H3C S7500 Series Operation Manual page 504


Operation Manual – 802.1x
H3C S7500 Series Ethernet Switches
Figure 1-8 802.1x authentication procedure (in EAP relay mode)
The detailed procedure is as follows.

To access the Internet, a supplicant system launches an 802.1x client, enters the user name and password that were applied for and registered, and initiates a connection request (an EAPoL-Start packet). The 802.1x client program then forwards the packet to the switch to start an authentication process.

Upon receiving the authentication request packet, the switch sends a request frame (an EAP-Request/Identity packet) to ask the 802.1x client for the user name that was entered.

The 802.1x client responds by sending the user name in a frame (an EAP-Response/Identity packet) to the switch. The switch then encapsulates the frame in a RADIUS Access-Request packet and forwards it to the RADIUS server for processing.

Upon receiving the user name from the switch, the RADIUS server looks it up in its database to retrieve the corresponding password. It then encrypts the password with a randomly generated key and sends the key to the switch in a RADIUS Access-Challenge packet. The switch then sends the key to the 802.1x client.

Upon receiving the key (an EAP-Request/MD5 Challenge packet) from the switch, the 802.1x client program encrypts the password of the supplicant system with the

[Figure 1-8 labels recovered from the diagram. Participants: supplicant system PAE, switch (authenticator) PAE, RADIUS server. EAPOL side (supplicant system and switch): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, EAP-Success, Handshake request [EAP-Request/Identity], Handshake response [EAP-Response/Identity], ......, EAPOL-Logoff. EAPOR side (switch and RADIUS server): RADIUS Access-Request (EAP-Response/Identity), RADIUS Access-Challenge (EAP-Request/MD5 Challenge), RADIUS Access-Request (EAP-Response/MD5 Challenge), RADIUS Access-Accept (EAP-Success). Port states: Port authorized, Port unauthorized. Timer: Handshake timer, Handshake timer times out.]

1-7
Chapter 1 802.1x Configuration
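
The MD5 challenge step of the procedure above, as an added example that is not part of the H3C manual. What the manual calls the randomly generated key is the MD5 challenge of RFC 3748, and the client's "encryption" is the one-way hash MD5(Identifier || password || challenge), so the password itself never crosses the link. The function names, identifier value and credentials are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2   # EAP Code field (RFC 3748)
EAP_TYPE_MD5 = 4                   # EAP Type: MD5-Challenge

def build_md5_packet(code, identifier, value, name=b""):
    """EAP header (Code, Identifier, Length) + Type + Value-Size + Value + Name."""
    body = struct.pack("!BB", EAP_TYPE_MD5, len(value)) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(packet):
    """Return (code, identifier, value); reject malformed or non-MD5 packets."""
    if len(packet) < 6:
        raise ValueError("packet too short for EAP MD5-Challenge")
    code, identifier, length, eap_type, size = struct.unpack("!BBHBB", packet[:6])
    if eap_type != EAP_TYPE_MD5 or length > len(packet) or 6 + size > length:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    return code, identifier, packet[6:6 + size]

def md5_response(identifier, password, challenge):
    """RFC 3748 / RFC 1994: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def server_challenge(identifier):
    """RADIUS server side: random 16-byte challenge in an EAP-Request."""
    return build_md5_packet(EAP_REQUEST, identifier, os.urandom(16))

def client_answer(request, password, username):
    """802.1x client side: hash the password with the received challenge."""
    code, identifier, challenge = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = md5_response(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, digest, username)

def server_verify(request, response, stored_password):
    """RADIUS server side: recompute from the stored password and compare."""
    _, req_id, challenge = parse_md5_packet(request)
    code, resp_id, digest = parse_md5_packet(response)
    expected = md5_response(req_id, stored_password, challenge)
    return (code == EAP_RESPONSE and resp_id == req_id
            and hmac.compare_digest(digest, expected))

if __name__ == "__main__":  # constructed sample credentials
    req = server_challenge(7)
    print(server_verify(req, client_answer(req, b"pw-example", b"alice"), b"pw-example"))
```

In relay mode the switch only re-wraps these EAP packets between EAPOL and RADIUS; the hash is computed on the client and checked on the RADIUS server.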
