Timers Used In 802.1X - H3C S5100-SI Series Operation Manual

Operation Manual – 802.1x and System Guard
H3C S5100-SI/EI Series Ethernet Switches
Figure 1-9 802.1x authentication procedure (in EAP terminating mode)
The authentication procedure in EAP terminating mode is the same as that in the EAP
relay mode except that the randomly-generated key in the EAP terminating mode is
generated by the switch, and that it is the switch that sends the user name, the
randomly-generated key, and the supplicant system-encrypted password to the
RADIUS server for further authentication.

1.1.5 Timers Used in 802.1x

In 802.1x authentication, the following timers are used to ensure that the supplicant
system, the switch, and the RADIUS server interact in an orderly way.
Handshake timer (handshake-period). This timer sets the handshake period and
is triggered after a supplicant system passes authentication. It sets the interval
at which the switch sends handshake request packets to online users. You can set the
maximum number of transmission attempts by using the dot1x retry command.
An online user will be considered offline when the switch has not received any
response packets after the maximum number of handshake request transmission

[Figure 1-9 labels. Supplicant system PAE and authenticator system PAE (EAPOL): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, EAP-Success, Handshake request [EAP-Request/Identity], Handshake response [EAP-Response/Identity], ......, EAPOL-Logoff. Authenticator system PAE and RADIUS server (RADIUS): RADIUS Access-Request (CHAP-Response/MD5 Challenge), RADIUS Access-Accept (CHAP-Success). Port authorized, handshake timer, port unauthorized.]
Chapter 1 802.1x Configuration
