Figure 1-8 Message exchange in EAP termination mode
[Figure: sequence diagram. Labelled messages include EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 challenge, and EAP-Response/MD5 challenge.]

Unlike in EAP relay mode, in the EAP termination authentication process it is the device that generates the
random challenge used to encrypt the user password information. Consequently, the device sends the
challenge, together with the username and the encrypted password information from the client, to the
RADIUS server for authentication.
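
The following added example (not part of the original guide) sketches the termination-mode hand-off in Python, assuming CHAP is used between the device and the server: the device issues the challenge, the client returns MD5(identifier || password || challenge) as its "encrypted password", and the device forwards both as RADIUS CHAP-Password and CHAP-Challenge attributes. Function names and sample values are constructed for illustration, and User-Name and the rest of the Access-Request packet are omitted.

```python
import hashlib
import hmac
import os
import struct

CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60  # RADIUS attribute types (RFC 2865)

def md5_response(ident, password, challenge):
    """EAP-MD5 / CHAP value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def device_build_chap_attrs(ident, challenge, client_hash):
    """Device: forward its own challenge plus the client's hash."""
    chap_password = bytes([ident]) + client_hash  # CHAP ident + 16-byte hash
    return attr(CHAP_PASSWORD, chap_password) + attr(CHAP_CHALLENGE, challenge)

def parse_attrs(blob):
    """Server: decode attributes, rejecting truncated or malformed lengths."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return out

def server_verify(blob, stored_password):
    """Server: recompute the hash from the device-supplied challenge."""
    attrs = parse_attrs(blob)
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, b"")
    if len(chap) != 17 or not challenge:
        return False
    expected = md5_response(chap[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap[1:])

def demo(client_password, stored_password):
    """Constructed run: device issues challenge, client answers, server checks."""
    ident, challenge = 7, os.urandom(16)  # challenge generated by the device
    client_hash = md5_response(ident, client_password, challenge)
    return server_verify(device_build_chap_attrs(ident, challenge, client_hash), stored_password)

if __name__ == "__main__":
    print(demo(b"constructed-pass", b"constructed-pass"), demo(b"wrong", b"constructed-pass"))
```

Because the server only ever sees the challenge the device supplies, it depends on the device to generate unpredictable, non-repeating challenges.
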

This section describes the timers used on an 802.1X device to guarantee that the client, the device, and
the RADIUS server can interact with each other in a reasonable manner.

Username request timeout timer (tx-period): The device starts this timer when it sends an
EAP-Request/Identity frame to a client. If it receives no response before this timer expires, the
device retransmits the request. When cooperating with a client that sends EAPOL-Start requests
only when requested, the device multicasts EAP-Request/Identity frames to the client at an interval
set by this timer.

Client timeout timer (supp-timeout): Once a device sends an EAP-Request/MD5 Challenge frame
to a client, it starts this timer. If this timer expires but it receives no response from the client, it
retransmits the request.

Server timeout timer (server-timeout): Once a device sends a RADIUS Access-Request packet to
the authentication server, it starts this timer. If this timer expires but it receives no response from
the server, it retransmits the request.