Understanding 802.1X

IEEE 802.1X is a specification that defines port-based network access control using EAP (Extensible Authentication Protocol) over LAN, also known as EAPOL. EAP itself is an authentication framework which supports multiple authentication methods; it is defined in RFC 3748. 802.1X defines three roles:

- Supplicant: the client that wants to be authenticated, i.e. the end station (or the 802.1X software on it) attached to the switch port or wireless access point.
- Authenticator: the network device (switch or access point) that controls the port and relays EAP between the Supplicant and the Authentication Server.
- Authentication Server: the server, typically a RADIUS server, that validates the Supplicant's credentials and returns the accept or reject decision.
The EAP method to use is decided between the Supplicant and the Authentication Server; the Authenticator relays the method's packets without needing to understand them. Some of these methods are LEAP, EAP-TLS, EAP-MD5, EAP-FAST, EAP-GTC, PEAP, etc. Not all of them are equally strong: EAP-MD5 and LEAP do not authenticate the server and their challenge/response can be attacked offline by anyone who captures the exchange, so on production networks a certificate-based method such as EAP-TLS, or a tunnelled method such as PEAP or EAP-FAST, is the usual choice.

EAP over LAN (EAPOL)

EAPOL is the method used to transport EAP packets between a Supplicant and an Authenticator directly over the LAN MAC service (both wired and wireless). There are five EAPOL packet types, and not all of them carry EAP messages; the others are used for administrative tasks:

- EAP-Packet (type 0): carries an EAP packet.
- EAPOL-Start (type 1): sent by the Supplicant to ask the Authenticator to begin authentication.
- EAPOL-Logoff (type 2): sent by the Supplicant to end its session and return the port to the Unauthorized state.
- EAPOL-Key (type 3): carries keying material, for example in the Wi-Fi 4-way handshake.
- EAPOL-Encapsulated-ASF-Alert (type 4): carries an ASF alert through a port that is not yet authorized.
All EAPOL frames have the EtherType 0x888E.

Authentication Process and Message Exchange

On bootup, if the Supplicant does not receive an EAP-Request/Identity message from the Authenticator, it initiates authentication itself by sending an EAPOL-Start frame, which prompts the Authenticator (the switch) to request the Supplicant's identity. This only works if the Authenticator port connected to the Supplicant is configured with the dot1x port-control auto command: in auto mode the port starts in the Unauthorized state and lets only EAPOL frames through until authentication succeeds. In the default force-authorized mode no EAPOL exchange takes place at all and the port forwards traffic without any authentication, and in force-unauthorized mode EAPOL frames from the Supplicant are ignored and the port stays Unauthorized.

The Authenticator sends an EAP-Request/Identity message to the Supplicant, and the Supplicant answers with an EAP-Response/Identity carrying its identity, which tells the Authenticator to proceed with authentication. The Authenticator acts as a pass-through: it encapsulates the EAP-Response in an EAP-Message attribute inside a RADIUS Access-Request sent to the Authentication Server (the RADIUS server). On receiving the Access-Request, the RADIUS server responds with an Access-Challenge containing an EAP-Message attribute; if the RADIUS server does not support EAP at all, it sends an Access-Reject instead. The Authenticator decapsulates the Access-Challenge and passes the EAP payload to the Supplicant as an EAP-Request for the chosen method (EAP-Request/Auth). The Supplicant responds with an EAP-Response/Auth, which the Authenticator again wraps in an EAP-Message attribute inside an Access-Request to the RADIUS server. Depending on the method, this challenge/response round may repeat several times (EAP-TLS, for example, needs a few round trips to complete its handshake). Once the RADIUS server has validated the credentials, it responds with an Access-Accept carrying EAP-Success; the Authenticator decapsulates it and forwards the EAP-Success to the Supplicant, the authentication process is complete and the port state changes to Authorized. If validation fails, the server returns an Access-Reject carrying EAP-Failure and the port remains Unauthorized. Note that the Authenticator simply trusts the RADIUS verdict, so the RADIUS shared secret and the Message-Authenticator attribute that RFC 3579 requires on every RADIUS packet carrying EAP-Message are what protect the Authenticator-to-server leg of the exchange.
The port state changes back to Unauthorized when the link state on the port goes from up to down, or when the Authenticator receives an EAPOL-Logoff message from the Supplicant.