3com WX3000 User Manual

EAP-TTLS is an extension of EAP-TLS. EAP-TLS implements bidirectional authentication 
between the client and the authentication server; EAP-TTLS transmits its messages through a 
tunnel established with TLS. 
PEAP creates and uses a TLS security channel to ensure data integrity, and then performs a new 
EAP negotiation inside it to verify the supplicant system. 
The figure below describes the basic EAP-MD5 authentication procedure. 
Figure 1-8 802.1x authentication procedure (in EAP relay mode) 
[Figure: sequence diagram with three participants, the supplicant system PAE, the 
authenticator system PAE and the RADIUS server. EAPOL carries EAP between the supplicant 
and the authenticator; EAPOR (EAP over RADIUS) carries it between the authenticator and the 
RADIUS server. The message sequence shown is:] 
Supplicant -> Authenticator: EAPOL-Start 
Authenticator -> Supplicant: EAP-Request / Identity 
Supplicant -> Authenticator: EAP-Response / Identity 
Authenticator -> RADIUS server: RADIUS Access-Request (EAP-Response / Identity) 
RADIUS server -> Authenticator: RADIUS Access-Challenge (EAP-Request / MD5 challenge) 
Authenticator -> Supplicant: EAP-Request / MD5 challenge 
Supplicant -> Authenticator: EAP-Response / MD5 challenge 
Authenticator -> RADIUS server: RADIUS Access-Request (EAP-Response / MD5 challenge) 
RADIUS server -> Authenticator: RADIUS Access-Accept (EAP-Success) 
Authenticator -> Supplicant: EAP-Success 
Port authorized 
Handshake timer: Authenticator -> Supplicant: handshake request [EAP-Request / Identity]; 
Supplicant -> Authenticator: handshake response [EAP-Response / Identity]; ... 
Supplicant -> Authenticator: EAPOL-Logoff 
Port unauthorized 
 
The detailed procedure is as follows: 
A supplicant launches an iNode client, and then provides the valid user name and password on the 
iNode client to initiate a connection request. In this case, the iNode client program sends the 
connection request (the EAPOL-Start packet) to the device to start the authentication process. 
Upon receiving the authentication request packet, the device sends an EAP-Request/Identity 
packet to ask the iNode client for the user name. 
The iNode client responds by sending an EAP-Response/Identity packet to the device with the user 
name contained in it. The device then encapsulates the packet in a RADIUS Access-Request 
packet and forwards it to the RADIUS server. 
Upon receiving the packet from the device, the RADIUS server retrieves the user name from the 
packet, finds the corresponding password by matching the user name in its database, encrypts the
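The exchange in the figure and the procedure above, simulated end to end as an added example (this is not code from the 3Com manual or from the WX3000 firmware). EAP framing follows RFC 3748 (Code, Identifier, Length, Type) and the MD5-Challenge response follows RFC 1994 (MD5 over Identifier, password and challenge). RADIUS packets are modelled as plain dicts carrying an EAP-Message attribute rather than real UDP datagrams, and the user names, passwords and challenge bytes are constructed test values. The device role (Authenticator) only relays EAP and tracks the port state; the credential check happens on the RADIUS server, exactly as the text describes.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4


def eap_encode(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_decode(pkt):
    """Parse an EAP packet into (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if length == 4:                              # Success/Failure carry no Type
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def md5_challenge_response(ident, password, challenge):
    """RFC 1994 CHAP as used by EAP-MD5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


class Supplicant:
    """The iNode client side: answers Identity and MD5-Challenge requests."""
    def __init__(self, username, password):
        self.username, self.password = username, password

    def handle(self, pkt):
        code, ident, eap_type, data = eap_decode(pkt)
        if code == EAP_REQUEST and eap_type == TYPE_IDENTITY:
            return eap_encode(EAP_RESPONSE, ident, TYPE_IDENTITY, self.username.encode())
        if code == EAP_REQUEST and eap_type == TYPE_MD5:
            size = data[0]                       # Value-Size precedes the challenge
            challenge = data[1:1 + size]
            digest = md5_challenge_response(ident, self.password, challenge)
            # Type-Data of the response: Value-Size, Value (digest), Name
            return eap_encode(EAP_RESPONSE, ident, TYPE_MD5,
                              bytes([len(digest)]) + digest + self.username.encode())
        return None


class RadiusServer:
    """Holds the user database and performs the credential check (constructed data)."""
    def __init__(self, users, challenge=None):
        self.users = users                       # username -> password
        self.challenge = challenge or os.urandom(16)
        self.pending = {}                        # username -> (expected ident, challenge)

    def handle_access_request(self, radius_pkt):
        code, ident, eap_type, data = eap_decode(radius_pkt["EAP-Message"])
        if eap_type == TYPE_IDENTITY:
            user = data.decode()
            self.pending[user] = (ident + 1, self.challenge)
            req = bytes([len(self.challenge)]) + self.challenge + b"radius-server"
            return {"Code": "Access-Challenge",
                    "EAP-Message": eap_encode(EAP_REQUEST, ident + 1, TYPE_MD5, req)}
        if eap_type == TYPE_MD5:
            size = data[0]
            digest, user = data[1:1 + size], data[1 + size:].decode()
            exp_ident, challenge = self.pending.pop(user, (None, None))
            password = self.users.get(user)
            expected = (md5_challenge_response(ident, password, challenge)
                        if password is not None and exp_ident == ident else None)
            if expected is not None and hmac.compare_digest(expected, digest):
                return {"Code": "Access-Accept", "EAP-Message": eap_encode(EAP_SUCCESS, ident)}
        return {"Code": "Access-Reject", "EAP-Message": eap_encode(EAP_FAILURE, ident)}


class Authenticator:
    """The device PAE: relays EAP between EAPOL and RADIUS and owns the port state."""
    def __init__(self, server):
        self.server, self.port = server, "unauthorized"

    def authenticate(self, supplicant):
        """Run the exchange from EAPOL-Start to the final EAP-Success/Failure."""
        transcript = ["EAPOL-Start"]
        pkt = eap_encode(EAP_REQUEST, 1, TYPE_IDENTITY)   # EAP-Request/Identity
        while True:
            response = supplicant.handle(pkt)
            transcript.append("EAP-Response type=%d" % eap_decode(response)[2])
            reply = self.server.handle_access_request(
                {"Code": "Access-Request", "EAP-Message": response})
            transcript.append(reply["Code"])
            pkt = reply["EAP-Message"]
            code = eap_decode(pkt)[0]
            if code in (EAP_SUCCESS, EAP_FAILURE):
                self.port = "authorized" if code == EAP_SUCCESS else "unauthorized"
                return transcript

    def logoff(self):
        """EAPOL-Logoff from the supplicant returns the port to unauthorized."""
        self.port = "unauthorized"


def run_example(username, password, challenge=b"\x01" * 16):
    """Authenticate one constructed user against a one-entry database; return port state."""
    auth = Authenticator(RadiusServer({"user1": "pass1"}, challenge=challenge))
    auth.authenticate(Supplicant(username, password))
    return auth.port


if __name__ == "__main__":
    print(run_example("user1", "pass1"), run_example("user1", "wrong"))
```

The transcript produced by `Authenticator.authenticate` mirrors the figure: Identity response relayed in an Access-Request, Access-Challenge carrying the MD5 request, MD5 response relayed in a second Access-Request, then Access-Accept with EAP-Success and the port flipping to authorized. Note that in this flow only the supplicant is authenticated; the device and the RADIUS server never prove their identity to the client, which is the gap the EAP-TLS, EAP-TTLS and PEAP variants described above close with their TLS channel.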