A comparison of EAP relay and EAP termination
Packet exchange method
EAP relay
EAP termination
EAP relay
Figure 42
shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5
is used.
Figure 42 802.1X authentication procedure in EAP relay mode
Client
(2) EAP-Request/Identity
(3) EAP-Response/Identity
(6) EAP-Request/MD5 challenge
(7) EAP-Response/MD5 challenge
(11) EAP-Request/Identity
(12) EAP-Response/Identity
Benefits
•
Supports various EAP
authentication methods.
•
The configuration and processing is
simple on the network access
device
Works with any RADIUS server that
supports PAP or CHAP authentication.
Device
EAPOL
(1) EAPOL-Start
(10) EAP-Success
Port authorized
...
(13) EAPOL-Logoff
Port unauthorized
(14) EAP-Failure
EAPOR
(4) RADIUS Access-Request
(EAP-Response/Identity)
(5) RADIUS Access-Challenge
(EAP-Request/MD5 challenge)
(8) RADIUS Access-Request
(EAP-Response/MD5 challenge)
(9) RADIUS Access-Accept
(EAP-Success)
82
Limitations
The RADIUS server must support the
EAP-Message and
Message-Authenticator attributes,
and the EAP authentication method
used by the client.
•
Supports only MD5-Challenge
EAP authentication and the
"username + password" EAP
authentication initiated by an
iNode 802.1X client.
•
The processing is complex on the
network access device.
Authentication server