Raisecom ISCOM2600G-HI (A) Series Configuration Manual page 463

Raisecom
ISCOM2600G-HI (A) Series Configuration Guide
802.1x authentication procedure
The 802.1x system can complete the authentication procedure with the RADIUS server through EAP relay or EAP termination.
EAP relay
The supplicant and the authentication server exchange information through Extensible Authentication Protocol (EAP) packets, while the supplicant and the authenticator exchange information through EAP over LAN (EAPoL) packets. The EAP packet carries the authentication data. This authentication data is encapsulated into a RADIUS protocol packet so that it can be transmitted to the authentication server across a complex network. This procedure is called EAP relay.
Both the authenticator and the supplicant can initiate the 802.1x authentication procedure. This document takes initiation by the supplicant as an example, as shown below:
Step 1 The user enters the user name and password. The supplicant sends an EAPoL-Start packet to the authenticator to start the 802.1x authentication.
Step 2 The authenticator sends an EAP-Request/Identity packet to the supplicant, asking for the user name of the supplicant.
Step 3 The supplicant replies to the authenticator with an EAP-Response/Identity packet, which includes the user name.
Step 4 The authenticator encapsulates the EAP-Response/Identity packet into a RADIUS protocol packet and sends the RADIUS protocol packet to the authentication server.
Step 5 The authentication server compares the received user name with the one in the database, finds the password for the user, and encrypts the password with a randomly generated encryption word. Meanwhile, it sends the encryption word to the authenticator, which then sends the encryption word to the supplicant.
Step 6 The supplicant encrypts the password with the received encryption word, and sends the encrypted password to the authentication server.
Step 7 The authentication server compares the received encrypted password with the one generated by itself. If they are identical, the authenticator changes the interface to the authorized state, allowing users to access the network through the interface, and sends an EAP-Success packet to the supplicant. Otherwise, the interface is in the unauthorized state and the authenticator sends an EAP-Failure packet to the supplicant.
EAP termination
The EAP packet is terminated at the device and mapped to a RADIUS packet. The standard RADIUS protocol is used to finish the authorization, authentication, and accounting procedure. The device and the RADIUS server adopt the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP) to perform authentication.
In the EAP termination mode, the random encryption character used for encrypting the password is generated by the device. The device then sends the user name, random encryption character, and encrypted password to the RADIUS server for authentication.
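The challenge-response check behind Steps 5 to 7 and behind the CHAP variant of EAP termination, as an added example that is not taken from the Raisecom manual. It assumes the RFC 1994 CHAP computation (MD5 over identifier, password and challenge), which the manual does not spell out; the user store and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential store (user name -> password), not from the manual.
USER_DB = {"alice": b"correct horse"}

def new_challenge(length: int = 16) -> bytes:
    """The random 'encryption word': generated by the RADIUS server in EAP
    relay mode, or by the device itself in EAP termination mode."""
    return os.urandom(length)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()

def server_verify(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Authentication-server side: recompute the value from the stored
    password and compare in constant time."""
    password = USER_DB.get(user)
    if password is None:
        return False
    expected = chap_response(ident, password, challenge)
    return hmac.compare_digest(expected, response)

def run_exchange(user: str, typed_password: bytes) -> bool:
    """One full exchange: challenge out, response back, verdict
    (True maps to EAP-Success, False to EAP-Failure)."""
    ident = os.urandom(1)[0]
    challenge = new_challenge()
    response = chap_response(ident, typed_password, challenge)  # supplicant side
    return server_verify(user, ident, challenge, response)

if __name__ == "__main__":
    print("correct password:", run_exchange("alice", b"correct horse"))
    print("wrong password:  ", run_exchange("alice", b"guess"))
    # A response captured earlier does not verify against a fresh challenge.
    ident, old = 7, new_challenge()
    captured = chap_response(ident, USER_DB["alice"], old)
    print("replayed response:", server_verify("alice", ident, new_challenge(), captured))
```

The password is never sent, but the verifier must hold it in recoverable form, and the whole scheme rests on each challenge being fresh and unpredictable.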
802.1x timers
During 802.1x authentication, the following 5 timers are involved:
Raisecom Proprietary and Confidential
Copyright © Raisecom Technology Co., Ltd.
10 Security