Packet exchange methods

802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information between the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP). These methods are not equivalent in strength: MD5-Challenge authenticates only the client, does not authenticate the server to the client, and derives no keying material, whereas EAP-TLS and PEAP authenticate the server with a certificate before any client credential is sent.

802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the access device over a wired or wireless LAN. Between the access device and the authentication server, 802.1X delivers authentication information by either EAP relay or EAP termination.

EAP relay

EAP relay is defined in IEEE 802.1X. In this mode, the access device does not interpret the EAP packets it receives from the client. It forwards them unchanged to the RADIUS server inside EAP over RADIUS (EAPOR) packets, that is, RADIUS packets that carry the EAP packet in EAP-Message attributes, as shown in Figure 28.

Figure 28: EAP relay

In EAP relay mode, the EAP method is negotiated end to end between the client and the RADIUS server, so the client must use an authentication method that the RADIUS server supports. On the access device, you only need to use the dot1x authentication-method eap command to enable EAP relay.
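The encapsulation step that the access device performs in EAP relay mode, as an added illustration that is not vendor code: the EAP packet is lifted out of the EAPOL frame, copied unchanged into one or more RADIUS EAP-Message attributes (each attribute value is limited to 253 bytes, so longer EAP packets are fragmented and the server concatenates them in order), and the Access-Request is integrity-protected with a Message-Authenticator, the HMAC-MD5 over the packet keyed with the RADIUS shared secret, which is why the server must support that attribute. The identity, shared secret and Request Authenticator are constructed test values; wire formats follow IEEE 802.1X (EAPOL), RFC 3748 (EAP), RFC 2865 (RADIUS) and RFC 3579 (EAP over RADIUS).

```python
"""EAP relay (EAPOR): wrap the supplicant's EAP packet, unchanged, in a RADIUS
Access-Request. Added illustration, not vendor code. Identity, shared secret
and Request Authenticator below are constructed values."""
import hashlib
import hmac
import struct

EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253        # attribute length is one byte: 255 minus 2 header bytes
RADIUS_HEADER_LEN = 20      # code, id, length, 16-byte authenticator


def eap_identity_response(ident, identity):
    """Supplicant side: EAP-Response/Identity (Code 2, Type 1)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_CODE_RESPONSE, ident, 4 + len(body)) + body


def eapol_frame(eap):
    """Supplicant side: EAPOL header (version 2, type EAP-Packet) in front of the EAP packet."""
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def eapol_payload(frame):
    """Access device: strip the EAPOL header; the EAP packet inside is not interpreted."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET or len(frame) < 4 + length:
        raise ValueError("not a complete EAPOL EAP-Packet frame")
    return frame[4:4 + length]


def _attr(atype, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def relay_to_radius(eap, user_name, secret, radius_id, request_authenticator):
    """Access device: Access-Request carrying the EAP packet in EAP-Message attributes
    (fragmented at 253 bytes) plus Message-Authenticator = HMAC-MD5(secret, packet with
    the Message-Authenticator value zeroed), as RFC 3579 requires for EAP-Message."""
    attrs = _attr(ATTR_USER_NAME, user_name)
    for off in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[off:off + MAX_ATTR_VALUE])
    ma_value_off = RADIUS_HEADER_LEN + len(attrs) + 2   # where the 16 MAC bytes will sit
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = RADIUS_HEADER_LEN + len(attrs)
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, length) + request_authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_value_off] + mac + pkt[ma_value_off + 16:]


def parse_attrs(pkt):
    """Return (type, value_offset, value) for each attribute; reject truncated TLVs."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet")
    attrs, off = [], RADIUS_HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, off + 2, pkt[off + 2:off + alen]))
        off += alen
    return attrs


def message_authenticator_ok(pkt, secret):
    """RADIUS server: exactly one Message-Authenticator, and it must verify."""
    try:
        mas = [(off, val) for atype, off, val in parse_attrs(pkt) if atype == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False
    off, received = mas[0]
    expected = hmac.new(secret, pkt[:off] + bytes(16) + pkt[off + 16:], hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def extract_eap(pkt):
    """RADIUS server: reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(val for atype, _, val in parse_attrs(pkt) if atype == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"radius-shared-secret"      # constructed
    req_auth = bytes(range(16))           # a real NAS uses 16 random bytes per request
    eap = eap_identity_response(1, b"alice@example.com")
    pkt = relay_to_radius(eapol_payload(eapol_frame(eap)), b"alice@example.com", secret, 7, req_auth)
    print("Message-Authenticator ok:", message_authenticator_ok(pkt, secret))
    print("EAP relayed unchanged:", extract_eap(pkt) == eap)
```

The server-side check is the part worth copying: a RADIUS server that accepts EAP-Message without a valid Message-Authenticator lets anyone on the path between access device and server forge or modify EAP packets, which is exactly what the attribute exists to prevent.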

EAP termination

As shown in Figure 29, the access device performs the following operations in EAP termination mode:

  1. Terminates the EAP packets received from the client. The access device itself acts as the EAP authenticator: it generates the MD5 challenge, sends it to the client, and receives the client's response.

  2. Encapsulates the client authentication information in standard RADIUS packets, that is, in the CHAP-Challenge and CHAP-Password attributes (for MD5-Challenge) or the User-Password attribute (for a username and password supplied by the client).

  3. Uses PAP or CHAP to authenticate to the RADIUS server.

Because the access device must be able to see or compute the credential it forwards, EAP termination works only for methods whose secret is visible to it, which is why it cannot carry EAP-TLS or PEAP. With PAP, the cleartext password reaches the access device and is hidden on the RADIUS leg only by the User-Password obfuscation keyed with the shared secret, so that leg should not cross an untrusted network without additional protection such as IPsec or RADIUS over TLS.
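The three operations above, as an added worked example that is not vendor code: the access device issues an EAP-Request/MD5-Challenge, the client answers with MD5(Identifier || password || challenge), and the access device re-expresses that answer as RADIUS CHAP-Password and CHAP-Challenge attributes. This translation is possible only because EAP MD5-Challenge and CHAP compute the same hash over the same inputs, which is the reason the limitations table below lists MD5-Challenge as the only supported EAP method. The PAP path used for a client-supplied username and password is shown too, with the RFC 2865 User-Password hiding and its inverse, so the reader can see that the RADIUS server (or anyone holding the shared secret) recovers the cleartext. Credentials, challenge, shared secret and Request Authenticator are constructed test values; formats follow RFC 3748 section 5.4, RFC 1994 and RFC 2865.

```python
"""EAP termination: the access device runs EAP MD5-Challenge against the client
itself and forwards the result to RADIUS as CHAP, or a client-supplied password as
PAP. Added illustration, not vendor code; all credentials and secrets are constructed."""
import hashlib
import hmac
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 2, 3, 60


def _eap(code, ident, etype, type_data):
    return struct.pack("!BBH", code, ident, 5 + len(type_data)) + bytes([etype]) + type_data


def md5_challenge_request(ident, challenge):
    """Access device (now the EAP authenticator): EAP-Request/MD5-Challenge.
    Type-Data = Value-Size, Value (the challenge)."""
    return _eap(EAP_CODE_REQUEST, ident, EAP_TYPE_MD5_CHALLENGE, bytes([len(challenge)]) + challenge)


def client_md5_response(request, password, name):
    """802.1X client: Value = MD5(Identifier || password || challenge), exactly as PPP CHAP."""
    code, ident, _length = struct.unpack("!BBH", request[:4])
    if code != EAP_CODE_REQUEST or request[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge request")
    size = request[5]
    challenge = request[6:6 + size]
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return _eap(EAP_CODE_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + digest + name)


def terminate_to_chap(response, challenge):
    """Access device: parse EAP-Response/MD5-Challenge and re-express it as RADIUS
    CHAP attributes (CHAP-Password = CHAP Ident + 16-byte response)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != EAP_CODE_RESPONSE or response[4] != EAP_TYPE_MD5_CHALLENGE or response[5] != 16:
        raise ValueError("not an MD5-Challenge response")
    digest, name = response[6:22], response[22:length]
    return [
        (ATTR_USER_NAME, name),
        (ATTR_CHAP_PASSWORD, bytes([ident]) + digest),
        (ATTR_CHAP_CHALLENGE, challenge),
    ]


def radius_chap_verify(attrs, password_db):
    """RADIUS server: needs the user's cleartext password to recompute the CHAP hash."""
    a = dict(attrs)
    chap_ident, digest = a[ATTR_CHAP_PASSWORD][0], a[ATTR_CHAP_PASSWORD][1:]
    password = password_db.get(a[ATTR_USER_NAME])
    if password is None:
        return False
    expected = hashlib.md5(bytes([chap_ident]) + password + a[ATTR_CHAP_CHALLENGE]).digest()
    return hmac.compare_digest(expected, digest)


def hide_user_password(password, secret, request_authenticator):
    """PAP path (RFC 2865 5.2): the access device holds the cleartext password and hides
    it by XOR with an MD5 keystream derived from the shared secret and Request Authenticator."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_user_password(hidden, secret, request_authenticator):
    """RADIUS server: same keystream, so anyone holding the shared secret recovers the password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    challenge = bytes(range(16))                    # a real NAS uses random bytes
    req = md5_challenge_request(9, challenge)
    resp = client_md5_response(req, b"s3cret!", b"alice")
    attrs = terminate_to_chap(resp, challenge)
    print("CHAP verified at RADIUS:", radius_chap_verify(attrs, {b"alice": b"s3cret!"}))
    hidden = hide_user_password(b"s3cret!", b"radius-shared-secret", bytes(range(16, 32)))
    print("PAP password recovered:", unhide_user_password(hidden, b"radius-shared-secret", bytes(range(16, 32))))
```

Two consequences follow from the code: the RADIUS server must store (or be able to reconstruct) the cleartext password for CHAP to work at all, and in the PAP case the password is only XOR-masked on the RADIUS leg, so the shared secret and the path to the server carry the whole security of the exchange.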

Figure 29: EAP termination

Comparing EAP relay and EAP termination

Packet exchange method: EAP relay

  Benefits:

    • Supports various EAP authentication methods.

    • The configuration and processing are simple on the access device.

  Limitations:

    • The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.

Packet exchange method: EAP termination

  Benefits:

    • Works with any RADIUS server that supports PAP or CHAP authentication.

  Limitations:

    • Supports only the following EAP authentication methods:

      • MD5-Challenge EAP authentication.

      • The username and password EAP authentication initiated by an iNode 802.1X client.

    • The processing is complex on the access device.