3Com 4210 PWR Configuration Manual page 220

218 C 17: 802.1
HAPTER X
n
C
ONFIGURATION
Upon receiving the key (encapsulated in an EAP-request/MD5 challenge
■
packet) from the switch, the client program encrypts the password of the
supplicant system with the key and sends the encrypted password (contained
in an EAP-response/MD5 challenge packet) to the RADIUS server through the
switch. (Normally, the encryption is irreversible.)
The RADIUS server compares the received encrypted password (contained in a
■
RADIUS access-request packet) with the locally-encrypted password. If the two
match, it will then send feedbacks (through a RADIUS access-accept packet
and an EAP-success packet) to the switch to indicate that the supplicant system
is authenticated.
The switch changes the state of the corresponding port to accepted state to
■
allow the supplicant system to access the network.
The supplicant system can also terminate the authenticated state by sending
■
EAPoL-Logoff packets to the switch. The switch then changes the port state
from accepted to rejected.
In EAP relay mode, packets are not modified during transmission. Therefore if one
of the four ways are used (that is, PEAP, EAP-TLS, EAP-TTLS or EAP-MD5) to
authenticate, ensure that the authenticating ways used on the supplicant system
and the RADIUS server are the same. However for the switch, you can simply
enable the EAP relay mode by using the dot1x authentication-method eap
command.
EAP terminating mode
In this mode, EAP packet transmission is terminated at authenticator systems and
the EAP packets are converted to RADIUS packets. Authentication and accounting
are carried out through RADIUS protocol.
In this mode, PAP or CHAP is employed between the switch and the RADIUS
server. Figure 73 illustrates the authentication procedure (assuming that CHAP is
employed between the switch and the RADIUS server).