1-6EAP relay modeThis mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol(such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, thismode requires that the RADIUS server support the two newly-added fields: the EAP-message field(with a value of 79) and the Message-authenticator field (with a value of 80).Four authentication ways, namely EAP-MD5, EAP-TLS (transport layer security), EAP-TTLS (tunneledtransport layer security), and Protected Extensible Authentication Protocol (PEAP), are available in theEAP relay mode.z EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained inEAP-request/MD5 challenge packets) to the supplicant system, which in turn encrypts thepasswords using the MD5 keys.z EAP-TLS allows the supplicant system and the RADIUS server to check each other’s securitycertificate and authenticate each other’s identity, guaranteeing that data is transferred to the rightdestination and preventing data from being intercepted.z EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authenticationbetween the client and authentication server. EAP-TTLS transmit message using a tunnelestablished using TLS.z PEAP creates and uses TLS security channels to ensure data integrity and then performs new EAPnegotiations to verify supplicant systems.Figure 1-8 describes the basic EAP-MD5 authentication procedure.
