Authentication Process of 802.1X

An 802.1X device communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description takes the EAP relay as an example to show the 802.1X authentication process.

EAP relay

EAP relay is an IEEE 802.1X standard mode. In this mode, EAP packets are carried in an upper layer protocol, such as RADIUS, so that they can go through complex networks and reach the authentication server. Generally, EAP relay requires that the RADIUS server support the EAP attributes of EAP-Message and Message-Authenticator, which are used to encapsulate EAP packets and protect RADIUS packets carrying the EAP-Message attribute respectively.

Figure 1-7 shows the message exchange procedure with EAP-MD5.

Figure 1-7 Message exchange in EAP relay mode
[Figure: sequence diagram between Client, Device and Server, with EAPOL between client and device and EAPOR (RADIUS) between device and server, running from EAPOL-Start through port authorization and the handshake timer to EAPOL-Logoff and port unauthorized.]

1) When a user launches the 802.1X client software and enters the registered username and password, the 802.1X client software generates an EAPOL-Start frame and sends it to the device to initiate an authentication process.

2) Upon receiving the EAPOL-Start frame, the device responds with an EAP-Request/Identity packet for the username of the client.

3) When the client receives the EAP-Request/Identity packet, it encapsulates the username in an EAP-Response/Identity packet and sends the packet to the device.
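The encapsulation described under EAP relay, as an added Python example (not taken from this manual or from any device's software): it wraps an EAP-Response/Identity in EAP-Message attributes of a RADIUS Access-Request and protects the packet with Message-Authenticator, computed as in RFC 3579 (HMAC-MD5 over the packet with the attribute value zeroed, keyed with the shared secret). The function names are hypothetical, and the username and shared secret used with them are constructed values.

```python
import hashlib, hmac, os, struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types
ACCESS_REQUEST = 1                                          # RADIUS packet code

def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    # EAP header: Code=2 (Response), Identifier, Length; then Type=1 (Identity)
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_request(radius_id: int, eap: bytes, username: bytes,
                         secret: bytes, req_auth: bytes = b"") -> bytes:
    req_auth = req_auth or os.urandom(16)  # 16-byte Request Authenticator
    attrs = attr(USER_NAME, username)
    # One attribute carries at most 253 value bytes, so a long EAP packet
    # is split across consecutive EAP-Message attributes.
    for i in range(0, len(eap), 253):
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    mac_at = 20 + len(attrs) + 2           # offset of the 16-byte MAC value
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, radius_id,
                                20 + len(attrs)) + req_auth + attrs)
    # HMAC-MD5 over the whole packet with the MAC field zeroed, keyed by the secret
    pkt[mac_at:mac_at + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def verify_and_extract_eap(pkt: bytes, secret: bytes) -> bytes:
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    zeroed, eap, received, pos = bytearray(pkt), b"", None, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        attr_type, end = pkt[pos], pos + pkt[pos + 1]
        if attr_type == EAP_MESSAGE:
            eap += pkt[pos + 2:end]        # reassemble fragments in order
        elif attr_type == MESSAGE_AUTHENTICATOR and end - pos == 18:
            received = pkt[pos + 2:end]
            zeroed[pos + 2:end] = bytes(16)
        pos = end
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    # A packet carrying EAP-Message without a valid MAC is rejected.
    if received is None or not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator missing or invalid")
    return eap
```

The receiver recomputes the HMAC before it trusts the reassembled EAP packet, so a change to any attribute in transit, including User-Name, causes the packet to be rejected.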