Table of Contents
Advertisement
Unsolicited triggering of a client
A client initiates authentication by sending an EAPOL-Start frame to the device. The destination
address of the frame is 01-80-C2-00-00-03, the multicast address specified by the IEEE 802.1X
protocol.
Some devices in the network may not support multicast packets with the above destination address,
causing the authentication device unable to receive the authentication request of the client. To solve the
problem, the device also supports EAPOL-Start frames whose destination address is a broadcast MAC
address. In this case, the H3C iNode 802.1X client is required.
Unsolicited triggering of the device
The device can trigger authentication by sending EAP-Request/Identity packets to unauthenticated
clients periodically (every 30 seconds by default). This method can be used to authenticate clients
which cannot send EAPOL-Start frames and therefore cannot trigger authentication, for example, the
802.1X client provided by Windows XP.
Authentication Process of 802.1X
An 802.1X device communicates with a remotely located RADIUS server in two modes: EAP relay and
EAP termination. The following description takes the EAP relay as an example to show the 802.1X
authentication process.
EAP relay
EAP relay is an IEEE 802.1X standard mode. In this mode, EAP packets are carried in an upper layer
protocol, such as RADIUS, so that they can go through complex networks and reach the authentication
server. Generally, EAP relay requires that the RADIUS server support the EAP attributes of
EAP-Message and Message-Authenticator, which are used to encapsulate EAP packets and protect
RADIUS packets carrying the EAP-Message attribute respectively.
Figure 1-8
shows the message exchange procedure with EAP-MD5.
1-6
Advertisement
Chapters
Table of Contents
Troubleshooting
