Timers Used In 802.1X - H3C S5600 Series Operation Manual

Figure 1-9 802.1x authentication procedure (in EAP terminating mode)
Supplicant
system
PAE
EAP- Request /Identity
EAP- Response/Identity
EAP- Request/ MD5 Challenge
EAP- Response/MD5 Challenge
[EAP- Request/Identity]
Handshake response
[EAP- Response/Identity]
The authentication procedure in EAP terminating mode is the same as that in the EAP relay
mode except that the randomly-generated key in the EAP terminating mode is generated by
the switch, and that it is the switch that sends the user name, the randomly-generated key,
and the supplicant system-encrypted password to the RADIUS server for further
authentication.

Timers Used in 802.1x

In 802.1 x authentication, the following timers are used to ensure that the supplicant
system, the switch, and the RADIUS server interact in an orderly way.
Handshake timer (handshake-period). This timer sets the handshake period and is
triggered after a supplicant system passes the authentication. It sets the interval for a
switch to send handshake request packets to online users. You can set the maximum
number of transmission attempts by using the dot1x retry command. An online user
will be considered offline when the switch has not received any response packets after
the maximum number of handshake request transmission attempts is reached.
Quiet-period timer (quiet-period). This timer sets the quiet-period. When a supplicant
system fails to pass the authentication, the switch quiets for the set period (set by the
quiet-period timer) before it processes another authentication request re-initiated by
EAPOL
Authenticator
system PAE
EAPOL- Start
EAP- Success
Port
authorized
Handshake request
......
EAPOL- Logoff
Port
unauthorized
RADIUS
RADIUS Access-Request
( CHAP- Response/MD5 Challenge)
RADIUS Access - Accept
( CHAP-Success)
Handshake timer
1-9
RADIUS server