802.1X Authentication Procedures; A Comparison Of Eap Relay And Eap Termination - HP 5120 EI Switch Series Configuration Manual

 Multicast trigger mode—The access device multicasts EAP-Request/Identify packets periodically
(every 30 seconds by default) to initiate 802.1X authentication.
Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC

address table, the access device sends an EAP-Request/Identify packet out of the receiving port to
the unknown MAC address. It retransmits the packet if no response has been received within a
configured time interval.

802.1X authentication procedures

802.1X authentication has two approaches: EAP relay and EAP termination. You choose either mode
depending on the support of the RADIUS server for EAP packets and EAP authentication methods.
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPoR packets to send
authentication information to the RADIUS server, as shown in
Figure 29 EAP relay
Client
In EAP termination mode, the network access device terminates the EAP packets received from the client,
encapsulates the client authentication information in standard RADIUS packets, and uses (Password
Authentication Protocol) PAP or (Password Authentication Protocol) CHAP to authenticate to the RADIUS
server, as shown in
Figure 30 EAP termination
Client

A comparison of EAP relay and EAP termination

Packet exchange method
EAP relay
EAP packets over LAN
EAP authentication
Figure 30.
EAP packets over LAN
EAP authentication
Benefits

Supports various EAP
authentication methods.

The configuration and processing
is simple on the network access
device
Figure
Device
EAP packets over RADIUS
Device
RADIUS
PAP/CHAP authentication
67
29.
RADIUS server
RADIUS server
Limitations
The RADIUS server must support
the EAP-Message and Message-
Authenticator attributes, and the
EAP authentication method used by
the client.