Operation Manual – 802.1x
H3C S7500 Series Ethernet Switches
Chapter 1 802.1x Configuration

[Figure 1-6 Encapsulation format of the EAP-message attribute (fields: Type, Length, String; the String field carries the EAP packet)]

The Message-authenticator attribute, as shown in Figure 1-7, is used to prevent access-requesting packets from being snooped during authentications using CHAP, EAP, and so on. A packet with the EAP-message attribute must also have the Message-authenticator attribute; otherwise the packet is regarded as invalid and is discarded.

[Figure 1-7 Encapsulation format of the Message-authenticator attribute (fields: type=80, length=18, string)]

1.1.4 802.1x Authentication Procedure

An H3C S7500 series switch can authenticate supplicant systems in EAP termination mode or EAP relay mode.

I. EAP relay mode

This mode is defined in 802.1x. In this mode, EAP packets are carried over other upper-layer protocols, such as EAP over RADIUS, so that they can traverse complicated networks and reach the authentication server. This mode normally requires the RADIUS server to support the two newly added attributes: EAP-message (a value of 79) and Message-authenticator (a value of 80).

For EAP relay mode, three authentication methods are supported: EAP-MD5, transport layer security (EAP-TLS), and protected extensible authentication protocol (PEAP). The three methods are described below:

- EAP-MD5 authenticates the supplicant system. The RADIUS server sends MD5 keys (contained in EAP-request/MD5 challenge packets) to the supplicant system, which in turn encrypts passwords using the MD5 keys.
- EAP-TLS authenticates both the supplicant system and the RADIUS server. With EAP-TLS authentication, the supplicant system and the RADIUS server check each other's security certificates to prevent data from being stolen.
- PEAP creates and uses TLS security channels to ensure data integrity and then performs a new EAP negotiation to verify the supplicant system.

Figure 1-8 takes EAP-MD5 as an example to introduce the basic authentication procedure.
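
The Message-authenticator rule stated earlier in this section, as an added example (not code from the H3C manual or the switch software): a receiver-side check for RADIUS Access-Request packets that discards a packet carrying EAP-message without Message-authenticator, and verifies the attribute as HMAC-MD5 over the whole packet with its 16-byte value zeroed, keyed with the shared secret, as RFC 3579 defines it. The function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79            # attribute values as given in the manual
MESSAGE_AUTHENTICATOR = 80  # type=80, length=18: 2-byte header + 16-byte HMAC-MD5

def build_access_request(secret, ident, request_auth, eap_packet):
    """Build an Access-Request (code 1) with EAP-message and a valid Message-authenticator."""
    attrs = struct.pack("!BB", EAP_MESSAGE, len(eap_packet) + 2) + eap_packet
    attrs += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed placeholder
    packet = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def check_access_request(secret, packet):
    """Return "accept" or the reason an Access-Request is discarded."""
    if len(packet) < 20:
        return "discard: truncated packet"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "discard: bad length field"
    pos, has_eap, mac_at = 20, False, None
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return "discard: malformed attribute"
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == EAP_MESSAGE:
            has_eap = True
        elif attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "discard: bad Message-authenticator length"
            mac_at = pos + 2
        pos += attr_len
    if mac_at is None:
        # The rule from the text: EAP-message requires Message-authenticator.
        return "discard: EAP-message without Message-authenticator" if has_eap else "accept"
    zeroed = bytearray(packet[:length])
    received = bytes(zeroed[mac_at:mac_at + 16])
    zeroed[mac_at:mac_at + 16] = bytes(16)  # the HMAC is computed over a zeroed field
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):  # constant-time comparison
        return "discard: Message-authenticator mismatch"
    return "accept"

# Constructed sample input: shared secret, EAP-Response/Identity "alice", request authenticator.
SECRET = b"constructed-shared-secret"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
SAMPLE_REQUEST = build_access_request(SECRET, 7, bytes(range(16)), SAMPLE_EAP)
```

Calling `check_access_request(SECRET, SAMPLE_REQUEST)` returns "accept"; a packet altered in transit, or one with the Message-authenticator attribute removed, returns a discard reason instead.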