The Authentication Methods Of 802.1X - Planet Networking & Communication WGSW-50040 Configuration Manual

50-port 10/100/1000mbps with 4 shared sfp managed gigabit switch

client and the authentication proxy switch, that is, the EAP message is encapsulated in an Ethernet frame for authentication and communication. EAPOR encapsulation, however, is used between the authentication proxy switch and the authentication server, that is, the EAP message is carried over the RADIUS protocol for authentication and communication. It can also be forwarded by the device, which transmits the PAP or CHAP protocol message over the RADIUS protocol between the device and the RADIUS server.
In an 802.1x authentication system, to implement identity authentication and network permission, the user must install the authentication client software, complete the client login authentication process, and then achieve authenticated communication with the DCBI server. Some customers, however, do not want to install client software and would rather simply authenticate through Internet Explorer. To satisfy this demand and make authentication independent of the client platform, the Web authentication function based on 802.1x was designed.
Web authentication is still based on the IEEE 802.1x authentication system. A Java Applet in Internet Explorer replaces the earlier client software, the device is a layer 3 switch, the authentication server is a standard RADIUS server, and the authentication message is carried in the EAP message. Because the Java Applet used on the client cannot send Ethernet frames, the EAP message cannot be encapsulated in an Ethernet frame. It is instead carried over UDP (EAPOU) for authentication and communication between the web client and the web authentication proxy switch. The standard EAPOR protocol is still used between the authentication proxy switch and the authentication server.

25.1.6 The Authentication Methods of 802.1x

Authentication can be started either by the supplicant system or by the device. When the device detects an unauthenticated user accessing the network, it sends EAP-Request/Identity messages to the supplicant system to start authentication. Alternatively, the supplicant system can send an EAPOL-Start message to the device via the supplicant software.
802.1x systems support the EAP relay method and the EAP termination method for authenticating against a remote RADIUS server. The following describes the process of these two authentication methods, both started by the supplicant system.
25.1.6.1 EAP Relay Mode
EAP relay is specified in the IEEE 802.1x standard to carry EAP in other high-level protocols, such as EAP over RADIUS, so that extended authentication protocol messages can reach the authentication server through complicated networks. In general, EAP relay requires the RADIUS server to support the EAP attributes EAP-Message and Message-Authenticator.
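The two attributes named above can be seen at the byte level in the following added example, which is not code from this manual or from the switch firmware. It follows the RADIUS EAP encoding of RFC 3579: the relayed EAP packet is split across EAP-Message attributes, and Message-Authenticator is an HMAC-MD5 over the whole packet keyed with the shared secret. The function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1  # RADIUS packet code
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # attribute types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (including 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_identity_response(eap_id: int, identity: bytes) -> bytes:
    """EAP header (code, id, length), then type=Identity and the identity string."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity

def build_access_request(radius_id, user_name, eap, secret, authenticator=None):
    """What the relaying device sends: EAP split into EAP-Message attrs, then signed."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, user_name)
    for i in range(0, len(eap), 253):  # an attribute value holds at most 253 bytes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled while computing the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_access_request(packet: bytes, secret: bytes):
    """Server side: return the reassembled EAP packet, or None if any check fails."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    eap, mac, zeroed, pos = b"", None, bytearray(packet), 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return None
        value = packet[pos + 2:pos + a_len]
        if a_type == EAP_MESSAGE:
            eap += value  # fragments are concatenated in order
        elif a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            mac = value
            zeroed[pos + 2:pos + a_len] = bytes(16)
        pos += a_len
    if mac is None or not eap or pos != len(packet):
        return None  # EAP-Message without Message-Authenticator must be discarded
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return eap if hmac.compare_digest(mac, expected) else None
```

A server that accepts EAP-Message without checking Message-Authenticator lets anyone on the path between switch and server alter the relayed EAP payload undetected, which is why the verifier rejects packets where the attribute is missing or wrong.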
EAP is a widely used authentication framework that carries the actual authentication protocol rather than being a specific authentication mechanism. EAP provides some common functions and allows the desired authentication mechanism, called an EAP Method, to be negotiated. The advantage of EAP is that the EAP mechanism, working as a base, needs no adjustment when a new authentication protocol appears. The following figure
25-6
