802.1X Timers - 3Com Baseline 2928 PWR Plus User Manual

Figure 1-9 802.1X authentication procedure in EAP termination mode
Client
EAPOL
EAPOL-Start
EAP-Request / Identity
EAP-Response / Identity
EAP-Request / MD5 challenge
EAP-Response / MD5 challenge
EAP-Success
Handshake request
( EAP-Request / Identity )
Handshake response
( EAP-Response / Identity )
EAPOL-Logoff
Different from the authentication process in EAP relay mode, it is the device that generates the random
challenge for encrypting the user password information in EAP termination authentication process.
Consequently, the device sends the challenge together with the username and encrypted password
information from the client to the RADIUS server for authentication.

802.1X Timers

This section describes the timers used on an 802.1X device to guarantee that the client, the device, and
the RADIUS server can interact with each other in a reasonable manner.
Username request timeout timer: This timer is triggered by the device in two cases. The first case is
when the client requests for authentication. The device starts this timer when it sends an
EAP-Request/Identity packet to a client. If it receives no response before this timer expires, the
device retransmits the request. The second case is when the device authenticates the 802.1X
client that cannot request for authentication actively. The device sends multicast
EAP-Request/Identity packets periodically through the port enabled with 802.1X function. In this
case, this timer sets the interval between sending the multicast EAP-Request/Identity packets.
Client timeout timer: Once a device sends an EAP-Request/MD5 Challenge packet to a client, it
starts this timer. If this timer expires but it receives no response from the client, it retransmits the
request.
Device
(CHAP-Response / MD5 challenge)
Port authorized
......
Port unauthorized
EAPOR
RADIUS Access-Request
RADIUS Access-Accept
(CHAP-Success)
Handshake timer
1-8
Server