The JUNOSe software supports Extensible Authentication Protocol (EAP) for authenticating a peer before allowing network layer protocols to transmit over the link. EAP supports multiple authentication methods, including EAP-TLS and EAP-MD5-Challenge. The EAP server and the peer negotiate the specific authentication method to be used. Figure 30 illustrates the three components required for EAP: an EAP authenticator, an EAP server, and an EAP client.
Figure 30: Authentication with EAP

After LCP negotiation, JUNOSe starts the EAP negotiation process by initiating an identity exchange with the EAP client on the peer. The router sends an EAP identity request packet to the peer, which replies with an EAP identity response packet. After this exchange, the E-series router acts only as a pass-through device, enabling the EAP server residing on the backend authentication server to select and negotiate the particular EAP authentication method directly with the EAP client on the peer.
The JUNOSe software forwards or discards packets received from the backend authentication router and the peer depending on the identifying code contained in the packet.
The E-series router forwards:
The E-series router discards:
The JUNOSe software determines the outcome of the authentication based only on the Accept or Reject indication sent by the RADIUS server.
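The following is an added example, not JUNOSe code and not part of the original page: a sketch of the code-based filtering a pass-through authenticator performs, using the EAP header layout and code values from RFC 3748. The forwarding table is an assumption taken from RFC 3748's pass-through model, not from this page, and the function names and sample packets are constructed for illustration.

```python
import struct

# EAP Code values and the Identity type, per RFC 3748 section 4.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1

# Assumption (RFC 3748 pass-through model, not this page's own list):
# the codes a pass-through authenticator relays from each source.
FORWARD = {
    "peer": {RESPONSE},
    "server": {REQUEST, SUCCESS, FAILURE},
}

def parse_eap(data: bytes):
    """Return (code, identifier, type, payload), or None if malformed."""
    if len(data) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        return None  # Length field below header size or beyond the data received
    body = data[4:length]  # octets past Length are link-layer padding
    if code in (REQUEST, RESPONSE):
        if not body:
            return None  # Request/Response must carry a Type octet
        return code, ident, body[0], body[1:]
    if code in (SUCCESS, FAILURE):
        # Success and Failure carry no data, so Length must be 4.
        return (code, ident, None, b"") if length == 4 else None
    return None  # unknown Code

def relay_decision(source: str, data: bytes) -> str:
    """Decide whether a packet from 'peer' or 'server' is relayed."""
    parsed = parse_eap(data)
    if parsed is None:
        return "discard"
    return "forward" if parsed[0] in FORWARD.get(source, set()) else "discard"

def build(code, ident, eap_type=None, payload=b""):
    """Helper that builds the constructed sample packets below."""
    body = b"" if eap_type is None else bytes([eap_type]) + payload
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed samples: an identity response, and a Success packet that
# is only valid when it arrives from the server side.
IDENTITY_RESPONSE = build(RESPONSE, 7, TYPE_IDENTITY, b"user@example.net")
SUCCESS_PACKET = build(SUCCESS, 8)

if __name__ == "__main__":
    for src, pkt in (("peer", IDENTITY_RESPONSE), ("peer", SUCCESS_PACKET),
                     ("server", SUCCESS_PACKET)):
        print(src, relay_decision(src, pkt))
```

Filtering on the code and the side a packet arrived from keeps a peer from supplying its own Success packet; the authentication outcome still comes only from the RADIUS Accept or Reject.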