Packet exchange methods
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information between the client, the access device, and the authentication server. EAP is an authentication framework built on the client/server model: it does not authenticate anything by itself, but carries one of a variety of EAP methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the access device over a wired or wireless LAN. Between the access device and the authentication server, 802.1X delivers authentication information by either EAP relay or EAP termination.
EAP relay
EAP relay is defined in IEEE 802.1X. In this mode, the access device encapsulates the EAP packets received from the client in EAP over RADIUS (EAPOR) packets and forwards them to the RADIUS server without interpreting their contents, as shown in Figure 28.
Figure 28: EAP relay
In EAP relay mode, the EAP method is negotiated end to end between the client and the RADIUS server, so the client must use an authentication method that the RADIUS server supports. The access device takes no part in the method; on the access device you only need to use the dot1x authentication-method eap command to enable EAP relay.
EAP termination
As shown in Figure 29, the access device performs the following operations in EAP termination mode:
Terminates the EAP exchange received from the client, completing the EAP method locally.
Encapsulates the client's credentials (username and password material) in standard RADIUS attributes.
Uses PAP or CHAP to authenticate the client to the RADIUS server.
Because the EAP conversation ends on the access device, only methods the access device can complete itself are available. With MD5-Challenge, the access device generates the challenge and forwards the client's MD5 digest to the server as a CHAP response; with PAP, it sends the password in the RADIUS User-Password attribute, which is only obfuscated with the shared secret, not encrypted.
Figure 29: EAP termination
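The two exchanges above differ only in what the access device puts on the RADIUS leg. The following added example (not from the original page, and not vendor code) builds the messages on each leg: the EAPOL frame from the client, the EAP relay Access-Request with EAP-Message and Message-Authenticator attributes (RFC 3579), and the EAP termination Access-Request that rewrites an EAP MD5-Challenge response as RADIUS CHAP (RFC 2865) or hides a password as RADIUS PAP. The shared secret, password, identity, challenge and Request Authenticator values are constructed sample data; no real server is contacted.

```python
"""Added example, not from the original page: the messages on each leg of an
802.1X exchange, for EAP relay (EAP carried inside RADIUS) and EAP termination
(EAP MD5-Challenge rewritten as RADIUS CHAP, or a password as RADIUS PAP).
Secret, password, identity, challenge and authenticators are constructed."""
import hashlib
import hmac
import struct

SECRET = b"radius-secret"        # constructed NAS <-> RADIUS shared secret
PASSWORD = b"user-passw0rd"      # constructed supplicant password
IDENTITY = b"alice"              # constructed supplicant identity
EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4
ACCESS_REQUEST = 1

def eap_packet(code, ident, eap_type, type_data):
    """EAP header (RFC 3748): Code, Identifier, Length, then Type and Type-Data."""
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol_frame(eap):
    """EAPOL (802.1X): Version 2, Type 0 (EAP-Packet), Length, EAP body."""
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

def parse_eapol(frame):
    """Return the EAP packet carried in an EAPOL EAP-Packet frame."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 0:
        raise ValueError("not an EAPOL EAP-Packet")
    return frame[4:4 + length]

def radius_attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value

def radius_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(pkt):
    """Map RADIUS attribute type -> list of values."""
    out, i = {}, 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        out.setdefault(t, []).append(pkt[i + 2:i + l])
        i += l
    return out

# --- client side: EAP MD5-Challenge is CHAP with MD5 (RFC 3748 section 5.4) ---
def md5_challenge_response(ident, challenge, password=PASSWORD):
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest + IDENTITY)

# --- access device, EAP relay: forward the EAP packet untouched (RFC 3579) ---
def eap_relay_request(frame, username, radius_id, req_auth, secret=SECRET):
    eap = parse_eapol(frame)
    attrs = [radius_attr(1, username)]
    for i in range(0, len(eap), 253):           # EAP-Message (79), <= 253 bytes each
        attrs.append(radius_attr(79, eap[i:i + 253]))
    attrs.append(radius_attr(80, bytes(16)))    # Message-Authenticator (80), zeroed
    pkt = radius_packet(ACCESS_REQUEST, radius_id, req_auth, attrs)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                      # HMAC-MD5 over the whole request

def verify_message_authenticator(pkt, secret=SECRET):
    """Server-side check; a server without Message-Authenticator support cannot do this."""
    mac = parse_attrs(pkt)[80][0]
    idx = pkt.rfind(bytes([80, 18]) + mac)
    zeroed = pkt[:idx + 2] + bytes(16) + pkt[idx + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)

# --- access device, EAP termination with CHAP: re-encapsulate the digest ---
def eap_termination_chap(frame, challenge, username, radius_id, req_auth):
    eap = parse_eapol(frame)
    code, eap_id, _length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or eap[4] != EAP_TYPE_MD5:
        raise ValueError("only an MD5-Challenge response can be rewritten as CHAP")
    digest = eap[6:6 + eap[5]]
    attrs = [radius_attr(1, username),
             radius_attr(60, challenge),                    # CHAP-Challenge
             radius_attr(3, bytes([eap_id]) + digest)]      # CHAP-Password: ident + digest
    return radius_packet(ACCESS_REQUEST, radius_id, req_auth, attrs)

def server_checks_chap(pkt, password=PASSWORD):
    """RADIUS server side: recompute MD5(ident || password || challenge)."""
    a = parse_attrs(pkt)
    chap_pw, challenge = a[3][0], a[60][0]
    expected = hashlib.md5(chap_pw[:1] + password + challenge).digest()
    return hmac.compare_digest(expected, chap_pw[1:])

# --- access device, EAP termination with PAP: RFC 2865 User-Password hiding ---
def pap_user_password(password, req_auth, secret=SECRET):
    padded = password + bytes((-len(password)) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def pap_reveal(hidden, req_auth, secret=SECRET):
    """Server side: invert the XOR chain, which is why PAP is obfuscation, not encryption."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

if __name__ == "__main__":
    challenge, req_auth = bytes(range(16)), bytes(range(16, 32))   # constructed values
    frame = eapol_frame(md5_challenge_response(7, challenge))
    relay = eap_relay_request(frame, IDENTITY, 1, req_auth)
    term = eap_termination_chap(frame, challenge, IDENTITY, 2, req_auth)
    print(verify_message_authenticator(relay), server_checks_chap(term))
```

The relay path never looks inside the EAP packet, which is why any method the client and server share works there, but it also means the server must understand EAP-Message and verify Message-Authenticator. The termination path only works because MD5-Challenge computes exactly the CHAP digest; the access device cannot do the same for a TLS-based method, whose handshake has to end on the server that holds the certificate.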
Comparing EAP relay and EAP termination
Packet exchange method | Benefits | Limitations |
---|---|---|
EAP relay | The access device forwards EAP packets without interpreting them, so the client and the RADIUS server can use any EAP method they both support, including certificate-based methods such as EAP-TLS and PEAP. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client. |
EAP termination | Works with any RADIUS server that supports PAP or CHAP authentication. | The access device must complete the EAP method itself, so only password-based methods whose credentials it can re-encapsulate as PAP or CHAP (such as MD5-Challenge) are available; TLS-based methods such as EAP-TLS and PEAP cannot be terminated on the access device. |