Table of Contents
Advertisement
Figure 2-9 Message exchange in EAP termination mode
Client
EAPOL
EAPOL-Start
EAP-Request / Identity
EAP-Response / Identity
EAP-Request / MD5 challenge
EAP-Response / MD5 challenge
EAP-Success
Handshake request
[ EAP-Request / Identity ]
Handshake response
[ EAP-Response / Identity ]
EAPOL-Logoff
Different from the authentication process in EAP relay mode, it is the device that generates the random
challenge for encrypting the user password information in EAP termination authentication process.
Consequently, the device sends the challenge together with the username and encrypted password
information from the client to the RADIUS server for authentication.
802.1X Timers
This section describes the timers used on an 802.1X device to guarantee that the client, the device,
and the RADIUS server can interact with each other in a reasonable manner.
Username request timeout timer (tx-period): The device starts this timer when it sends an
EAP-Request/Identity frame to a client. If it receives no response before this timer expires, the
device retransmits the request. When cooperating with a client that sends EAPOL-Start requests
only when requested, the device multicasts EAP-Request/Identity frames to the client at an
interval set by this timer.
Client timeout timer (supp-timeout): Once a device sends an EAP-Request/MD5 Challenge frame
to a client, it starts this timer. If this timer expires but it receives no response from the client, it
retransmits the request.
Server timeout timer (server-timeout): Once a device sends a RADIUS Access-Request packet to
the authentication server, it starts this timer. If this timer expires but it receives no response from
the server, it retransmits the request.
Device
(CHAP-Response / MD5 challenge)
Port authorized
Handshake timer
......
Port unauthorized
EAPOR
RADIUS Access-Request
RADIUS Access-Accept
(CHAP-Success)
2-9
Server
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
