludes that the client has logged off, and it performs the necessary operations, guaranteeing that the device always knows when a client logs off.
12. After receiving the handshake requests, the client returns responses to the device to indicate that the user is still online.
13. The client can also send an EAPOL-Logoff packet to the device to log off. Then the device changes the status of the port from authorized to unauthorized and sends an EAP-Failure packet to the client.
NOTE:
In EAP relay mode, a client must use the same authentication method as that of the RADIUS server. On the device, however, you only have to execute dot1x authentication-method eap to enable EAP relay.
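The challenge/response exchange in steps 5, 7 and 9 can be followed in code. The block below is an added example, not from this guide or from any device software: it builds the client's EAP-Response/MD5 Challenge and verifies it the way the RADIUS server does, using the MD5-Challenge digest defined in RFC 3748 (which reuses the CHAP computation of RFC 1994). The user name, password and challenge bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

EAP_RESPONSE = 2            # EAP Code for a Response packet
EAP_TYPE_MD5_CHALLENGE = 4  # EAP Type for MD5-Challenge


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    # CHAP-style digest reused by EAP-MD5: MD5(Identifier || password || challenge).
    # It is one-way, which is why the relaying device never learns the password.
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5_response(identifier: int, password: bytes,
                           challenge: bytes, name: bytes) -> bytes:
    # Step 7: the client answers the offered challenge (EAP-Response/MD5 Challenge).
    value = md5_challenge_value(identifier, password, challenge)
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(type_data)) + type_data


def parse_eap_md5_response(packet: bytes):
    # Returns (identifier, value, name); rejects anything that is not a well-formed
    # EAP-Response/MD5-Challenge so a malformed packet never reaches the comparison.
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Response/MD5-Challenge")
    value_size = packet[5]
    if value_size != 16 or len(packet) < 6 + value_size:
        raise ValueError("bad MD5-Challenge value size")
    return identifier, packet[6:6 + value_size], packet[6 + value_size:]


def server_verify(packet: bytes, challenge: bytes, user_db: dict) -> bool:
    # Step 9: the RADIUS server recomputes the digest from the stored password and
    # the challenge it issued, then compares it with the value the client sent.
    identifier, value, name = parse_eap_md5_response(packet)
    password = user_db.get(name.decode("utf-8", "replace"))
    if password is None:
        return False
    expected = md5_challenge_value(identifier, password, challenge)
    return hmac.compare_digest(expected, value)  # constant-time comparison


# Constructed sample data, not taken from any real deployment.
USER_DB = {"alice": b"s3cret-pw"}
CHALLENGE = bytes(range(16))  # a real server issues a fresh random 16-byte challenge


def demo() -> bool:
    pkt = build_eap_md5_response(0x2A, USER_DB["alice"], CHALLENGE, b"alice")
    return server_verify(pkt, CHALLENGE, USER_DB)
```

Because the digest is bound to the challenge, a captured response cannot be replayed against a later challenge, but an offline guess of the password remains possible for anyone who captures both values, which is why the guide's note about matching the server's authentication method matters when stronger EAP methods are available.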