Figure 1-9 802.1x authentication procedure (in EAP terminating mode)

[Figure: message sequence between the supplicant system PAE, the authenticator system PAE, and the RADIUS server. EAPOL carries the frames between the supplicant and the authenticator; RADIUS carries the exchange between the authenticator and the RADIUS server.]

Supplicant system PAE -> Authenticator system PAE: EAPOL-Start
Authenticator -> Supplicant: EAP-Request/Identity
Supplicant -> Authenticator: EAP-Response/Identity
Authenticator -> Supplicant: EAP-Request/MD5 Challenge
Supplicant -> Authenticator: EAP-Response/MD5 Challenge
Authenticator -> RADIUS server: RADIUS Access-Request (CHAP-Response/MD5 Challenge)
RADIUS server -> Authenticator: RADIUS Access-Accept (CHAP-Success)
Authenticator -> Supplicant: EAP-Success
Port authorized
Handshake timer expires; Authenticator -> Supplicant: Handshake request [EAP-Request/Identity]
Supplicant -> Authenticator: Handshake response [EAP-Response/Identity]
......
Supplicant -> Authenticator: EAPOL-Logoff
Port unauthorized

The authentication procedure in EAP terminating mode is the same as that in EAP relay mode, except that the randomly generated key (the MD5 challenge) is generated by the device rather than by the RADIUS server, and that it is the device that sends the user name, the challenge, and the password digest computed by the supplicant system (the content of the EAP-Response/MD5 Challenge) to the RADIUS server, which completes the authentication. Because the device terminates EAP, the RADIUS server sees a CHAP exchange (CHAP-Challenge and CHAP-Password attributes) rather than EAP-Message attributes. Note that EAP-MD5 verifies only the supplicant's password digest: it does not authenticate the device or the RADIUS server to the supplicant, and it derives no keying material.
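The exchange above, as an added example that is not part of the 3Com manual and not the WX3000's code: the supplicant computes the EAP-MD5 response, the device in terminating mode generates the challenge itself and repackages user name, challenge and digest as RADIUS CHAP attributes, and the RADIUS server verifies by recomputing the hash. Packet layouts follow RFC 3748 (EAP), RFC 1994 (CHAP) and RFC 2865 (RADIUS attribute TLVs); the user database, names and the `offline_guess` function are constructed for illustration, and only the attribute payload of the Access-Request is built, not the full RADIUS header.

```python
"""Added example: EAP-MD5 in EAP terminating mode (hypothetical simulation, not 3Com code)."""
import hashlib
import hmac
import os
import struct

# EAP codes and types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4
# RADIUS attribute types (RFC 2865)
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def eap_md5_request(identifier: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Code | Id | Length | Type | Value-Size | Value."""
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body


def chap_md5(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def supplicant_respond(request: bytes, password: bytes) -> bytes:
    """Supplicant: parse the request and build EAP-Response/MD5-Challenge."""
    code, identifier, _length = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or request[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    value_size = request[5]
    challenge = request[6:6 + value_size]
    digest = chap_md5(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(digest)]) + digest
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte) | Length (1 byte, header included) | Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def authenticator_access_request(username: bytes, challenge: bytes, response: bytes) -> bytes:
    """Device in terminating mode: terminate EAP and forward the result as CHAP attributes.
    CHAP-Password carries the CHAP Ident followed by the 16-byte MD5 response."""
    code, identifier, _length = struct.unpack("!BBH", response[:4])
    if code != EAP_RESPONSE or response[4] != EAP_TYPE_MD5 or response[5] != 16:
        raise ValueError("not an EAP-Response/MD5-Challenge")
    digest = response[6:22]
    return (radius_attr(ATTR_USER_NAME, username)
            + radius_attr(ATTR_CHAP_CHALLENGE, challenge)
            + radius_attr(ATTR_CHAP_PASSWORD, bytes([identifier]) + digest))


def parse_attrs(payload: bytes) -> dict:
    """Walk the attribute TLVs; a length below 2 would loop forever, so reject it."""
    attrs, i = {}, 0
    while i < len(payload):
        attr_type, length = payload[i], payload[i + 1]
        if length < 2:
            raise ValueError("bad attribute length")
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


def radius_server_check(access_request: bytes, users: dict) -> bool:
    """RADIUS server: look up the cleartext password and recompute the CHAP digest."""
    attrs = parse_attrs(access_request)
    password = users.get(attrs.get(ATTR_USER_NAME))
    if password is None:
        return False
    chap = attrs[ATTR_CHAP_PASSWORD]
    ident, digest = chap[0], chap[1:]
    expected = chap_md5(ident, password, attrs[ATTR_CHAP_CHALLENGE])
    return hmac.compare_digest(digest, expected)


def run_exchange(username: bytes, password_offered: bytes, users: dict,
                 challenge: bytes = None, identifier: int = 1) -> bool:
    """Drive the three parties end to end; returns True on Access-Accept."""
    challenge = challenge or os.urandom(16)  # generated by the device in terminating mode
    request = eap_md5_request(identifier, challenge)
    response = supplicant_respond(request, password_offered)
    access_request = authenticator_access_request(username, challenge, response)
    return radius_server_check(access_request, users)


def offline_guess(challenge: bytes, ident: int, digest: bytes, wordlist) -> bytes:
    """Caveat shown in code: a sniffed challenge/response pair can be tested offline."""
    for guess in wordlist:
        if chap_md5(ident, guess, challenge) == digest:
            return guess
    return None


if __name__ == "__main__":
    users = {b"alice": b"s3cret"}  # constructed user database
    print("correct password:", run_exchange(b"alice", b"s3cret", users))
    print("wrong password:  ", run_exchange(b"alice", b"wrong", users))
```

The server must hold the cleartext password (or an equivalent) to recompute the digest, which is why CHAP/EAP-MD5 users cannot be stored as salted one-way hashes; and `offline_guess` shows why a weak password survives only as long as nobody captures the EAPOL frames on the wire.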

Timers Used in 802.1x

In 802.1x authentication, the following timers are used to ensure that the supplicant system, the device, and the RADIUS server interact in an orderly way.

- Handshake timer (handshake-period). This timer sets the handshake period and is started after a supplicant system passes authentication. It sets the interval at which the device sends handshake request packets to online users. You can set the number of retries by using the dot1x retry command. An online user is considered offline when the device has received no response after the configured number of handshake request retransmissions.

- Quiet-period timer (quiet-period). This timer sets the quiet period. When a supplicant system fails authentication, the device stays quiet for the set period before it processes another authentication request re-initiated by that supplicant system. During the quiet period, the device performs no 802.1x authentication-related actions for the supplicant system.

- Re-authentication timer (reauth-period). The device initiates 802.1x re-authentication at the interval set by the re-authentication timer.
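A simplified model of the handshake and quiet-period timers, as an added example that is not part of the 3Com manual and not the WX3000's implementation. The period values (handshake-period 15 s, retry 2, quiet-period 60 s) and the event timeline are constructed to keep the trace short; the rule that a user is declared offline once `retry` consecutive handshake requests have gone unanswered is an assumption about how the dot1x retry count is applied, and the re-authentication timer is not modelled.

```python
"""Added example: 802.1x handshake and quiet-period timer behaviour (hypothetical model, not 3Com code)."""
from dataclasses import dataclass, field


@dataclass
class Dot1xPort:
    handshake_period: int = 15   # seconds between handshake requests (assumed value)
    retry: int = 2               # dot1x retry: unanswered handshakes tolerated (assumed)
    quiet_period: int = 60       # seconds a failed supplicant is ignored (assumed value)
    authorized: bool = False
    next_handshake: int = 0
    unanswered: int = 0
    quiet_until: int = 0
    log: list = field(default_factory=list)

    def attempt_auth(self, now: int, success: bool) -> str:
        """Authentication result arrives; the quiet-period timer gates new attempts."""
        if now < self.quiet_until:
            self.log.append((now, "ignored-quiet"))
            return "ignored-quiet"
        if success:
            self.authorized = True
            self.unanswered = 0
            self.next_handshake = now + self.handshake_period  # handshake timer starts
            self.log.append((now, "authorized"))
            return "authorized"
        self.quiet_until = now + self.quiet_period  # quiet-period timer starts
        self.log.append((now, "auth-fail"))
        return "auth-fail"

    def handshake_response(self, now: int) -> None:
        """EAP-Response/Identity to a handshake request: user is still online."""
        if self.authorized:
            self.unanswered = 0
            self.log.append((now, "handshake-response"))

    def tick(self, now: int) -> None:
        """Advance the clock by one second; fire the handshake timer when due."""
        if not self.authorized or now < self.next_handshake:
            return
        if self.unanswered >= self.retry:
            # retry requests already unanswered: treat the user as offline
            self.authorized = False
            self.log.append((now, "offline"))
            return
        self.unanswered += 1
        self.next_handshake = now + self.handshake_period
        self.log.append((now, "handshake-request"))


def simulate(port: Dot1xPort, events, horizon: int) -> list:
    """Run a constructed timeline of (time, kind) events through the port model."""
    pending = sorted(events)
    for now in range(horizon + 1):
        while pending and pending[0][0] == now:
            _, kind = pending.pop(0)
            if kind == "auth_ok":
                port.attempt_auth(now, True)
            elif kind == "auth_fail":
                port.attempt_auth(now, False)
            elif kind == "handshake_reply":
                port.handshake_response(now)
        port.tick(now)
    return port.log


# Constructed timeline: a failed login, a retry inside the quiet period that is
# ignored, a successful login at the end of the quiet period, one answered
# handshake, then the supplicant goes silent and is declared offline.
TIMELINE = [(0, "auth_fail"), (10, "auth_ok"), (60, "auth_ok"), (76, "handshake_reply")]


def run_demo() -> list:
    return simulate(Dot1xPort(), TIMELINE, horizon=130)


if __name__ == "__main__":
    for t, event in run_demo():
        print(f"t={t:3d}s  {event}")
```

In the trace, the attempt at t=10 is dropped because the quiet-period timer started at t=0 has not expired, the handshake at t=75 is answered, and the unanswered requests at t=90 and t=105 exhaust the retry count so the port goes back to the unauthorized state at t=120, exactly the EAPOL-Logoff-free path by which a silent client is removed.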

3Com WX3000 operation manual