3com 4210 PWR 9-Port 3CR17341-91-ME User Manual

Chapter 17: 802.1x Configuration
802.1x Authentication Procedure

The Switch 4210 can authenticate supplicant systems in EAP terminating mode or EAP relay mode.

EAP relay mode

This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-level protocol packets (such as EAPoR, EAP over RADIUS) so that they can reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly added fields: the EAP-Message field (attribute type 79) and the Message-Authenticator field (attribute type 80).

Four authentication methods, namely EAP-MD5, EAP-TLS (transport layer security), EAP-TTLS (tunneled transport layer security), and PEAP (protected extensible authentication protocol), are available in EAP relay mode.

EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained in EAP-Request/MD5-Challenge packets) to the supplicant system, which in turn encrypts the passwords using the MD5 keys.
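To make the EAP relay mode and EAP-MD5 exchange above concrete, here is an added Python example (not taken from the 3Com manual or the switch firmware) that builds a RADIUS Access-Request carrying the EAP-Message (79) and Message-Authenticator (80) attributes, computes the EAP-MD5 response value, and checks the Message-Authenticator the way a RADIUS server does before it trusts the EAP contents. The shared secret, password and challenge values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types named on the page
EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4            # EAP code "Response" and method type MD5-Challenge

def eap_md5_response(eap_id, password, challenge):
    """EAP-MD5 response value (RFC 3748): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

def build_eap_md5_response(eap_id, password, challenge, name):
    """EAP-Response/MD5-Challenge packet: code 2, id, length, type 4, value-size, value, name."""
    value = eap_md5_response(eap_id, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def _attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value  # RADIUS TLV: type, length, value

def build_access_request(pkt_id, authenticator, eap_packet, secret):
    """Access-Request carrying EAP-Message (79) and a valid Message-Authenticator (80)."""
    attrs = _attr(EAP_MESSAGE, eap_packet) + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    # RFC 3579: HMAC-MD5 keyed with the shared secret over the whole packet, attribute 80 zeroed.
    mac = hmac.new(secret, header + authenticator + attrs, hashlib.md5).digest()
    return header + authenticator + _attr(EAP_MESSAGE, eap_packet) + _attr(MESSAGE_AUTHENTICATOR, mac)

def parse_attributes(pkt):
    """Return (type, offset_of_value, value) for every attribute after the 20-byte header."""
    out, pos = [], 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        out.append((attr_type, pos + 2, pkt[pos + 2:pos + length]))
        pos += length
    return out

def verify_message_authenticator(pkt, secret):
    """The check a RADIUS server performs before trusting the EAP-Message contents."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    for attr_type, off, value in parse_attributes(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # an Access-Request carrying EAP-Message without attribute 80 is rejected
```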
EAP-TLS allows the supplicant system and the RADIUS server to check each other's security certificate and authenticate each other's identity, guaranteeing that data is transferred to the right destination and preventing data from being intercepted.

EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication between the client and the authentication server. EAP-TTLS transmits messages through a tunnel established using TLS.

PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP negotiations to verify supplicant systems.
Figure 72 describes the basic EAP-MD5 authentication procedure.