802.1x Overview 723
Figure 218 Message exchange in EAP termination mode
Different from the authentication process in EAP relay mode, it is the authenticator
that generates the random challenge for encrypting the user password
information in EAP termination authentication process. Consequently, the
authenticator sends the challenge together with the username and encrypted
password information from the supplicant to the RADIUS server for
authentication.
802.1x Timers Several timers are used in the 802.1x authentication process to guarantee that the
supplicants, the authenticators, and the RADIUS server interact with each other in
a reasonable manner. The following are the major 802.1x timers:
■ Username request timeout timer (tx-period): This timer is used in two cases,
one is when an authenticator retransmits an EAP-Request/Identity frame and
the other is when an authenticator multicasts an EAP-Request/Identity frame.
Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it
starts this timer. If this timer expires but it receives no response from the
supplicant, it retransmits the request. To cooperate with a supplicant system
that does not send EAPOL-Start requests unsolicitedly, the authenticator
EAPOL
RADIUS
EAPOL- Start
EAP- Resquest / Identity
EAP- Response / Identity
EAP - Request / MD5 challenge
EAP- Response / MD5 challenge
RADIUS Access - Request
(CHAP- Response / MD5 challenge)
RADIUS Access - Accept
(CHAP- Success )
Port authorized
Handshake timer
......
Port unauthorized
Supplicant system
PAE
Authenticator system
PAE
RADUIS
server
EAP- Success
Handshake request
[ EAP- Request / Identity ]
Handshake response
[ EAP- Response / Identity ]
EAPOL- Logoff
To Next Page
Loading...
