Table 100 The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server.

Table 101 The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry, and sends the challenge in a RADIUS Access-Challenge packet to the network access device.

Table 102 The network access device relays the EAP-Request/MD5 Challenge packet in a RADIUS Access-Request packet to the client.

Table 103 The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the network access device.

Table 104 The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS Access-Request packet to the authentication server.

Table 105 The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device.

Table 106 Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.

Table 107 After the client comes online, the network access device periodically sends handshake requests to check whether the client is still online. By default, if two consecutive handshake attempts fail, the device logs off the client.

Table 108 Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a certain number of consecutive handshake attempts (two by default), the network access device logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X users that have abnormally gone offline.

Table 109 The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff. Then

Table 110 In response to the EAPOL-Logoff packet, the network access device changes the status of the controlled port from authorized to unauthorized and sends an EAP-Failure packet to the client.

NOTE:

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to configure the EAP relay method.

326