802.1X Authentication Procedures; Comparing EAP Relay And EAP Termination - HP 5920 Series Configuration Manual


period of time. This process continues until the maximum number of request attempts set by using
the dot1x retry command is reached.
The username request timeout timer sets both the identity request interval for the multicast trigger and the
identity request timeout interval for the unicast trigger.

802.1X authentication procedures

802.1X authentication has two methods: EAP relay and EAP termination. You choose either mode
depending on support of the RADIUS server for EAP packets and EAP authentication methods.
EAP relay mode.
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR (EAP over RADIUS) packets to send authentication information to the RADIUS server, as shown in Figure 27.
Figure 27 EAP relay
In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to use the dot1x authentication-method eap command to enable EAP relay.

EAP termination mode.
In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses PAP or CHAP to authenticate to the RADIUS server, as shown in Figure 28.
Figure 28 EAP termination

Comparing EAP relay and EAP termination

| Packet exchange method | Benefits | Limitations |
| EAP relay | Supports various EAP authentication methods. The configuration and processing is simple on the network access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client. |
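
As an added illustration (not code from the HP manual), the Python sketch below shows how the two modes look from the RADIUS server's side: an EAP relay request carries EAP-Message and must carry a valid Message-Authenticator, while an EAP termination request carries CHAP-Password or User-Password instead. Attribute numbers and the HMAC-MD5 check follow RFC 2865 and RFC 3579; the function names, shared secret and sample packet are constructed for the example, and the requests are assumed to come from an 802.1X access device.

```python
import hashlib, hmac, struct
# RADIUS attribute types from RFC 2865 / RFC 3579
USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 2, 3, 79, 80

def parse_attributes(packet):
    """Return [(type, value, value_offset)] for a RADIUS packet, validating lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # 4-byte header + 16-byte Authenticator
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:pos + alen], pos + 2))
        pos += alen
    return attrs

def classify_access_request(packet, secret):
    """Tell which 802.1X mode produced an Access-Request, as the RADIUS server sees it."""
    attrs = parse_attributes(packet)
    types = {t for t, _, _ in attrs}
    if EAP_MESSAGE in types:  # EAP relay: the EAP packet is carried to the server
        mac = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
        if len(mac) != 1 or len(mac[0][0]) != 16:
            raise ValueError("EAP-Message without a valid Message-Authenticator")
        value, off = mac[0]
        zeroed = packet[:off] + bytes(16) + packet[off + 16:]
        if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
            raise ValueError("Message-Authenticator mismatch")
        return "eap-relay"
    for atype, mode in ((CHAP_PASSWORD, "termination-chap"), (USER_PASSWORD, "termination-pap")):
        if atype in types:  # EAP termination: plain RADIUS credentials
            return mode
    raise ValueError("no credential attribute")

def build_access_request(attrs, secret, sign):
    """Build a constructed sample Access-Request (demo input, fixed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(range(16)) + body
    if sign:  # HMAC-MD5 over the packet with the 16-byte field zeroed
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

SECRET = b"constructed-shared-secret"
EAP_IDENTITY = b"\x02\x01\x00\x0a\x01alice"  # EAP-Response/Identity, constructed
RELAY = build_access_request([(1, b"alice"), (EAP_MESSAGE, EAP_IDENTITY)], SECRET, True)
```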


This manual is also suitable for:

5900 series
