H3C S5100-SI Operation Manual page 251

The RADIUS server compares the received encrypted password (contained in a
RADIUS access-request packet) with the locally-encrypted password. If the two match,
it will then send feedbacks (through a RADIUS access-accept packet and an
EAP-success packet) to the switch to indicate that the supplicant system is
authenticated.
The switch changes the state of the corresponding port to accepted state to allow the
supplicant system to access the network.
The supplicant system can also terminate the authenticated state by sending
EAPoL-Logoff packets to the switch. The switch then changes the port state from
accepted to rejected.
In EAP relay mode, packets are not modified during transmission. Therefore if one of the
four ways are used (that is, PEAP, EAP-TLS, EAP-TTLS or EAP-MD5) to authenticate,
ensure that the authenticating ways used on the supplicant system and the RADIUS server
are the same. However for the switch, you can simply enable the EAP relay mode by using
the dot1x authentication-method eap command.
EAP terminating mode
In this mode, EAP packet transmission is terminated at authenticator systems and the EAP
packets are converted to RADIUS packets. Authentication and accounting are carried out
through RADIUS protocol.
In this mode, PAP or CHAP is employed between the switch and the RADIUS server.
Figure 1-9 illustrates the authentication procedure (assuming that CHAP is employed
between the switch and the RADIUS server).
1-8