3Com 4500 PWR 26-Port Configuration Manual page 351

The detailed procedure is as follows:
A supplicant system launches an 802.1x client to initiate an access requ
EAPoL-start packet to the switch, with its user name and password provided. The 802.1x client
program then forwards the packet to the switch to start the authentication process.
Upon receiving the authentication request packet, the switch sends an EAP-request/identity packet
to ask the 802.1x client for the user name.
The 802.1x client responds by sending an EAP-response/identity packet to the switch with the user
name contained in it. The switch then encapsulates the packet in a RADIUS Access-Request
packet and forwards it to the RADIUS server.
Upon receiving the packet from the switch, the RAD
packet, finds the corresponding password by matching the user name in its database, encrypts the
password using a randomly-gen
access-challenge packet. The switch then sends the key to the 802.1x client.
Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the
the client program encrypts the password of the supplicant system with the key and sends the
encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server
through the switch. (Normally, the encryption is irreversible.)
The RADIUS server compares the received encrypted password (contained in a RADIUS
access-request packet) with the locally-encrypted password. If the two match, it will then send
feedbacks (through a RADIUS access-accept packet and an EAP-success packet) to the switch to
indicate that the supplicant system is authenticated.
The switch changes the state of the corresponding port to accepted state to allow the supplica
system to access the network.
The supplicant system can also terminate the authenticated state by sending EAPoL-Logoff
packets to the switch
In EAP relay mode, packets are not modified during transmission. Therefore if one of the four ways are
used (that is, PEAP, EAP-TLS, EAP-TTLS or EAP-MD5) to authenticate, ensure that the authenticating
ways used on the supplicant system and the RADIUS server are the same. However for the switch, you
can simply enable the EAP relay mode by using the dot1x authentication-method eap command.
EAP terminating mode
In this mode, EAP packet transmission is terminated at authenticator systems and the EAP packets are
converted to RADIUS packets. Authentication and accounting are carried out through RADIUS
protocol.
In this mode, PAP or CHAP is employed between the switch and the RADIUS server.
illustrates the authentication procedure (assuming that CHAP is employed between the switch and the
RADIUS server).
erated key, and sends the key to the switch through an RADIUS
. The switch then changes the port state from accepted to rejected.
28-7
IUS server retrieves the user name from the
est by sending an
switch,
nt
Figure 28-9