Authentication Process - 3Com 4500G Family Configuration Manual

Authentication Process of 802.1X
An 802.1X device communicates with a remotely located RADIUS server in two modes: EAP relay and
EAP termination. The following description takes the EAP relay as an example to show the 802.1X

authentication process.

EAP relay
EAP relay is an IEEE 802.1X standard mode. In this mode, EAP packets are carried in an upper layer
protocol, such as RADIUS, so that they can go through complex networks and reach the authentication
server. Generally, EAP relay requires that the RADIUS server support the EAP attributes of
EAP-Message and Message-Authenticator, which are used to encapsulate EAP packets and protect
RADIUS packets carrying the EAP-Message attribute respectively.
Figure 1-7 shows the message exchange procedure with EAP-MD5.
Figure 1-7 Message exchange in EAP relay mode
Client
EAPOL
EAPOL-Start
EAP-Request / Identity
EAP-Response / Identity
EAP-Request / MD5 challenge
EAP-Response / MD5 challenge
EAP-Success
Handshake request
[ EAP-Request / Identity ]
Handshake response
[ EAP-Response / Identity ]
EAPOL-Logoff
1) When a user launches the 802.1X client software and enters the registered username and
password, the 802.1X client software generates an EAPOL-Start frame and sends it to the device
to initiate an authentication process.
2) Upon receiving the EAPOL-Start frame, the device responds with an EAP-Request/Identity packet
for the username of the client.
3) When the client receives the EAP-Request/Identity packet, it encapsulates the username in an
EAP-Response/Identity packet and sends the packet to the device.
Device
Port authorized
......
Port unauthorized
EAPOR
RADIUS Access-Request
(EAP-Response / Identity)
RADIUS Access-Challenge
(EAP-Request / MD5 challenge)
RADIUS Access-Request
(EAP-Response / MD5 challenge)
RADIUS Access-Accept
(EAP-Success)
Handshake timer
1-6
Server