1-8Figure 1-9 802.1x authentication procedure (in EAP terminating mode)SupplicantsystemPAEAuthenticatorsystem PAE RADIUS serverEAPOL RADIUSEAPOL-StartEAP-Request/IdentityEAP-Response/IdentityEAP-Request/MD5 ChallengeEAP-SuccessEAP-Response/MD5 ChallengeRADIUS Access-Request(CHAP-Response/MD5 Challenge)RADIUS Access-Accept(CHAP-Success)PortauthorizedHandshake timerHandshake request[EAP-Request/Identity]Handshake response[EAP-Response/Identity]EAPOL-Logoff......PortunauthorizedThe authentication procedure in EAP terminating mode is the same as that in the EAP relay modeexcept that the randomly-generated key in the EAP terminating mode is generated by the switch, andthat it is the switch that sends the user name, the randomly-generated key, and the supplicantsystem-encrypted password to the RADIUS server for further authentication.Timers Used in 802.1xIn 802.1 x authentication, the following timers are used to ensure that the supplicant system, the switch,and the RADIUS server interact in an orderly way.z Handshake timer (handshake-period). This timer sets the handshake-period and is triggered aftera supplicant system passes the authentication. It sets the interval for a switch to send handshakerequest packets to online users. You can set the number of retries by using the dot1x retrycommand. An online user will be considered offline when the switch has not received any responsepackets after a certain number of handshake request transmission retries.z Quiet-period timer (quiet-period). This timer sets the quiet-period. When a supplicant system failsto pass the authentication, the switch quiets for the set period (set by the quiet-period timer) beforeit processes another authentication request re-initiated by the supplicant system. During this quietperiod, the switch does not perform any 802.1x authentication-related actions for the supplicantsystem.z Re-authentication timer (reauth-period). The switch will initiate 802.1x re-authentication at theinterval set by the re-authentication timer.z RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending anauthentication request packet to the RADIUS server, the switch sends another authentication
