Table of Contents
Advertisement
Figure 271 802.1X authentication procedure in EAP relay mode
When a user launches the 802.1X client software and enters a registered username and
1.
password, the 802.1X client software sends an EAPOL-Start packet to the network access
device.
The network access device responds with an Identity EAP-Request packet to ask for the client
2.
username.
In response to the Identity EAP-Request packet, the client sends the username in an Identity
3.
EAP-Response packet to the network access device.
The network access device relays the Identity EAP-Response packet in a RADIUS
4.
Access-Request packet to the authentication server.
The authentication server uses the identity information in the RADIUS Access-Request to
5.
search its user database. If a matching entry is found, the server uses a randomly generated
challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry, and sends the
challenge in a RADIUS Access-Challenge packet to the network access device.
The network access device relays the EAP-Request/MD5 Challenge packet in a RADIUS
6.
Access-Request packet to the client.
The client uses the received challenge to encrypt the password, and sends the encrypted
7.
password in an EAP-Response/MD5 Challenge packet to the network access device.
The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS
8.
Access-Request packet to the authentication server.
The authentication server compares the received encrypted password with the one it generated
9.
at step 5. If the two are identical, the authentication server considers the client valid and sends
a RADIUS Access-Accept packet to the network access device.
257
Hide quick links:
Advertisement
Table of Contents
