9) When receiving the RADIUS Access-Request packet, the RADIUS server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the device a RADIUS Access-Accept packet.

10) Upon receiving the RADIUS Access-Accept packet, the device opens the port to grant the access request of the client. After the client gets online, the device periodically sends handshake requests to the client to check whether the client is still online. By default, if two consecutive handshake attempts fail, the device concludes that the client has gone offline and performs the necessary operations, guaranteeing that the device always knows when a client goes offline.

11) The client can also send an EAPOL-Logoff frame to the device to go offline on its own initiative. In this case, the device changes the status of the port from authorized to unauthorized and sends an EAP-Failure packet to the client.

In EAP relay mode, a client must use the same authentication method as that of the RADIUS server. On the device, however, you only need to enable EAP relay.

EAP termination

In EAP termination mode, EAP packets are terminated at the device and then repackaged into the PAP or CHAP attributes of RADIUS and transferred to the RADIUS server for authentication, authorization, and accounting. Figure 1-9 shows the message exchange procedure with CHAP authentication.
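
The CHAP case of EAP termination mode, as an added example that is not part of the original manual: the device repackages the client's CHAP data into RADIUS attributes, and the server recomputes the value from its stored password and compares. It assumes the MD5 response of RFC 1994 and the CHAP-Password (3) and CHAP-Challenge (60) attributes of RFC 2865; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3    # RADIUS attribute type (RFC 2865)
CHAP_CHALLENGE = 60  # RADIUS attribute type (RFC 2865)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: type (1 octet), length (1 octet, header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_attrs(data: bytes) -> dict:
    """Split a run of RADIUS attributes, rejecting truncated or bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        length = data[i + 1]
        attrs[data[i]] = data[i + 2:i + length]
        i += length
    return attrs

def device_build_attrs(ident: int, challenge: bytes, response: bytes) -> bytes:
    """Device side: repackage the client's CHAP ident/response and the challenge."""
    return (encode_attr(CHAP_PASSWORD, bytes([ident]) + response)
            + encode_attr(CHAP_CHALLENGE, challenge))

def server_verify(attr_bytes: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the response and compare in constant time.

    Simplification: requires CHAP-Challenge; RFC 2865 also lets the Request
    Authenticator act as the challenge when that attribute is absent.
    """
    attrs = parse_attrs(attr_bytes)
    chap_pw = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, b"")
    if len(chap_pw) != 17 or not challenge:   # 1 ident octet + 16-octet MD5
        return False
    expected = chap_response(chap_pw[0], stored_password, challenge)
    return hmac.compare_digest(chap_pw[1:], expected)

if __name__ == "__main__":
    challenge = bytes(range(16))              # constructed sample challenge
    resp = chap_response(7, b"constructed-password", challenge)
    attrs = device_build_attrs(7, challenge, resp)
    print(server_verify(attrs, b"constructed-password"))
```

The server must hold the password in a form that lets it recompute the MD5 input, which is why CHAP back ends store it in cleartext or reversibly encrypted.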