Figure 32 EAP-Message attribute format
Message-Authenticator
As shown in Figure 33, RADIUS includes the Message-Authenticator attribute in all packets that
have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the
calculated packet integrity checksum is different from the Message-Authenticator attribute value.
The Message-Authenticator prevents EAP authentication packets from being tampered with during
EAP authentication.
Figure 33 Message-Authenticator attribute format
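The receiver-side check described above, as an added example (not code from this guide or from the device). It assumes the RFC 3579 definition: Message-Authenticator is HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret, with the attribute's 16-byte value set to zero during calculation. The function names and the packet builder are hypothetical and exist only to produce a constructed test packet.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE = 79            # RADIUS attribute types defined in RFC 3579
MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, eap_payload):
    """Build a constructed Access-Request with EAP-Message and Message-Authenticator."""
    attrs = attr(EAP_MESSAGE, eap_payload) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(struct.pack("!BBH", 1, identifier, 20 + len(attrs)))
    packet += os.urandom(16) + attrs          # Request Authenticator, then attributes
    # The attribute is last, so its zeroed 16-byte value is the packet tail.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(secret, packet, request_authenticator=None):
    """Return True to keep the packet, False to drop it (RFC 3579 check)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    work = bytearray(packet[:length])
    if request_authenticator is not None:     # replies use the request's authenticator
        work[4:20] = request_authenticator
    pos, received = 20, None
    while pos < length:
        if pos + 2 > length or work[pos + 1] < 2 or pos + work[pos + 1] > length:
            return False                      # malformed attribute
        a_type, a_len = work[pos], work[pos + 1]
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18 or received is not None:
                return False
            received = bytes(work[pos + 2:pos + 18])
            work[pos + 2:pos + 18] = bytes(16)  # zero the value before hashing
        pos += a_len
    if received is None:
        return False                          # attribute missing: nothing to trust
    expected = hmac.new(secret, bytes(work), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```

A packet whose EAP-Message bytes were altered in transit, or whose Message-Authenticator was stripped, fails this check and is dropped.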
802.1X authentication initiation
Both the 802.1X client and the access device can initiate 802.1X authentication.
802.1X client as the initiator
The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The
destination MAC address of the packet is the IEEE 802.1X specified multicast address
01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client
and the authentication server does not support the multicast address, you must use an 802.1X client
that can send broadcast EAPOL-Start packets.
The broadcast trigger mode is supported only on the following ports:
• Layer 2 Ethernet ports on the following modules:
  ○ HMIM-8GSW.
  ○ HMIM-24GSW.
  ○ HMIM-24GSWP.
  ○ SIC-4GSW.
  ○ SIC-4GSWP.
• Fixed Layer 2 Ethernet ports on the following routers:
  ○ MSR954(JH296A/JH297A/JH299A).
  ○ MSR1002-4/1003-8S.
  ○ MSR2004-24/2004-48.
Access device as the initiator
The access device initiates authentication if a client cannot send EAPOL-Start packets. One
example is the 802.1X client available with Windows XP.
The access device supports the following modes: