Packet formats
EAP packet format
Figure 30 shows the EAP packet format.
Figure 30: EAP packet format
Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
Identifier—Used for matching Responses with Requests.
Length—Length (in bytes) of the EAP packet. The EAP packet length is the sum of the lengths of the Code, Identifier, Length, and Data fields.
Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples of values for the type field.
EAPOL packet format
Figure 31 shows the EAPOL packet format.
Figure 31: EAPOL packet format
PAE Ethernet type—Protocol type. It takes the value 0x888E for EAPOL.
Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by the Hewlett Packard Enterprise implementation of 802.1X.
Table 5: Types of EAPOL packets
Value | Type         | Description
0x00  | EAP-Packet   | The client and the access device use EAP-Packets to transport authentication information.
0x01  | EAPOL-Start  | The client sends an EAPOL-Start message to initiate 802.1X authentication to the access device.
0x02  | EAPOL-Logoff | The client sends an EAPOL-Logoff message to tell the access device that the client is logging off.
Length—Data length in bytes, that is, the length of the Packet body. If the packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
EAP over RADIUS
RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see "Configuring AAA."
EAP-Message.
RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 32. The Type field takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS encapsulates it in multiple EAP-Message attributes.
Figure 32: EAP-Message attribute format
Message-Authenticator.
As shown in Figure 33, RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP authentication packets from being tampered with during EAP authentication.
Figure 33: Message-Authenticator attribute format
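The receiver-side check described above, as an added Python example (not code from this guide or from any Hewlett Packard Enterprise product): it verifies the Message-Authenticator of a RADIUS Access-Request and reassembles the EAP packet from its EAP-Message attributes. The guide does not name the checksum algorithm; the code assumes the RFC 3579 definition (attribute type 80, HMAC-MD5 keyed with the RADIUS shared secret, computed with the attribute value zeroed), and the function names, sample identity, and shared secret are constructed for illustration.

```python
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RADIUS attribute types

def build_access_request(eap, secret, ident=1, req_auth=bytes(16)):
    """Constructed sample: Access-Request (code 1) carrying one EAP packet."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed for HMAC
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, "md5").digest()

def verify_and_reassemble(pkt, secret):
    """Verify Message-Authenticator, then return the reassembled EAP packet."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS Length field")
    pkt, eap, mac_off, pos = pkt[:length], b"", None, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]        # concatenate fragments in order
        elif atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or mac_off is not None:
                raise ValueError("bad Message-Authenticator attribute")
            mac_off = pos + 2
        pos += alen
    if mac_off is None:
        raise ValueError("missing Message-Authenticator")
    zeroed = pkt[:mac_off] + bytes(16) + pkt[mac_off + 16:]
    expected = hmac.new(secret, zeroed, "md5").digest()
    if not hmac.compare_digest(expected, pkt[mac_off:mac_off + 16]):
        raise ValueError("Message-Authenticator mismatch, drop the packet")
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP Length field disagrees with reassembled data")
    return eap

# Constructed input: EAP Response (Code 2), Type 1 (Identity), 300-byte identity
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 305, 1) + b"u" * 300
SAMPLE_SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    pkt = build_access_request(SAMPLE_EAP, SAMPLE_SECRET)
    print(len(pkt), verify_and_reassemble(pkt, SAMPLE_SECRET) == SAMPLE_EAP)
```

The 305-byte sample EAP packet exceeds the 253-byte Value limit, so it is carried in two EAP-Message attributes. For reply packets, RFC 3579 computes the HMAC with the Request Authenticator of the matching Access-Request in the Authenticator field, which this example does not cover.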