3Com 4210 PWR Configuration Manual page 219

Figure 72 802.1x authentication procedure (in EAP relay mode)
EAPOL
Supplicant System
PAE
EAPOL-Start
EAP-Request / Identity
EAP-Response / Identity
EAP-Request / MD5 challenge
EAP-Response / MD5 challenge
EAP-Success
Handshake request
[ EAP-Request / Identity ]
Handshake response
[ EAP-Response / Identity ]
EAPOL-Logoff
The detailed procedure is as follows.
A supplicant system launches an 802.1x client to initiate an access request by
■
sending an EAPoL-start packet to the switch, with its user name and password
provided. The 802.1x client program then forwards the packet to the switch to
start the authentication process.
Upon receiving the authentication request packet, the switch sends an
■
EAP-request/identity packet to ask the 802.1x client for the user name.
The 802.1x client responds by sending an EAP-response/identity packet to the
■
switch with the user name contained in it. The switch then encapsulates the
packet in a RADIUS Access-Request packet and forwards it to the RADIUS
server.
Upon receiving the packet from the switch, the RADIUS server retrieves the
■
user name from the packet, finds the corresponding password by matching the
user name in its database, encrypts the password using a randomly-generated
key, and sends the key to the switch through an RADIUS access-challenge
packet. The switch then sends the key to the 802.1x client.
Authenticator System
PAE
(EAP-Response / MD5 challenge)
Port authorized
......
Port unauthorized
Introduction to 802.1x
EAPOR
RADIUS Access-Request
(EAP-Response / Identity)
RADIUS Access-Challenge
(EAP-Request / MD5 challenge)
RADIUS Access-Request
RADIUS Access-Accept
(EAP-Success )
Handshake timer
217
RADUIS
server