3Com 4500G Family Configuration Manual page 608

4) Upon receiving the EAP-Response/Identity packet, the device relays the packet in a RADIUS
Access-Request packet to the authentication server.
5) When receiving the RADIUS Access-Request packet, the RADIUS server compares the identify
information against its user information table to obtain the corresponding password information.
Then, it encrypts the password information using a randomly generated challenge, and sends the
challenge information through a RADIUS Access-Challenge packet to the device.
6) After receiving the RADIUS Access-Challenge packet, the device relays the contained
EAP-Request/MD5 Challenge packet to the client.
7) When receiving the EAP-Request/MD5 Challenge packet, the client uses the offered challenge to
encrypt the password part (this process is not reversible), creates an EAP-Response/MD5
Challenge packet, and then sends the packet to the device.
8) After receiving the EAP-Response/MD5 Challenge packet, the device relays the packet in a
RADIUS Access-Request packet to the authentication server.
9) When receiving the RADIUS Access-Request packet, the RADIUS server compares the password
information encapsulated in the packet with that generated by itself. If the two are identical, the
authentication server considers the user valid and sends to the device a RADIUS Access-Accept
packet.
10) Upon receiving the RADIUS Access-Accept packet, the device opens the port to grant the access
request of the client. After the client gets online, the device periodically sends handshake requests
to the client to check whether the client is still online. By default, if two consecutive handshake
attempts end up with failure, the device concludes that the client has gone offline and performs the
necessary operations, guaranteeing that the device always knows when a client goes offline.
11) The client can also send an EAPOL-Logoff frame to the device to go offline unsolicitedly. In this
case, the device changes the status of the port from authorized to unauthorized and sends an
EAP-Failure frame to the client.
In EAP relay mode, a client must use the same authentication method as that of the RADIUS server. On
the device, however, you only need to execute the dot1x authentication-method eap command to
enable EAP relay.
EAP termination
In EAP termination mode, EAP packets are terminated at the device and then repackaged into the PAP
or CHAP attributes of RADIUS and transferred to the RADIUS server for authentication, authorization,
and accounting. Figure 1-8 shows the message exchange procedure with CHAP authentication.
1-7