3com 4210 PWR 9-Port 3CR17341-91-ME User Manual

Introduction to 802.1x
Figure 73   802.1x authentication procedure (in EAP terminating mode)
The authentication procedure in EAP terminating mode is the same as that in the 
EAP relay mode except that the randomly-generated key in the EAP terminating 
mode is generated by the switch, and that it is the switch that sends the user 
name, the randomly-generated key, and the supplicant system-encrypted 
password to the RADIUS server for further authentication.
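The terminating-mode exchange described above, as an added Python example that is not taken from the manual or from the switch firmware. It assumes the standard MD5-Challenge computation of RFC 1994 and the RADIUS CHAP-Password and CHAP-Challenge attributes of RFC 2865; the function names, the user "alice" and the password are constructed for illustration.

```python
import hashlib
import hmac
import os

# RADIUS attribute type numbers (RFC 2865)
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / EAP-MD5 value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def switch_build_attributes(username: str, identifier: int,
                            challenge: bytes, eap_md5_value: bytes) -> dict:
    """Switch side: terminate EAP and repackage the result as RADIUS CHAP attributes."""
    if len(eap_md5_value) != 16:
        raise ValueError("EAP-MD5 response value must be 16 bytes")
    return {
        USER_NAME: username.encode(),
        CHAP_PASSWORD: bytes([identifier]) + eap_md5_value,  # ident + 16-byte hash
        CHAP_CHALLENGE: challenge,  # the key the switch generated
    }


def radius_verify(attrs: dict, user_db: dict) -> bool:
    """Server side: recompute the hash from the stored password and compare."""
    password = user_db.get(attrs.get(USER_NAME, b"").decode())
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE)
    if password is None or challenge is None or len(chap) != 17:
        return False
    expected = md5_challenge_response(chap[0], password, challenge)
    return hmac.compare_digest(expected, chap[1:])


def run_exchange(username: str, typed_password: bytes, user_db: dict) -> bool:
    challenge = os.urandom(16)  # generated by the switch in terminating mode
    identifier = 1              # identifier of the EAP-Request/MD5 Challenge
    # The supplicant returns only the hash; the password never crosses the link.
    response = md5_challenge_response(identifier, typed_password, challenge)
    attrs = switch_build_attributes(username, identifier, challenge, response)
    return radius_verify(attrs, user_db)


if __name__ == "__main__":
    db = {"alice": b"constructed-password"}  # constructed sample account
    print(run_exchange("alice", b"constructed-password", db))
    print(run_exchange("alice", b"wrong-password", db))
```

Because the server recomputes the hash, CHAP verification only works when the RADIUS server can read the user's password in recoverable form.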
Timers Used in 802.1x
In 802.1x authentication, the following timers are used to ensure that the 
supplicant system, the switch, and the RADIUS server interact in an orderly way.
Handshake timer (handshake-period). This timer sets the handshake-period 
and is triggered after a supplicant system passes the authentication. It sets the 
interval for a switch to send handshake request packets to online users. You 
can set the number of retries by using the dot1x retry command. An online 
user will be considered offline when the switch has not received any response 
packets after a certain number of handshake request transmission retries.
Quiet-period timer (quiet-period). This timer sets the quiet-period. When a 
supplicant system fails to pass the authentication, the switch quiets for the set 
period (set by the quiet-period timer) before it processes another 
authentication request re-initiated by the supplicant system. During this quiet 
period, the switch does not perform any 802.1x authentication-related actions 
for the supplicant system.
[Figure 73 diagram labels. Participants: supplicant system PAE, authenticator system PAE, RADIUS server. EAPOL messages: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, EAP-Success (port authorized). RADIUS messages: RADIUS Access-Request (CHAP-Response/MD5 Challenge), RADIUS Access-Accept (CHAP-Success). Handshake timer: handshake request [EAP-Request/Identity], handshake response [EAP-Response/Identity]. EAPOL-Logoff (port unauthorized).]