Discovering Extensible Authentication Protocol
Port-based network access control uses the physical access characteristics of IEEE 802
LAN infrastructures. These infrastructures leverage the Extensible Authentication Protocol
(EAP) to carry arbitrary authentication information, not the authentication method itself.
EAP is an encapsulation protocol with no dependency on IP, and it can run over any link
layer, including IEEE 802 media. EAP transports authentication information in the form of
EAP payloads. EAP also establishes and manages the authentication connection, and it
allows for authentication by encapsulating various types of authentication exchanges.
EAP over LANs (EAPOL) is the protocol used in IEEE 802.1X. Figure 17-1 shows this framing
format.
276 Chapter 17: Identity-Based Networking Services with 802.1X
Figure 17-1 EAPOL Framing Format
EAP provides a means for authentication. The selection of an EAP method is potentially
the most difficult and important decision regarding the deployment of port-based access
control. Prevalent EAP types include the following:
• EAP-MD5. Uses Message Digest algorithm 5 (MD5)-based challenge response for
authentication
• EAP-MSCHAPv2. Uses username/password MSCHAPv2 challenge-response
authentication
• EAP-TLS. Uses X.509 v3 public-key infrastructure (PKI)-issued certificates and the
Transport Layer Security (TLS) mechanism for strong mutual authentication
• PEAP. Combines server-side certificates with some other authentication, such as
passwords, and tunnels other EAP types in an encrypted tunnel (TLS), much like web-based
SSL
• EAP-FAST. Designed to not require certificates; tunnels other EAP types in an
encrypted tunnel
EAP rose out of the need to reduce the complexity of relationships between systems and
the growing need for more elaborate and secure authentication methods. However, not
every client device supports every EAP authentication method available, and not every EAP
server supports every method. In fact, most network devices are conduits for relaying EAP
from a client to an EAP server.
EAPOL frame format (Figure 17-1):

  DST MAC | SRC MAC | Type | Data | FCS

  Data field (EAPOL packet):
    Protocol Version   1 byte
    Packet Type        1 byte
    Packet Length      2 bytes
    Packet Body        N bytes

  Packet Type          Packet Description
  EAP Packet (0)       Sent by both the supplicant and the authenticator. Used during
                       authentication; contains the MD5 or TLS information required to
                       complete the authentication process.
  EAPOL Start (1)      Sent by the supplicant when it starts the authentication process.
  EAPOL Logoff (2)     Sent by the supplicant when it wants to terminate the 802.1X session.
  EAPOL Key (3)        Sent by the switch to the supplicant; contains a key used during
                       TLS authentication.
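As an added illustration (not part of the book's text or any vendor's code), the following Python parser walks the EAPOL framing shown in Figure 17-1: the EtherType check, the 1-byte version, 1-byte packet type and 2-byte length, and, for an EAP-Packet, the EAP header carried in the body. It goes slightly beyond the figure by decoding the EAP Code and a few method Type numbers, which are taken from RFC 3748 and the IANA EAP registry rather than from this page; the sample frames, the source MAC and the identity "alice" are constructed test data, not captured traffic. The length checks show the two cases a parser on an authenticator must handle: frames padded to the Ethernet minimum (extra bytes after the declared body) and frames whose declared length exceeds what was received.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                        # EtherType for IEEE 802.1X (EAPOL)
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group destination address

# EAPOL packet types, as in the framing table above (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# EAP header Code values (RFC 3748; not listed on this page)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# A few EAP method Type numbers from the IANA EAP registry (not listed on this page)
EAP_METHOD_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
                    25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}


def parse_eap(body: bytes) -> dict:
    """Parse the EAP packet carried in the body of an EAPOL EAP-Packet (type 0)."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError(f"EAP length {length} inconsistent with {len(body)}-byte body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    # Only Request and Response carry a method Type byte and type-specific data
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response is missing the Type byte")
        mtype = body[4]
        eap["method"] = EAP_METHOD_TYPES.get(mtype, f"type-{mtype}")
        eap["type_data"] = body[5:length]
    return eap


def parse_eapol_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL (FCS already stripped), validating lengths."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    # Frames padded to the Ethernet minimum carry extra bytes after the body:
    # trust the declared length, but refuse frames shorter than it claims.
    if len(body) < body_len:
        raise ValueError(f"EAPOL body truncated: declared {body_len}, got {len(body)}")
    result = {
        "dst": dst.hex(":"), "src": src.hex(":"), "version": version,
        "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "body_length": body_len,
    }
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result


def build_eapol(ptype: int, body: bytes = b"", src: bytes = b"\x00\x11\x22\x33\x44\x55",
                dst: bytes = PAE_GROUP_MAC, version: int = 1) -> bytes:
    """Build an EAPOL frame for test data (constructed; no FCS appended)."""
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, ptype, len(body)) + body)


# Constructed sample frames (not captured traffic)
SAMPLE_START = build_eapol(1) + b"\x00" * 46   # EAPOL-Start, padded to the 64-byte minimum
SAMPLE_REQ_IDENTITY = build_eapol(0, struct.pack("!BBH", 1, 1, 5) + b"\x01")
SAMPLE_RESP_IDENTITY = build_eapol(0, struct.pack("!BBH", 2, 1, 10) + b"\x01" + b"alice")

if __name__ == "__main__":
    for name, frame in [("start", SAMPLE_START), ("request", SAMPLE_REQ_IDENTITY),
                        ("response", SAMPLE_RESP_IDENTITY)]:
        print(name, parse_eapol_frame(frame))
```

A detection pipeline that feeds on a SPAN or a switch's packet capture can use the same checks: an EAPOL-Start with a non-zero body, an EAP length that overruns the EAPOL length, or an EtherType 0x888E frame with an unknown packet type are all worth logging as malformed rather than silently skipped.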
Several factors drive the choice of an EAP method, such as the following:
• Support of EAP methods on clients and servers.
• Network security policy, such as mutual authentication.
• Backend directory infrastructure support. Not every identity store supports all EAP
types.
The choice of an EAP type ultimately drives the implementation of a port-based network
access control solution and everything else in an authentication infrastructure.