802.1x Overview 721
Figure 217 Message exchange in EAP relay mode
1 When a user launches the 802.1x client software and enters the registered
username and password, the 802.1x client software generates an EAPOL-Start
frame and sends it to the authenticator to initiate an authentication process.
2 Upon receiving the EAPOL-Start frame, the authenticator responds with an
EAP-Request/Identity packet for the username of the supplicant.
3 When the supplicant receives the EAP-Request/Identity packet, it encapsulates the
username in an EAP-Response/Identity packet and sends the packet to the
authenticator.
4 Upon receiving the EAP-Response/Identity packet, the authenticator relays the
packet in a RADIUS Access-Request packet to the authentication server.
5 When receiving the RADIUS Access-Request packet, the RADIUS server compares
the identify information against its user information table to obtain the
corresponding password information. Then, it encrypts the password information
using a randomly generated challenge, and sends the challenge information
through a RADIUS Access-Challenge packet to the authenticator.
6 After receiving the RADIUS Access-Challenge packet, the authenticator relays the
contained EAP-Request/MD5 Challenge packet to the supplicant.
Supplicant system
PAE
RADUIS
server
EAPOL EAPOR
EAPOL-Start
EAP -Request / Identity
EAP-Response / Identity
EAP -Request / MD5 challenge
EAP-Success
EAP-Response / MD5 challenge
RADIUS Access - Request
(EAP- Response / Identity )
RADIUS Access-Challenge
( EAP- Request / MD5 challenge )
RADIUS Access-Accept
(EAP- Success)
RADIUS Access-Request
( EAP- Response / MD5 challenge )
Port authorized
Handshake timer
Handshake request
[ EAP- Request / Identity ]
Handshake response
[ EAP- Response / Identity ]
EAPOL- Logoff
......
Port unauthorized
Authenticator system
PAE
To Next Page
Loading...
