H3C S3100 8C SI Operation Manual page 354

Operation Manual – 802.1x-System Guard
H3C S3100 Series Ethernet Switches
PEAP creates and uses TLS security channels to ensure data integrity and then
performs new EAP negotiations to verify supplicant systems.
Figure 1-8
Supplicant System
PAE
Figure 1-8 802.1x authentication procedure (in EAP relay mode)
The detailed procedure is as follows:
A supplicant system launches an 802.1x client to initiate an access request by
sending an EAPoL-start packet to the switch, with its user name and password
provided. The 802.1x client program then forwards the packet to the switch to start
the authentication process.
Upon receiving the authentication request packet, the switch sends an
EAP-request/identity packet to ask the 802.1x client for the user name.
The 802.1x client responds by sending an EAP-response/identity packet to the
switch with the user name contained in it. The switch then encapsulates the packet
in a RADIUS Access-Request packet and forwards it to the RADIUS server.
describes the basic EAP-MD5 authentication procedure.
EAPOL
EAPOL-Start
EAP-Request / Identity
EAP-Response / Identity
EAP-Request / MD5 challenge
EAP-Response / MD5 challenge
EAP-Success
Handshake request
[ EAP-Request / Identity ]
Handshake response
[ EAP-Response / Identity ]
......
EAPOL-Logoff
Authenticator System
PAE
RADIUS Access-Request
(EAP-Response / Identity)
RADIUS Access-Challenge
(EAP-Request / MD5 challenge)
RADIUS Access-Request
(EAP-Response / MD5 challenge)
RADIUS Access-Accept
Port authorized
Handshake timer
Port unauthorized
1-7
Chapter 1 802.1x Configuration
EAPOR
RADUIS
server
(EAP-Success)