The access device supports the following modes:

Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.

Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address. It retransmits the packet if no response has been received within a certain time interval.

802.1X authentication procedures

802.1X authentication has two approaches: EAP relay and EAP termination. Choose a mode based on whether the RADIUS server supports EAP packets and the EAP authentication methods in use.

EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPoR packets to send authentication information to the RADIUS server, as shown in Figure a.

Figure a. EAP relay

In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) to authenticate to the RADIUS server, as shown in Figure b.

Figure b. EAP termination

A comparison of EAP relay and EAP termination

| Packet exchange method | Benefits | Limitations |
|---|---|---|
| EAP relay | Supports various EAP authentication methods. The configuration and processing is simple on the network access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client. |
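The EAP relay limitation above depends on two RADIUS attributes. The following added example (not taken from this guide or from any device firmware) builds an Access-Request that relays an EAP-Response/Identity and performs the server-side Message-Authenticator check. It assumes the RFC 3579 computation (HMAC-MD5 over the packet with the attribute value zeroed); the function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib, hmac, struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)

def attr(atype, value):  # encode type, length (including the 2-byte header), value
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, req_auth, secret, username, eap_packet):
    """Access-Request as an access device in EAP relay mode would send it."""
    attrs = attr(1, username)                         # User-Name
    for i in range(0, len(eap_packet), 253):          # one EAP-Message holds <= 253 octets
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def parse_attrs(packet):
    """Yield (type, value_offset, value); raise ValueError on inconsistent lengths."""
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        yield packet[pos], pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def verify_eap_request(packet, secret):
    """True only if the packet carries EAP-Message and a valid Message-Authenticator."""
    attrs = list(parse_attrs(packet))
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    has_eap = any(t == EAP_MESSAGE for t, _, _ in attrs)
    if not has_eap or len(macs) != 1 or len(macs[0][1]) != 16:
        return False          # no EAP payload, or EAP without a usable integrity attribute
    off, received = macs[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    return hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())

# Constructed sample: EAP-Response/Identity for "alice", relayed with a made-up secret.
SECRET = b"constructed-shared-secret"
EAP_ID = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
REQUEST = build_access_request(7, bytes(range(16)), SECRET, b"alice", EAP_ID)

if __name__ == "__main__":
    print(verify_eap_request(REQUEST, SECRET), verify_eap_request(REQUEST, b"wrong"))
```

A server that accepts EAP-Message without this check cannot detect a modified or forged relayed packet, which is why both attributes appear together in the requirement.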
