Figure 1-6 The format of an EAP-message field
[Figure: the field consists of Type, Length, and String; the String field carries the EAP packets.]

The Message-authenticator field, whose format is shown in Figure 1-7, is used to prevent access request packets from being intercepted by unauthorized parties during authentication using CHAP, EAP, and so on. A packet with the EAP-message field must also have the Message-authenticator field. Otherwise, the packet is regarded as invalid and is discarded.

Figure 1-7 The format of a Message-authenticator field

802.1x Authentication Procedure

An H3C S5100-SI/EI series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode.

EAP relay mode

This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added fields: the EAP-message field (with a value of 79) and the Message-authenticator field (with a value of 80).

Four authentication methods, namely EAP-MD5, EAP-TLS (transport layer security), EAP-TTLS (tunneled transport layer security), and Protected Extensible Authentication Protocol (PEAP), are available in the EAP relay mode.

- EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained in EAP-request/MD5 challenge packets) to the supplicant system, which in turn encrypts the passwords using the MD5 keys.
- EAP-TLS allows the supplicant system and the RADIUS server to check each other's security certificate and authenticate each other's identity, guaranteeing that data is transferred to the right destination and preventing data from being intercepted.
- EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication between the client and authentication server. EAP-TTLS transmits messages using a tunnel established using TLS.
- PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAP negotiations to verify supplicant systems.

Figure 1-8 describes the basic EAP-MD5 authentication procedure.
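The rule stated earlier in this section (a packet with an EAP-message field but no Message-authenticator field is discarded) can be checked on the receiving side as in the following added example, which is not code from the H3C manual. It assumes the Message-authenticator value is HMAC-MD5 over the whole RADIUS packet with the field zeroed, as RFC 2869 defines it; the function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # attribute values given in the text

def attributes(packet: bytes):
    """Return [(type, value_offset, value)] for the attributes after the 20-byte header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    out, pos = [], 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def check_access_request(packet: bytes, secret: bytes) -> str:
    """Return 'valid' or a 'discard: ...' reason for a received Access-Request."""
    try:
        attrs = attributes(packet)
    except ValueError as exc:
        return f"discard: {exc}"
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if any(t == EAP_MESSAGE for t, _, _ in attrs) and not macs:
        return "discard: EAP-message without Message-authenticator"
    if not macs:
        return "valid"
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return "discard: malformed Message-authenticator"
    off, received = macs[0]
    # Assumption (RFC 2869, not stated on the page): HMAC-MD5 with the field zeroed.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    ok = hmac.compare_digest(received, expected)   # constant-time comparison
    return "valid" if ok else "discard: bad Message-authenticator"

def build_request(secret: bytes, eap: bytes, with_mac: bool = True) -> bytes:
    """Constructed sample: Access-Request (code 1) carrying one EAP-message attribute."""
    body = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    if with_mac:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 7, 20 + len(body)) + os.urandom(16) + body
    if with_mac:   # fill in the zeroed field, which is the last 16 bytes
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt
```

A packet that passes the presence check but was altered in transit, or was built with a different shared secret, fails the HMAC comparison and is discarded as well.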