266 CHAPTER 9: AAA AND RADIUS OPERATION
LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the
EAP frame, which is encapsulated in packets of other AAA upper layer protocols
(e.g. RADIUS). This provides a channel through the complicated network to the
Authentication Server. Such procedure is called EAP Relay.
There are two types of ports for the Authenticator. One is the Uncontrolled Port,
and the other is the Controlled Port. The Uncontrolled Port is always in a
bi-directional connection state. The user can access and share the network
resources any time through the ports. The Controlled Port will be in a connecting
state only after the user passes the authentication. Then the user is allowed to
access the network resources.
Figure 1 802.1x System Architecture
Tasks for configuring 802.1x System Architecture is described in the following
sections:
■ 802.1x Authentication Process
■ Implementing 802.1x on the Switch 8800
802.1x Authentication Process
802.1x configures EAP frame to carry the authentication information. The
Standard defines the following types of EAP frames:
■ EAP-Packet: Authentication information frame, used to carry the
authentication information.
■ EAPoL-Start: Authentication originating frame, actively originated by the
Supplicant.
■ EAPoL-Logoff: Logoff request frame, actively terminating the authenticated
state.
■ EAPoL-Key: Key information frame, supporting to encrypt the EAP packets.
■ EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of Alert
Standard Forum (ASF).
The EAPoL-Start, EAPoL-Logoff, and EAPoL-Key only exist between the Supplicant
and the Authenticator. The EAP-Packet information is re-encapsulated by the
Authenticator System and then transmitted to the Authentication Server System.
Requester
Requester
system
Services offered by
Authenticator
system
Authenticator PAE
Authenticator
server
Authenticator
server system
Authenticator system
Controlled
port
Unauthorized
port
EAPol
LAN
EAP protocol exchanges
carried in higher layer
protocol