1-5
fragmented and are encapsulated in multiple EAP-message fields. The type code of the EAP-message
field is 79.
Figure 1-6 The format of an EAP-message field
015
Type String
7
Length
N
EAP packets
The Message-authenticator field, whose format is shown in
Figure 1-7, is used to prevent unauthorized
interception to access requesting packets during authentications using CHAP, EAP, and so on. A packet
with the EAP-message field must also have the Message-authenticator field. Otherwise, the packet is
regarded as invalid and is discarded.
Figure 1-7 The format of an Message-authenticator field
802.1x Authentication Procedure
A 3Com S4210 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or
EAP relay mode.
EAP relay mode
This mode is defined in 802.1x. In this mode, EAP-packets are encapsulated in higher level protocol
(such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this
mode requires that the RADIUS server support the two newly-added fields: the EAP-message field
(with a value of 79) and the Message-authenticator field (with a value of 80).
Four authentication ways, namely EAP-MD5, EAP-TLS (transport layer security), EAP-TTLS (tunneled
transport layer security), and PEAP (protected extensible authentication protocol), are available in the
EAP relay mode.
z EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained in
EAP-request/MD5 challenge packets) to the supplicant system, which in turn encrypts the
passwords using the MD5 keys.
z EAP-TLS allows the supplicant system and the RADIUS server to check each other’s security
certificate and authenticate each other’s identity, guaranteeing that data is transferred to the right
destination and preventing data from being intercepted.
z EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication
between the client and authentication server. EAP-TTLS transmit message using a tunnel
established using TLS.
z PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP
negotiations to verify supplicant systems.
Figure 1-8 describes the basic EAP-MD5 authentication procedure.
To Next Page
Loading...