3com WX3000 User Manual

 

1-7 

password using a randomly-generated key, and sends the key to the device through an RADIUS 

access-challenge packet. The device then sends the key to the iNode client. 

z 

Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the device, 

the client program encrypts the password of the supplicant system with the key and sends the 

encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server 

through the device. (Normally, the encryption is irreversible.) 

z 

The RADIUS server compares the received encrypted password (contained in a RADIUS 

access-request packet) with the locally-encrypted password. If the two match, it will then send 

feedbacks (through a RADIUS access-accept packet and an EAP-success packet) to the device to 

indicate that the supplicant is authenticated. 

z 

The device changes the state of the corresponding port to accepted state to allow the supplicant to 

access the network. 

z 

The supplicant can also terminate the authenticated state by sending EAPoL-Logoff packets to the 

device. The device then changes the port state from accepted to rejected. 

 

When you configure your device to work in EAP relay mode, you do not need to configure the 

authentication method to be used. The device and the RADIUS server will negotiate one. The 

negotiation is initiated by the RADIUS server. Different RADIUS servers support different authentication 

methods and the order of PEAP, EAP-TLS, EAP-TTLS, and EAP-MD5 in the negotiation may vary.  

 

In this mode, EAP packet transmission is terminated at authenticator systems and the EAP packets are 

converted to RADIUS packets. Authentication and accounting are carried out through RADIUS 

protocol. 

In this mode, PAP or CHAP is employed between the device and the RADIUS server. 

 

illustrates the authentication procedure (assuming that CHAP is employed between the device and the 

RADIUS server).