3com 4210 PWR 9-Port 3CR17341-91-ME User Manual
Product codes
3CR17341-91-ME
Introduction to 802.1x
217
Figure 72 802.1x authentication procedure (in EAP relay mode)
The detailed procedure is as follows.
■
A supplicant system launches an 802.1x client to initiate an access request by
sending an EAPoL-start packet to the switch, with its user name and password
provided. The 802.1x client program then forwards the packet to the switch to
start the authentication process.
sending an EAPoL-start packet to the switch, with its user name and password
provided. The 802.1x client program then forwards the packet to the switch to
start the authentication process.
■
Upon receiving the authentication request packet, the switch sends an
EAP-request/identity packet to ask the 802.1x client for the user name.
EAP-request/identity packet to ask the 802.1x client for the user name.
■
The 802.1x client responds by sending an EAP-response/identity packet to the
switch with the user name contained in it. The switch then encapsulates the
packet in a RADIUS Access-Request packet and forwards it to the RADIUS
server.
switch with the user name contained in it. The switch then encapsulates the
packet in a RADIUS Access-Request packet and forwards it to the RADIUS
server.
■
Upon receiving the packet from the switch, the RADIUS server retrieves the
user name from the packet, finds the corresponding password by matching the
user name in its database, encrypts the password using a randomly-generated
key, and sends the key to the switch through an RADIUS access-challenge
packet. The switch then sends the key to the 802.1x client.
user name from the packet, finds the corresponding password by matching the
user name in its database, encrypts the password using a randomly-generated
key, and sends the key to the switch through an RADIUS access-challenge
packet. The switch then sends the key to the 802.1x client.
Supplicant System
PAE
RADUIS
server
EAPOL
EAPOR
EAPOL-Start
EAP-Request / Identity
EAP-Response / Identity
EAP-Request / MD5 challenge
EAP-Success
EAP-Response / MD5 challenge
RADIUS Access-Request
(EAP-Response / Identity)
RADIUS Access-Challenge
(EAP-Request / MD5 challenge)
RADIUS Access-Accept
(EAP-Success )
RADIUS Access-Request
(EAP-Response / MD5 challenge)
Port authorized
Handshake timer
Handshake request
[ EAP-Request / Identity ]
Handshake response
[ EAP-Response / Identity ]
EAPOL-Logoff
......
Port unauthorized
Authenticator System
PAE