• Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
• Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address. It retransmits the packet if no response has been received within a certain time interval.

802.1X authentication procedures

802.1X authentication has two approaches: EAP relay and EAP termination. You choose either mode depending on the support of the RADIUS server for EAP packets and EAP authentication methods.

• EAP relay mode

EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPoR packets to send authentication information to the RADIUS server, as shown in Figure 27.

Figure 27 EAP relay

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to use the dot1x authentication-method eap command to enable EAP relay.

• EAP termination mode

In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses PAP or CHAP to authenticate to the RADIUS server, as shown in Figure 28.

Figure 28 EAP termination

A comparison of EAP relay and EAP termination

| Packet exchange method | Benefits | Limitations |
| EAP relay | • Supports various EAP authentication methods. • The configuration and processing is simple on the network access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client. |
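
The EAP relay limitation above means the RADIUS server has to reassemble EAP-Message attributes and validate Message-Authenticator on every relayed request. The following added example (not from this guide or any vendor code) shows that server-side check in Python, assuming the RFC 3579 definition of Message-Authenticator as HMAC-MD5 over the whole packet with the attribute zero-filled; the function names, shared secret and identity are hypothetical, constructed values.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def eap_identity_response(ident, identity):
    # EAP header: code=2 (Response), id, length; then type=1 (Identity)
    return struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity

def build_relay_request(secret, user_name, eap, ident=1):
    """Access-Request as a device in EAP relay mode forwards it (constructed sample)."""
    attrs = attr(USER_NAME, user_name)
    for i in range(0, len(eap), 253):  # one attribute carries at most 253 bytes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled while signing
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def check_relay_request(secret, packet):
    """Return (ok, reason, reassembled_eap) for a received Access-Request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "bad length", b""
    pos, eap, mac_at = 20, b"", None
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            return False, "malformed attribute", b""
        atype, alen = packet[pos], packet[pos + 1]
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]  # fragments are concatenated in order
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac_at = pos + 2
        pos += alen
    if not eap:
        return False, "no EAP-Message", b""
    if mac_at is None:
        return False, "EAP-Message without Message-Authenticator", eap
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_at:mac_at + 16]):
        return False, "bad Message-Authenticator", eap
    return True, "ok", eap
```

A request that carries EAP-Message but fails either check should be dropped before the EAP payload is handed to the authentication method.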