802.1X Authentication Triggering; Authentication Process Of 802.1X - H3C S9500E Series Security Configuration Manual

Message-Authenticator
Figure 20 shows the encapsulation format of the Message-Authenticator attribute. The Message-Authenticator attribute is used to prevent access requests from being snooped during EAP authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the packet will be considered invalid and get discarded.
Figure 20 Encapsulation format of the Message-Authenticator attribute

802.1X authentication triggering

802.1X authentication can be initiated by either a client or the switch.
Unsolicited triggering by a client
A client can initiate authentication by sending an EAPOL-Start packet to the switch. The destination
address of the packet is 01-80-C2-00-00-03, the multicast address specified by the IEEE 802.1X
protocol.
However, some devices along the path from the client to the authentication switch may not support
multicast packets with this destination address, so the authentication switch cannot receive the
client's authentication request. To solve this problem, the switch also accepts EAPOL-Start packets
that use the broadcast MAC address as the destination address. Currently, the client must run the
iNode 802.1X client to send such EAPOL-Start packets.
Unsolicited triggering by the device
The switch can trigger authentication for clients that cannot send EAPOL-Start packets and
therefore cannot initiate authentication themselves, for example, clients that run the 802.1X client
software provided with Windows XP. The switch supports multicast triggering mode: it multicasts
EAP-Request/Identity packets to clients periodically (every 30 seconds by default).
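The two trigger mechanisms above can be told apart by inspecting the EAPOL frame itself. The following Python script is an added example, not code from the H3C manual or its products: it builds constructed EAPOL-Start and EAP-Request/Identity frames (the MAC addresses, function names and label strings are assumptions made here) and classifies a frame as a client-initiated start sent to the 802.1X PAE group address 01-80-C2-00-00-03, a client-initiated start sent to the broadcast address, or a switch-initiated EAP-Request/Identity. The numeric field values (EtherType 0x888E, EAPOL type 1 for EAPOL-Start, EAP code 1 and EAP type 1 for Request/Identity) come from IEEE 802.1X and RFC 3748.

```python
import struct

# Field values from IEEE 802.1X and RFC 3748 (not from the H3C manual).
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 01-80-C2-00-00-03
BROADCAST_ADDRESS = bytes.fromhex("ffffffffffff")
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1
EAP_CODE_REQUEST = 1
EAP_TYPE_IDENTITY = 1

# Constructed sample addresses (assumptions for this example).
CLIENT_MAC = bytes.fromhex("001122334455")
SWITCH_MAC = bytes.fromhex("00aabbccddee")


def build_eapol_start(dst: bytes, src: bytes) -> bytes:
    """Constructed EAPOL-Start frame: Ethernet header + EAPOL v1, type 1, empty body."""
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, EAPOL_TYPE_START, 0)


def build_eap_request_identity(dst: bytes, src: bytes, identifier: int) -> bytes:
    """Constructed EAPOL frame carrying EAP-Request/Identity (code 1, type 1, length 5)."""
    eap = struct.pack("!BBHB", EAP_CODE_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def classify_eapol_frame(frame: bytes) -> str:
    """Label a raw Ethernet frame by its role in 802.1X authentication triggering.

    Returns one of: 'client-start-multicast', 'client-start-broadcast',
    'switch-request-identity', 'eap-packet', 'other-eapol', 'not-eapol'.
    """
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return "not-eapol"
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return "not-eapol"
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if eapol_type == EAPOL_TYPE_START:
        # Client-initiated trigger; the destination tells multicast from broadcast form.
        if dst == PAE_GROUP_ADDRESS:
            return "client-start-multicast"
        if dst == BROADCAST_ADDRESS:
            return "client-start-broadcast"
        return "other-eapol"
    if eapol_type == EAPOL_TYPE_EAP_PACKET and len(body) >= 5:
        code, _ident, _eap_len, eap_type = struct.unpack("!BBHB", body[:5])
        if code == EAP_CODE_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            return "switch-request-identity"  # periodic switch-initiated trigger
        return "eap-packet"
    return "other-eapol"


if __name__ == "__main__":
    samples = {
        "start to PAE group": build_eapol_start(PAE_GROUP_ADDRESS, CLIENT_MAC),
        "start to broadcast": build_eapol_start(BROADCAST_ADDRESS, CLIENT_MAC),
        "request/identity": build_eap_request_identity(PAE_GROUP_ADDRESS, SWITCH_MAC, 1),
    }
    for name, frame in samples.items():
        print(f"{name}: {classify_eapol_frame(frame)}")
```

Feeding captured frames (for example, the bytes of each packet from a pcap) to classify_eapol_frame shows whether authentication on a port is being started by clients, by the switch's periodic EAP-Request/Identity, or not at all, which is useful when diagnosing a client that never authenticates.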

Authentication process of 802.1X

An 802.1X switch communicates with a remotely located RADIUS server in two modes: EAP relay
and EAP termination. The following description takes the EAP relay as an example to show the
802.1X authentication process.
EAP relay
EAP relay is defined in IEEE 802.1X. In this mode, EAP packets are carried in an upper layer
protocol, such as RADIUS, so that they can go through complex networks and reach the
authentication server. Generally, relaying EAP requires that the RADIUS server support the EAP
attributes of EAP-Message and Message-Authenticator, which are used to encapsulate EAP packets
and protect RADIUS packets carrying the EAP-Message attribute respectively.
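To make the EAP relay and Message-Authenticator rules concrete, here is an added Python example that is not code from the H3C manual: it wraps a constructed EAP-Response/Identity in a RADIUS Access-Request as an EAP-Message attribute, computes the Message-Authenticator as HMAC-MD5 over the packet with that attribute's value zeroed (RFC 3579), and implements the receiving side's check that a packet carrying EAP-Message without a valid Message-Authenticator is rejected. The shared secret, identity, Request Authenticator and all function names are assumptions made for this example; it covers Access-Request only, since Access-Accept/Reject/Challenge are keyed over the Request Authenticator of the matching request.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869 / RFC 3579.
RADIUS_CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_HEADER_LEN = 20

# Constructed sample values (assumptions for this example).
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # a real NAS uses 16 random bytes
# EAP-Response/Identity: code 2, id 1, length 5 + len(identity), type 1 (Identity).
IDENTITY = b"alice"
EAP_RESPONSE_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type(1) length(1, header included) value."""
    if len(value) > 253:  # longer EAP packets are split over several EAP-Message attributes
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes):
    """Return [(type, value, offset)] for the attribute section; raise on malformed TLVs."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length], pos))
        pos += length
    return out


def build_packet(identifier: int, request_authenticator: bytes, attrs: bytes) -> bytes:
    """Assemble an Access-Request from header fields and already-encoded attributes."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    header = struct.pack("!BBH", RADIUS_CODE_ACCESS_REQUEST, identifier, RADIUS_HEADER_LEN + len(attrs))
    return header + request_authenticator + attrs


def build_access_request(secret: bytes, identifier: int, request_authenticator: bytes,
                         user_name: bytes, eap_packet: bytes) -> bytes:
    """EAP relay: carry one EAP packet in EAP-Message and sign the packet with Message-Authenticator."""
    before = radius_attribute(ATTR_USER_NAME, user_name) + radius_attribute(ATTR_EAP_MESSAGE, eap_packet)
    # Message-Authenticator is placed last with a zeroed value, then the HMAC-MD5 is written over it.
    packet = build_packet(identifier, request_authenticator,
                          before + radius_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    value_offset = RADIUS_HEADER_LEN + len(before) + 2  # skip the attribute's type and length bytes
    return packet[:value_offset] + mac + packet[value_offset + 16:]


def verify_access_request(secret: bytes, packet: bytes):
    """Receiver-side check: EAP-Message requires a valid Message-Authenticator, else discard."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False, "too short"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_CODE_ACCESS_REQUEST:
        return False, "not an Access-Request"
    if length != len(packet):
        return False, "length mismatch"
    try:
        attrs = parse_attributes(packet[RADIUS_HEADER_LEN:])
    except ValueError as exc:
        return False, f"malformed attributes: {exc}"
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    mas = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        if has_eap:
            return False, "EAP-Message without Message-Authenticator"
        return True, "no EAP-Message; Message-Authenticator not required"
    value, off = mas[0]
    if len(value) != 16:
        return False, "bad Message-Authenticator length"
    start = RADIUS_HEADER_LEN + off + 2
    zeroed = packet[:start] + bytes(16) + packet[start + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return False, "Message-Authenticator mismatch"
    return True, "ok"


if __name__ == "__main__":
    pkt = build_access_request(SECRET, 7, REQUEST_AUTHENTICATOR, IDENTITY, EAP_RESPONSE_IDENTITY)
    print("valid packet:", verify_access_request(SECRET, pkt))
    print("wrong secret:", verify_access_request(b"wrong", pkt))
```

The verifier uses hmac.compare_digest so that the 16-byte comparison does not leak timing information, and it checks the packet's own Length field before parsing so that a truncated datagram is rejected rather than partially interpreted.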
Figure 21 shows the EAP packet exchange procedure with EAP-MD5.