Operation Manual – 802.1x-System Guard
H3C S3100 Series Ethernet Switches
Chapter 1 802.1x Configuration

[Figure: sequence diagram between the supplicant system PAE, the authenticator system PAE, and the RADIUS server. EAPOL link labels: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, EAP-Success, Handshake timer, Handshake request [EAP-Request/Identity], Handshake response [EAP-Response/Identity], EAPOL-Logoff. RADIUS link labels: RADIUS Access-Request (CHAP-Response/MD5 Challenge), RADIUS Access-Accept (CHAP-Success). Port states: Port authorized, Port unauthorized.]

Figure 1-9 802.1x authentication procedure (in EAP terminating mode)

The authentication procedure in EAP terminating mode is the same as that in the EAP relay mode except that the randomly-generated key in the EAP terminating mode is generated by the switch, and that it is the switch that sends the user name, the randomly-generated key, and the supplicant system-encrypted password to the RADIUS server for further authentication.

1.1.5 Timers Used in 802.1x

In 802.1x authentication, the following timers are used to ensure that the supplicant system, the switch, and the RADIUS server interact in an orderly way.

- Handshake timer (handshake-period). This timer sets the handshake-period and is triggered after a supplicant system passes the authentication. It sets the interval for a switch to send handshake request packets to online users. You can set the number of retries by using the dot1x retry command. An online user will be considered offline when the switch has not received any response packets after a certain number of handshake request transmission retries.
- Quiet-period timer (quiet-period). This timer sets the quiet-period. When a supplicant system fails to pass the authentication, the switch quiets for the set