3Com 2928 User Guide - Page 363

Figure 1-9 802.1X authentication procedure in EAP termination mode Client EAPOL Device EAPOR Server EAPOL-Start EAP-Request / Identity EAP-Response / Identity EAP-Request / MD5 challenge EAP-Response / MD5 challenge RADIUS Access-Request (CHAP-Response / MD5 challenge) RADIUS Access-Accept (CHAP-Success) EAP-Success Port authorized Handshake request ( EAP-Request / Identity ) Handshake response ( EAP-Response / Identity ) Handshake timer ...... EAPOL-Logoff Port unauthorized Different from the authentication process in EAP relay mode, it is the device that generates the random challenge for encrypting the user password information in EAP termination authentication process. Consequently, the device sends the challenge together with the username and encrypted password information from the client to the RADIUS server for authentication. 802.1X Timers This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other in a reasonable manner. z Username request timeout timer: This timer is triggered by the device in two cases. The first case is when the client requests for authentication. The device starts this timer when it sends an EAP-Request/Identity packet to a client. If it receives no response before this timer expires, the device retransmits the request. The second case is when the device authenticates the 802.1X client that cannot request for authentication actively. The device sends multicast EAP-Request/Identity packets periodically through the port enabled with 802.1X function. In this case, this timer sets the interval between sending the multicast EAP-Request/Identity packets. z Client timeout timer: Once a device sends an EAP-Request/MD5 Challenge packet to a client, it starts this timer. If this timer expires but it receives no response from the client, it retransmits the request. 1-8