3com 2928 User Guide

 

1-8 

802.1X authentication procedure in EAP termination mode  

EAPOL

EAPOR

EAPOL-Start

EAP-Request / Identity

EAP-Response / Identity

EAP-Request / MD5 challenge

EAP-Success

EAP-Response / MD5 challenge

Handshake request

( EAP-Request / Identity )

Handshake response

( EAP-Response / Identity )

EAPOL-Logoff

......

Client

Device

Server

Port authorized

Handshake timer

Port unauthorized

RADIUS Access-Request

(CHAP-Response / MD5 challenge)

RADIUS Access-Accept

(CHAP-Success)

 

 
Different from the authentication process in EAP relay mode, it is the device that generates the random 
challenge for encrypting the user password information in EAP termination authentication process. 
Consequently, the device sends the challenge together with the username and encrypted password 
information from the client to the RADIUS server for authentication. 

This section describes the timers used on an 802.1X device to guarantee that the client, the device, and 
the RADIUS server can interact with each other in a reasonable manner.  

z

 

Username request timeout timer: This timer is triggered by the device in two cases. The first case is 
when the client requests for authentication. The device starts this timer when it sends an 
EAP-Request/Identity packet to a client. If it receives no response before this timer expires, the 
device retransmits the request. The second case is when the device authenticates the 802.1X 
client that cannot request for authentication actively. The device sends multicast 
EAP-Request/Identity packets periodically through the port enabled with 802.1X function. In this 
case, this timer sets the interval between sending the multicast EAP-Request/Identity packets. 

z

 

Client timeout timer: Once a device sends an EAP-Request/MD5 Challenge packet to a client, it 
starts this timer. If this timer expires but it receives no response from the client, it retransmits the 
request.