Operation Manual – 802.1x-System Guard
H3C S3100 Series Ethernet Switches
Chapter 1 802.1x Configuration

- PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP negotiations to verify supplicant systems.

Figure 1-8 describes the basic EAP-MD5 authentication procedure.

[Figure: message sequence between the supplicant system (PAE), the authenticator system (PAE) and the RADIUS server, with EAPOL on the supplicant side and EAPOR on the RADIUS server side]

Figure 1-8 802.1x authentication procedure (in EAP relay mode)

The detailed procedure is as follows:

- A supplicant system launches an 802.1x client to initiate an access request by sending an EAPoL-start packet to the switch, with its user name and password provided. The 802.1x client program then forwards the packet to the switch to start the authentication process.
- Upon receiving the authentication request packet, the switch sends an EAP-request/identity packet to ask the 802.1x client for the user name.
- The 802.1x client responds by sending an EAP-response/identity packet to the switch with the user name contained in it. The switch then encapsulates the packet in a RADIUS Access-Request packet and forwards it to the RADIUS server.
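The relay step in the last item above, as an added Python example that is not part of the H3C manual or the switch's own code: the EAP-Response/Identity is taken out of its EAPOL PDU and carried unchanged in the EAP-Message attribute of a RADIUS Access-Request. The user name, shared secret and identifiers are constructed sample values, and the Message-Authenticator attribute (RFC 3579) is an assumption the manual text does not mention.

```python
import hashlib, hmac, struct

EAPOL_EAP_PACKET = 0                       # EAPOL type 0 carries an EAP packet
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
ACCESS_REQUEST = 1                         # RADIUS code
USER_NAME, EAP_MESSAGE, MESSAGE_AUTH = 1, 79, 80   # RADIUS attribute types

def eap_response_identity(identifier, user):
    """Supplicant side: EAP-Response/Identity carrying the user name."""
    body = bytes([EAP_TYPE_IDENTITY]) + user
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body

def eapol_wrap(eap, version=1):
    """EAPOL PDU as it follows the 0x888E EtherType (Ethernet header omitted)."""
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap)) + eap

def eapol_unwrap(pdu):
    _version, ptype, length = struct.unpack("!BBH", pdu[:4])
    if ptype != EAPOL_EAP_PACKET or len(pdu) < 4 + length:
        raise ValueError("not a complete EAPOL EAP-Packet")
    return pdu[4:4 + length]

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def relay_to_radius(pdu, secret, radius_id, request_auth):
    """Authenticator side: re-encapsulate the EAP packet, unmodified, in RADIUS."""
    eap = eapol_unwrap(pdu)
    if len(eap) < 5 or eap[0] != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        raise ValueError("expected EAP-Response/Identity")
    if struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length field does not match payload")
    attrs = attr(USER_NAME, eap[5:])
    for i in range(0, len(eap), 253):      # one attribute value holds <= 253 bytes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTH, bytes(16)) # zeroed while the HMAC is computed
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)))
    pkt += request_auth + attrs
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def message_authenticator_ok(pkt, secret):
    """Server-side check; assumes Message-Authenticator is the last attribute."""
    zeroed = pkt[:-16] + bytes(16)
    return hmac.compare_digest(pkt[-16:], hmac.new(secret, zeroed, hashlib.md5).digest())
```

A RADIUS server that verifies Message-Authenticator rejects an Access-Request whose EAP payload was altered between the switch and the server.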