Operation Manual – 802.1x-System GuardH3C S3100 Series Ethernet Switches Chapter 1 802.1x Configuration1-8z Upon receiving the packet from the switch, the RADIUS server retrieves the username from the packet, finds the corresponding password by matching the username in its database, encrypts the password using a randomly-generated key,and sends the key to the switch through an RADIUS access-challenge packet.The switch then sends the key to the 802.1x client.z Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet)from the switch, the client program encrypts the password of the supplicantsystem with the key and sends the encrypted password (contained in anEAP-response/MD5 challenge packet) to the RADIUS server through the switch.(Normally, the encryption is irreversible.)z The RADIUS server compares the received encrypted password (contained in aRADIUS access-request packet) with the locally-encrypted password. If the twomatch, it will then send feedbacks (through a RADIUS access-accept packet andan EAP-success packet) to the switch to indicate that the supplicant system isauthenticated.z The switch changes the state of the corresponding port to accepted state to allowthe supplicant system to access the network.z The supplicant system can also terminate the authenticated state by sendingEAPoL-Logoff packets to the switch. The switch then changes the port state fromaccepted to rejected.Note:In EAP relay mode, packets are not modified during transmission. Therefore if one ofthe four ways are used (that is, PEAP, EAP-TLS, EAP-TTLS or EAP-MD5) toauthenticate, ensure that the authenticating ways used on the supplicant system andthe RADIUS server are the same. However for the switch, you can simply enable theEAP relay mode by using the dot1x authentication-method eap command.II. EAP terminating modeIn this mode, EAP packet transmission is terminated at authenticator systems and theEAP packets are converted to RADIUS packets. Authentication and accounting arecarried out through RADIUS protocol.In this mode, PAP or CHAP is employed between the switch and the RADIUS server.Figure 1-9 illustrates the authentication procedure (assuming that CHAP is employedbetween the switch and the RADIUS server).
