H3C S7500 Series Operation Manual page 505

Operation Manual – 802.1x
H3C S7500 Series Ethernet Switches
key and sends the encrypted password (encapsulated in an EAP-response/MD5
challenge packet) to the RADIUS server through the switch. (The encryption is
irreversible.)
The RADIUS server compares the received encrypted password (contained in a
RADIUS Access-Request packet) with the locally encrypted password. If the two
passwords match, it sends feedback (through a RADIUS Access-Accept packet
and an EAP-Success packet) to the switch, indicating that the supplicant system is
authorized.
The switch changes the state of the corresponding port to authorized state,
allowing the supplicant system to access the network.
The supplicant system can also terminate the authenticated state by sending an
EAPoL-Logoff packet to the switch. The switch then changes the port state from
authorized to unauthorized.
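The EAP-MD5 comparison described in the steps above, as an added example that is not part of the H3C manual. It assumes the MD5-Challenge packet layout of RFC 3748 and the CHAP digest of RFC 1994 (MD5 over identifier, password and challenge); the function names, password and identifier are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4  # MD5-Challenge type number (RFC 3748)

def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """One-way digest the supplicant sends: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Encode Code, Identifier, Length, Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap_md5(packet: bytes):
    """Return (code, identifier, value, name); raise ValueError if malformed."""
    if len(packet) < 6:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("bad length or not MD5-Challenge")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:]

def server_verify(response: bytes, challenge: bytes, expected_id: int,
                  stored_password: bytes) -> bool:
    """RADIUS-server side: recompute the digest locally and compare."""
    try:
        code, identifier, value, _name = parse_eap_md5(response)
    except ValueError:
        return False
    if code != EAP_RESPONSE or identifier != expected_id:
        return False
    local = md5_challenge_value(identifier, stored_password, challenge)
    return hmac.compare_digest(value, local)  # constant-time comparison

if __name__ == "__main__":
    password = b"constructed-pass"   # constructed sample credential
    challenge = os.urandom(16)       # fresh random challenge per attempt
    request = build_eap_md5(EAP_REQUEST, 7, challenge)
    _, ident, chal, _ = parse_eap_md5(request)  # supplicant reads the challenge
    reply = build_eap_md5(EAP_RESPONSE, ident,
                          md5_challenge_value(ident, password, chal), b"user")
    print("accept" if server_verify(reply, challenge, 7, password) else "reject")
```

The server never receives the password itself; it can only recompute the digest from its own stored copy, which is why the challenge must be fresh for each authentication attempt.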
Note:
In EAP relay mode, packets are not modified during transmission. Therefore, if one of
the three methods (that is, PEAP, EAP-TLS, or EAP-MD5) is used to authenticate,
ensure that the authentication methods used on the supplicant system and the RADIUS
server are the same. On the switch, however, you can simply enable the EAP relay
mode by using the dot1x authentication-method eap command.
II. EAP termination mode
In this mode, packet transmission is terminated at the authenticator system and EAP
packets are converted to RADIUS packets. Authentication and accounting are
accomplished through the RADIUS protocol.
In this mode, PAP or CHAP authentication is employed between the switch and the
RADIUS server. The following figure takes CHAP authentication as an example to
illustrate the basic authentication procedure.
Chapter 1 802.1x Configuration