Operation Manual – 802.1x-HABP-MAC Authentication
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 802.1x Configuration
6) After receiving the RADIUS Access-Challenge packet, the authenticator relays the
contained EAP-Request/MD5 Challenge packet to the supplicant.
7) When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the
offered challenge to encrypt the password part (this process is not reversible),
creates an EAP-Response/MD5 Challenge packet, and then sends the packet to
the authenticator.
8) After receiving the EAP-Response/MD5 Challenge packet, the authenticator
relays the packet in a RADIUS Access-Request packet to the authentication
server.
9) When receiving the RADIUS Access-Request packet, the RADIUS server
compares the password information encapsulated in the packet with that
generated by itself. If the two are identical, the authentication server considers the
user valid and sends to the authenticator a RADIUS Access-Accept packet.
10) Upon receiving the RADIUS Access-Accept packet, the authenticator opens the
port to grant the access request of the supplicant. After the supplicant gets online,
the authenticator periodically sends handshake requests to the supplicant to
check whether the supplicant is still online. By default, if two consecutive
handshake attempts end up with failure, the authenticator concludes that the
supplicant has gone offline and performs the necessary operations, guaranteeing
that the authenticator always knows when a supplicant goes offline.
11) The supplicant can also go offline on its own initiative by sending an
EAPOL-Logoff frame to the authenticator. In this case, the authenticator changes
the status of the port from authorized to unauthorized.
Note:
In EAP relay mode, a supplicant must use the same authentication method as the
RADIUS server, whichever of the above-mentioned authentication methods is used.
On the device, however, you only need to execute the
dot1x authentication-method eap command to enable EAP relay.
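The hash exchange in steps 7 and 9, as an added example that is not part of the H3C manual or of any H3C code. It follows the EAP MD5-Challenge packet layout of RFC 3748 and the CHAP hash of RFC 1994. The user name, the password, the use of the Name field to carry the user name, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4  # RFC 3748; type 4 = MD5-Challenge

def build_eap_md5(code, identifier, value, name=b""):
    """Code | Identifier | Length | Type | Value-Size | Value | Name."""
    header = struct.pack("!BBHBB", code, identifier, 6 + len(value) + len(name),
                         EAP_TYPE_MD5, len(value))
    return header + value + name

def parse_eap_md5(packet):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("packet too short")
    code, identifier, length, eap_type, vsize = struct.unpack("!BBHBB", packet[:6])
    if length != len(packet) or eap_type != EAP_TYPE_MD5 or 6 + vsize > length:
        raise ValueError("malformed EAP-MD5 packet")
    return code, identifier, packet[6:6 + vsize], packet[6 + vsize:]

def md5_response(identifier, password, challenge):
    """One-way MD5 over Identifier || password || challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def supplicant_reply(request, user, password):
    """Step 7: answer the challenge; the password itself is never sent."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    value = md5_response(identifier, password, challenge)
    return build_eap_md5(EAP_RESPONSE, identifier, value, user)

def server_verify(request, response, user_db):
    """Step 9: recompute the hash from the stored password and compare."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    code, resp_id, value, name = parse_eap_md5(response)
    stored = user_db.get(name)
    if code != EAP_RESPONSE or resp_id != req_id or stored is None:
        return False
    return hmac.compare_digest(value, md5_response(req_id, stored, challenge))

# Constructed sample data (hypothetical user and password).
USER_DB = {b"alice": b"correct horse"}
REQUEST = build_eap_md5(EAP_REQUEST, 0x2A, os.urandom(16))
RESPONSE = supplicant_reply(REQUEST, b"alice", b"correct horse")
```

Because the Identifier and the challenge are both hashed into the value, a response computed for one request does not verify against a request with a different Identifier or a fresh challenge.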
II. EAP termination
In EAP termination mode, EAP packets are terminated at the authenticator and then
repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS
server for authentication, authorization, and accounting.
shows the
message exchange procedure with CHAP authentication.