2-7
Figure 2-8 Message exchange in EAP relay mode
EAPOL
EAPOR
EAPOL-Start
EAP-Request / Identity
EAP-Response / Identity
EAP-Request / MD5 challenge
EAP-Success
EAP-Response / MD5 challenge
RADIUS Access-Request
(EAP-Response / Identity)
RADIUS Access-Challenge
(EAP-Request / MD5 challenge)
RADIUS Access-Accept
(EAP-Success)
RADIUS Access-Request
(EAP-Response / MD5 challenge)
Handshake request
[ EAP-Request / Identity ]
Handshake response
[ EAP-Response / Identity ]
EAPOL-Logoff
......
Client Device Server
Port authorized
Handshake timer
Port unauthorized
2) When a user launches the 802.1X client software and enters the registered username and
password, the 802.1X client software generates an EAPOL-Start frame and sends it to the device
to initiate an authentication process.
3) Upon receiving the EAPOL-Start frame, the device responds with an EAP-Request/Identity packet
for the username of the client.
4) When the client receives the EAP-Request/Identity packet, it encapsulates the username in an
EAP-Response/Identity packet and sends the packet to the device.
5) Upon receiving the EAP-Response/Identity packet, the device relays the packet in a RADIUS
Access-Request packet to the authentication server.
6) When receiving the RADIUS Access-Request packet, the RADIUS server compares the identify
information against its user information table to obtain the corresponding password information.
Then, it encrypts the password information using a randomly generated challenge, and sends the
challenge information through a RADIUS Access-Challenge packet to the device.
7) After receiving the RADIUS Access-Challenge packet, the device relays the contained
EAP-Request/MD5 Challenge packet to the client.
8) When receiving the EAP-Request/MD5 Challenge packet, the client uses the offered challenge to
encrypt the password part (this process is not reversible), creates an EAP-Response/MD5
Challenge packet, and then sends the packet to the device.
9) After receiving the EAP-Response/MD5 Challenge packet, the device relays the packet in a
RADIUS Access-Request packet to the authentication server.
To Next Page
Loading...
