H3C S7500E Series Operation Manual page 807

Operation Manual – 802.1x - MAC Authentication
H3C S7500E Series Ethernet Switches
Note:
In EAP relay mode, a supplicant must use the same authentication method as that of
the RADIUS server, no matter whichever of the above mentioned authentication
methods is used. On the device, however, you only need to execute the dot1x
authentication-method eap command to enable EAP relay.
II. EAP termination
In EAP termination mode, EAP packets are terminated at the authenticator and then
repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS
server for authentication, authorization, and accounting.
message exchange procedure with CHAP authentication.
Supplicant system
PAE
Figure 1-9 Message exchange in EAP termination mode
EAPOL
Authenticator system
EAPOL - Start
EAP- Resquest / Identity
EAP- Response / Identity
EAP - Request / MD 5 challenge
EAP- Response / MD5 challenge
EAP- Success
Handshake request
[ EAP- Request / Identity ]
Handshake response
[ EAP- Response / Identity ]
......
EAPOL - Logoff
PAE
RADIUS Access - Request
(CHAP- Response / MD 5 challenge)
RADIUS Access- Accept
(CHAP- Success)
Port authorized
Handshake timer
Port unauthorized
1-9
Chapter 1 802.1x Configuration
Figure 1-9 shows the
RADIUS
RADUIS
server