The mechanism of an 802.1x authentication system, Encapsulation of eapol messages, The format of an eapol packet – H3C Technologies H3C WX3000 Series Unified Switches User Manual


• MAC-based control. When a port works in the MAC-based control mode, all supplicant systems
  connected to the port have to be authenticated individually in order to access the network.
  When a supplicant system goes offline, the others are not affected.

The Mechanism of an 802.1x Authentication System

IEEE 802.1x authentication uses the Extensible Authentication Protocol (EAP) to exchange information
between supplicant systems and the authentication servers. To be compatible with 802.1x in a LAN
environment, the client program must support the Extensible Authentication Protocol over LAN
(EAPoL).

Figure 23-2 The mechanism of an 802.1x authentication system

• EAP protocol packets transmitted between the supplicant system PAE and the authenticator
  system PAE are encapsulated as EAPoL packets.

• EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server
  can either be encapsulated as EAP over RADIUS (EAPoR) packets or be terminated at system
  PAEs. The system PAEs then communicate with RADIUS servers through password
  authentication protocol (PAP) or challenge-handshake authentication protocol (CHAP) packets.

• When a supplicant system passes the authentication, the authentication server passes the
  information about the supplicant system to the authenticator system. The authenticator system in
  turn determines the state (authorized or unauthorized) of the controlled port according to the
  instructions (accept or reject) received from the RADIUS server.

Encapsulation of EAPoL Messages

The format of an EAPoL packet

EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packets to be
transmitted between supplicant systems and authenticator systems through LANs, EAP protocol
packets are encapsulated in EAPoL format. The following figure illustrates the structure of an EAPoL
packet.

Figure 23-3 The format of an EAPoL packet

In an EAPoL packet:

• The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E.
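
The following Python parser is an added example, not part of the H3C manual. It checks the 0x888E PAE Ethernet type described above and decodes the EAPoL and EAP headers that follow it. The header layout (version, type, length), the type and code values, and the PAE group address are taken from IEEE 802.1X and RFC 3748 rather than from this page, and the sample frame is constructed.

```python
import struct

PAE_ETHERTYPE = 0x888E  # 802.1x protocol identifier, as stated in the manual
# Values below come from IEEE 802.1X and RFC 3748, not from this manual page.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eapol(frame: bytes) -> dict:
    """Decode an untagged Ethernet frame carrying EAPoL; ValueError if malformed."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPoL header
        raise ValueError("frame too short for Ethernet + EAPoL headers")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != PAE_ETHERTYPE:
        raise ValueError(f"not EAPoL: EtherType 0x{ethertype:04X}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]  # slicing by length drops Ethernet padding
    if len(body) < length:
        raise ValueError("EAPoL body shorter than its length field")
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "length": length}
    if ptype == 0:  # EAP-Packet: decode the encapsulated EAP header
        if length < 4:
            raise ValueError("EAP packet shorter than its 4-byte header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if not 4 <= eap_len <= length:
            raise ValueError("EAP length field inconsistent with EAPoL length")
        info.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident)
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type byte
            info["eap_type"] = body[4]
            info["eap_data"] = body[5:eap_len]
    return info


# Constructed sample: EAP-Response/Identity "alice" from a made-up supplicant MAC
# to the PAE group address, padded with zeros to the 60-byte Ethernet minimum.
SAMPLE = (bytes.fromhex("0180c2000003" "020000000001" "888e" "01" "00" "000a"
                        "02" "01" "000a" "01") + b"alice").ljust(60, b"\x00")

if __name__ == "__main__":
    print(parse_eapol(SAMPLE))
```

Rejecting frames whose length fields disagree with the captured bytes keeps a monitoring tool from misreading Ethernet padding or truncated captures as EAP data.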
