Table of Contents
Advertisement
10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an
EAP-Success packet to the client, and sets the controlled port in the authorized state so the
client can access the network.
11. After the client comes online, the network access device periodically sends handshake
requests to check whether the client is still online. By default, if two consecutive handshake
attempts fail, the device logs off the client.
12. Upon receiving a handshake request, the client returns a response. If the client fails to return a
response after a certain number of consecutive handshake attempts (two by default), the
network access device logs off the client. This handshake mechanism enables timely release of
the network resources used by 802.1X users that have abnormally gone offline.
13. The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff.
14. In response to the EAPOL-Logoff packet, the network access device changes the status of the
controlled port from authorized to unauthorized and sends an EAP-Failure packet to the client.
EAP termination
Figure 272
that CHAP authentication is used.
Figure 272 802.1X authentication procedure in EAP termination mode
In EAP termination mode, the network access device rather than the authentication server generates
an MD5 challenge for password encryption (see Step 4). The network access device then sends the
MD5 challenge together with the username and encrypted password in a standard RADIUS packet
to the RADIUS server.
shows the basic 802.1X authentication procedure in EAP termination mode, assuming
258
Hide quick links:
Advertisement
Table of Contents
