EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 29.

Figure 29 EAP relay

In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses PAP or CHAP to authenticate to the RADIUS server, as shown in Figure 30.

Figure 30 EAP termination

A comparison of EAP relay and EAP termination

| Packet exchange method | Benefits | Limitations |
|---|---|---|
| EAP relay | • Supports various EAP authentication methods. • The configuration and processing are simple on the network access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes and the EAP authentication method used by the client. |
| EAP termination | Works with any RADIUS server that supports PAP or CHAP authentication. | • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client. • The processing is complex on the network access device. |

EAP relay

Figure 31 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.
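
The following added example (not taken from the HP manual) shows what relay mode requires of the RADIUS server: the device wraps the client's EAP packet in EAP-Message attributes (type 79) and protects the Access-Request with a Message-Authenticator (type 80), computed as HMAC-MD5 over the whole packet as specified in RFC 3579. The function names, the shared secret, and the sample EAP packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types
SECRET = b"constructed-shared-secret"  # constructed sample value
# Constructed EAP-Response/Identity: code 2, id 1, length 10, type 1, "alice"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"

def attr(attr_type, value):
    """Encode one RADIUS attribute; the value can hold at most 253 bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_relay_request(ident, user, eap_packet, secret):
    """Wrap the client's EAP packet in an Access-Request (code 1), as in relay mode."""
    attrs = attr(USER_NAME, user)
    for i in range(0, len(eap_packet), 253):  # long EAP packets span several attributes
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled while computing the MAC
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def parse_and_verify(packet, secret):
    """Return the reassembled EAP packet; raise ValueError if the packet fails validation."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    eap, mac_at, pos = b"", None, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_type == EAP_MESSAGE:
            eap += packet[pos + 2:pos + a_len]
        elif a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            mac_at = pos + 2
        pos += a_len
    if mac_at is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_at:mac_at + 16]):
        raise ValueError("Message-Authenticator mismatch")
    return eap

if __name__ == "__main__":
    request = build_relay_request(7, b"alice", SAMPLE_EAP, SECRET)
    print(parse_and_verify(request, SECRET) == SAMPLE_EAP)
```

A server that accepts EAP-Message without checking Message-Authenticator cannot detect modification of the relayed request in transit, which is why the table lists support for both attributes as a requirement of relay mode.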