Operation Manual – 802.1x-HABP-MAC Authentication
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 802.1x Configuration
1-7
An 802.1x authenticator system communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description uses the first mode as an example to show the 802.1x authentication process.
I. EAP relay
EAP relay is an IEEE 802.1x standard mode. In this mode, EAP packets are carried in an upper layer protocol, such as RADIUS, so that they can traverse complex networks and reach the authentication server. EAP relay generally requires that the RADIUS server support the EAP-Message and Message-Authenticator attributes.
At present, the EAP relay mode supports four authentication methods: EAP-MD5, EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol).
• EAP-MD5: EAP-MD5 authenticates the identity of a supplicant. The RADIUS server sends an MD5 challenge (in an EAP-Request/MD5-Challenge packet) to the supplicant, and the supplicant encrypts its password with the offered challenge.
• EAP-TLS: With EAP-TLS, a supplicant and the RADIUS server verify each other's security certificates and identities, guaranteeing that EAP packets are sent to the intended destination and thus preventing network traffic from being snooped.
• EAP-TTLS: EAP-TTLS extends EAP-TLS. Where EAP-TLS provides mutual authentication between a supplicant and the authentication server, EAP-TTLS additionally carries the subsequent packets through the secure tunnel set up by TLS.
• PEAP: With PEAP, the RADIUS server sets up a TLS tunnel with a supplicant system for integrity protection and then performs a new round of EAP negotiation with the supplicant system inside that tunnel for identity authentication.
shows the message exchange procedure with EAP-MD5.
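As an added illustration that is not part of the H3C manual, the following Python models the EAP-MD5 exchange described above and the EAP relay step in which the switch carries the EAP packet inside RADIUS EAP-Message and Message-Authenticator attributes. The identifiers, password, challenge and shared secret used with it are constructed sample values.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4
RADIUS_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80

def eap_md5_packet(code, identifier, value, name=b""):
    # EAP header (Code, Identifier, Length, Type) followed by MD5-Challenge
    # Type-Data: Value-Size, Value (challenge or response), optional Name.
    type_data = bytes([len(value)]) + value + name
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data),
                       EAP_TYPE_MD5_CHALLENGE) + type_data

def md5_challenge_response(identifier, password, challenge):
    # Supplicant side: the CHAP-style hash over Identifier || password || challenge
    # (RFC 3748 s5.4 / RFC 1994); this is the "encrypted password" the manual mentions.
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def parse_eap_md5(packet):
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = packet[5]
    return code, identifier, packet[6:6 + size]

def server_verifies(request, response, stored_password):
    # RADIUS server side: recompute the expected value for the challenge it issued;
    # the response must carry the same Identifier as the request it answers.
    _, req_id, challenge = parse_eap_md5(request)
    code, resp_id, value = parse_eap_md5(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    expected = md5_challenge_response(req_id, stored_password, challenge)
    return hmac.compare_digest(expected, value)

def radius_access_request(radius_id, request_authenticator, shared_secret, eap_packet):
    # EAP relay: the switch carries the EAP packet unchanged in an EAP-Message
    # attribute (79) and adds Message-Authenticator (80): HMAC-MD5 keyed with the
    # switch/server shared secret over the whole packet with this value zeroed (RFC 3579).
    eap_attr = bytes([ATTR_EAP_MESSAGE, 2 + len(eap_packet)]) + eap_packet
    ma_zeroed = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id,
                         20 + len(eap_attr) + len(ma_zeroed)) + request_authenticator
    mac = hmac.new(shared_secret, header + eap_attr + ma_zeroed, hashlib.md5).digest()
    return header + eap_attr + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + mac
```

A server that relays EAP in this way should reject any Access-Request whose Message-Authenticator does not recompute correctly before it looks at the EAP payload, since that attribute is what ties the relayed EAP packet to the switch/server shared secret.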