Operation Manual – 802.1xH3C S7500 Series Ethernet Switches Chapter 1 802.1x Configuration1-9SupplicantPAE Sw itch RADIUS serverEAPOL RADIUSEAPOL-StartEAP-Request/IdentityEAP-Response/IdentityEAP-Request/MD5 ChallengeEAP-SuccessEAP-Response/MD5 ChallengeRADIUS Access-R(CHA P-Response/MD5 Cequesthallenge)RADIUS Access-A(CHA P-Succesccepts)PortauthorizedHandshake timertimes outHandshake request[EAP-Request/Identity]Handshake response[EAP-Response/Identity]EAPOL-Logoff......PortunauthorizedSupplicantPAE Sw itch RADIUS serverEAPOL RADIUSEAPOL-StartEAP-Request/IdentityEAP-Response/IdentityEAP-Request/MD5 ChallengeEAP-SuccessEAP-Response/MD5 ChallengeRADIUS Access-R(CHA P-Response/MD5 Cequesthallenge)RADIUS Access-A(CHA P-Succesccepts)PortauthorizedHandshake timertimes outHandshake request[EAP-Request/Identity]Handshake response[EAP-Response/Identity]EAPOL-Logoff......PortunauthorizedFigure 1-9 802.1x authentication procedure (in EAP termination mode)The authentication procedure in EAP termination mode is the same as that in the EAPrelay mode except that the randomly-generated key in the EAP termination mode isgenerated by the switch, and that it is the switch that sends the user name, therandomly-generated key, and the supplicant system-encrypted password to theRADIUS server for further authentication.1.1.5 802.1x TimerIn 802.1 x authentication, the following timers are used to ensure that the supplicantsystem, the switch, and the RADIUS server interact orderly:z Transmission timer (tx-period): This timer sets the transmission period and istriggered by the switch in one of the following two cases: The first case is when asupplicant system requests for authentication. The switch sends a unicastrequest/identity packet to the supplicant system and then enables thetransmission timer. The switch will send another request/identity packet to thesupplicant system if it has not received any response from the supplicant systemwhen this timer times out. The second case is when the switch authenticates the802.1x client who does not request for authentication actively. The switch sends