Operation Manual – 802.1x-HABP-MAC Authentication
H3C S5500-EI Series Ethernet Switches
Chapter 1 802.1x Configuration

- Data: Content of the EAP packet. This field is zero or more bytes and its format is determined by the Code field.

1.1.4 EAP Encapsulation over RADIUS

Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and Message-Authenticator. For information about RADIUS packet format, refer to AAA RADIUS HWTACACS Configuration.

I. EAP-Message

The EAP-Message attribute is used to encapsulate EAP packets. Figure 1-6 shows its encapsulation format. The value of the Type field is 79. The String field can be up to 253 bytes. If the EAP packet is longer than 253 bytes, it can be fragmented and encapsulated into multiple EAP-Message attributes.

Figure 1-6 Encapsulation format of the EAP-Message attribute

II. Message-Authenticator

Figure 1-7 shows the encapsulation format of the Message-Authenticator attribute. The Message-Authenticator attribute is used to prevent access requests from being snooped during EAP or CHAP authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the packet will be considered invalid and get discarded.

Figure 1-7 Encapsulation format of the Message-Authenticator attribute

1.1.5 Authentication Process of 802.1x

802.1x authentication can be initiated by either a supplicant or the authenticator system. A supplicant initiates authentication by launching the 802.1x client software to send an EAPOL-Start frame to the authenticator system, while the authenticator system sends an EAP-Request/Identity packet to an unauthenticated supplicant when detecting that the supplicant is trying to log in.
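The EAP-Message fragmentation and the Message-Authenticator discard rule from section 1.1.4, as an added Python example that is not code from the manual or from H3C. It assumes the RFC 3579 definition of Message-Authenticator (attribute type 80, HMAC-MD5 over the whole packet with the field zeroed), which this page does not state; the function names and the sample EAP packet are constructed for illustration.

```python
import hashlib, hmac, os, struct

EAP_MESSAGE = 79            # attribute type given in the manual
MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 3579 (not stated on this page)
MAX_STRING = 253            # largest String field of a single attribute

def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Split an EAP packet into consecutive EAP-Message attributes."""
    out = b""
    for i in range(0, len(eap_packet), MAX_STRING):
        chunk = eap_packet[i:i + MAX_STRING]
        out += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return out

def build_access_request(ident: int, eap_packet: bytes, secret: bytes) -> bytes:
    """Access-Request whose Message-Authenticator is HMAC-MD5 over the whole packet."""
    attrs = eap_message_attrs(eap_packet) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # computed with the field zeroed
    return packet[:-16] + mac

def validate(packet: bytes, secret: bytes):
    """Return the reassembled EAP packet, or None if the packet must be discarded."""
    end = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if end < 20 or end > len(packet):
        return None
    packet, pos, eap, mac_off = packet[:end], 20, b"", None
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            return None                      # malformed attribute
        atype, alen = packet[pos], packet[pos + 1]
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]
        elif atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return None
            mac_off = pos + 2
        pos += alen
    if mac_off is None:
        return None if eap else b""          # EAP-Message without the attribute: invalid
    zeroed = packet[:mac_off] + bytes(16) + packet[mac_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_off:mac_off + 16]):
        return None
    return eap

# Constructed sample: a 600-byte EAP Response (Code 2, Identifier 1), zero-filled body
SAMPLE_EAP = bytes([2, 1]) + struct.pack("!H", 600) + bytes(596)
```

The 600-byte sample is carried in three EAP-Message attributes (253 + 253 + 94 bytes), and `validate` returns `None` for a wrong shared secret, a modified attribute, or an EAP-Message sent without Message-Authenticator.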