3Com WX3000 Series Operation Manual page 227

Unified switches switching engine

EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication
between the client and the authentication server. EAP-TTLS transmits messages through a tunnel
established using TLS.
PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP
negotiations to verify supplicant systems.
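Figure 1-8 describes the basic EAP-MD5 authentication procedure.
Figure 1-8 802.1x authentication procedure (in EAP relay mode)
[Figure: message sequence among the supplicant system PAE, the authenticator system PAE and the
RADIUS server. The supplicant and the authenticator exchange EAPOL packets (EAPOL-Start,
EAP-Request / Identity, EAP-Response / Identity, EAP-Request / MD5 challenge,
EAP-Response / MD5 challenge, EAP-Success, handshake request and response, EAPOL-Logoff); the
authenticator and the RADIUS server exchange EAPOR packets (RADIUS Access-Request,
Access-Challenge, Access-Accept). The port is authorized after EAP-Success and unauthorized
after EAPOL-Logoff.]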
The detailed procedure is as follows:
A supplicant launches an iNode client, and then provides the valid user name and password on the
iNode client to initiate a connection request. In this case, the iNode client program sends the
connection request (the EAPOL-Start packet) to the device to start the authentication process.
Upon receiving the authentication request packet, the device sends an EAP-Request/Identity
packet to ask the iNode client for the user name.
The iNode client responds by sending an EAP-Response/Identity packet to the device with the user
name contained in it. The device then encapsulates the packet in a RADIUS Access-Request
packet and forwards it to the RADIUS server.
Upon receiving the packet from the device, the RADIUS server retrieves the user name from the
packet, finds the corresponding password by matching the user name in its database, encrypts the


This manual is also suitable for: Wx3024, Wx3010, Wx3008
