Filter
Top Products
Switch
Supplicant System
EAP
Authentication Server
EAP
EAP-Success
RADIUS-Access-Accept
EAP-Response/Identity
RADIUS-Access-Request
EAP-Request
RADIUS-Access-Request
EAP-Response
RADIUS-Access-Challenge
EAPOL-Start
EAP-Request/Identity
Figure 1
1-18 EAP-MD5 Authentication Procedure
1. A supplicant system launches an 802.1X client program via its registered user name and
password to initiate an access request through the sending of an EAPOL-Start packet to the
switch. The 802.1X client program then forwards the packet to the switch to start the
authentication process.
2. Upon receiving the authentication request packet, the switch sends an EAP-Request/Identity
packet to ask the 802.1X client program for the user name.
3. The 802.1X client program responds by sending an EAP-Response/Identity packet to the
switch with the user name included. The switch then encapsulates the packet in a RADIUS
Access-Request packet and forwards it to the RADIUS server.
4. Upon receiving the user name from the switch, the RADIUS server retrieves the user name,
finds the corresponding password by matching the user name in its database, encrypts the
password using a randomly-generated key, and sends the key to the switch through an
RADIUS Access-Challenge packet. The switch then sends the key to the 802.1X client
program.
5. Upon receiving the key (encapsulated in an EAP-Request/MD5 Challenge packet) from the
switch, the client program encrypts the password of the supplicant system with the key and
sends the encrypted password (contained in an EAP-Response/MD5 Challenge packet) to
the RADIUS server through the switch. (The encryption is irreversible.)
6. The RADIUS server compares the received encrypted password (contained in a RADIUS
Access-Request packet) with the locally-encrypted password. If the two match, it will then
send feedbacks (through a RADIUS Access-Accept packet and an EAP-Success packet) to
the switch to indicate that the supplicant system is authorized.
7. The switch changes the state of the corresponding port to accepted state to allow the
supplicant system access the network. And then the switch will monitor the status of
supplicant by sending hand-shake packets periodically. By default, the switch will force the
supplicant to log off if it can not get the response from the supplicant for two times.
8. The supplicant system can also terminate the authenticated state by sending EAPOL-Logoff
packets to the switch. The switch then changes the port state from accepted to rejected.
(2) EAP Terminating Mode
159