Operation Manual – 802.1xH3C S3600 Series Ethernet Switches-Release 1510 Chapter 1 802.1x Configuration1-9Supplicantsyst emSwitc h RADIUS ser verEAPOL RADIUSEAPOL-StartEAP-Request/IdentityEAP-Response/IdentityEAP-Request/MD5 ChallengeEAP-SuccessEAP-Response/MD5 ChallengeRADIUS Access-Reque(CHAP-Response/MD5 Chalstlenge)RADIUS Access-Acce(CHAP-Success)ptPort acc ept edHands hake ti mer ti me outHands hake request pac ket[EAP-Request/Identity]Hands hake reply pac ket[EAP-Response/Identity]EAPOL-Logoff......Port reject edSupplicantsyst emSwitc h RADIUS ser verEAPOL RADIUSEAPOL-StartEAP-Request/IdentityEAP-Response/IdentityEAP-Request/MD5 ChallengeEAP-SuccessEAP-Response/MD5 ChallengeRADIUS Access-Reque(CHAP-Response/MD5 Chalstlenge)RADIUS Access-Acce(CHAP-Success)ptPort acc ept edHands hake ti mer ti me outHands hake request pac ket[EAP-Request/Identity]Hands hake reply pac ket[EAP-Response/Identity]EAPOL-Logoff......Port reject edSupplicantsyst emSwitc h RADIUS ser verEAPOL RADIUSEAPOL-StartEAP-Request/IdentityEAP-Response/IdentityEAP-Request/MD5 ChallengeEAP-SuccessEAP-Response/MD5 ChallengeRADIUS Access-Reque(CHAP-Response/MD5 Chalstlenge)RADIUS Access-Acce(CHAP-Success)ptPort acc ept edHands hake ti mer ti me outHands hake request pac ket[EAP-Request/Identity]Hands hake reply pac ket[EAP-Response/Identity]EAPOL-Logoff......Port reject edFigure 1-9 802.1x authentication procedure (in EAP terminating mode)The authentication procedure in EAP terminating mode is the same as that in the EAPrelay mode except that the randomly-generated key in the EAP terminating mode isgenerated by the switch, and that it is the switch that sends the user name, therandomly-generated key, and the supplicant system-encrypted password to theRADIUS server for further authentication.1.1.5 Timers Used in 802.1xIn 802.1 x authentication, the following timers are used to ensure that the supplicantsystem, the switch, and the RADIUS server interact in an orderly way.z Handshake timer (handshake-period). This timer sets the handshake-period andis triggered after a supplicant system passes the authentication. It sets the intervalfor a switch to send handshake request packets to online users. If you set thenumber of retries to N by using the dot1x retry command, an online user is