IEEE 802.1X provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as "EAP over LAN" or EAPOL. EAPOL was originally designed for IEEE 802.3 Ethernet in 802.1X-2001, but was clarified to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless and Fiber Distributed Data Interface (ISO 9314-2) in 802.1X-2004. The EAPOL protocol was also modified for use with IEEE 802.1AE (MACsec) and IEEE 802.1AR (Secure Device Identity, DevID) in 802.1X-2010 to support service identification and optional point-to-point encryption over the internal LAN segment.

Overview

[Figure: EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter.]

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term "supplicant" is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point, and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may be running on the authenticator hardware.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., the client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

Protocol operation

EAPOL runs directly above the data link layer; in Ethernet II framing it is identified by the EtherType value 0x888E.

Port entities

802.1X-2001 defines two logical port entities for an authenticated port: the "controlled port" and the "uncontrolled port". The controlled port is manipulated by the 802.1X PAE (Port Access Entity) to allow (in the authorized state) or prevent (in the unauthorized state) network traffic ingressing and egressing to/from the controlled port. The uncontrolled port is used by the 802.1X PAE to transmit and receive EAPOL frames.

802.1X-2004 defines the equivalent port entities for the supplicant, so a supplicant implementing 802.1X-2004 may prevent higher-level protocols from being used if it is not satisfied that authentication has successfully completed. This is particularly useful when an EAP method providing mutual authentication is used, as the supplicant can prevent data leakage when connected to an unauthorized network.

Typical authentication progression

[Figure: Sequence diagram of the 802.1X progression]

The typical authentication procedure consists of the following steps.

Initialization: On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with it TCP and UDP), is dropped.
Initiation: To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address (01:80:C2:00:00:03) on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.

Negotiation (technically EAP negotiation): The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (the type of EAP-based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can start using the requested EAP Method, or do a NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.

Authentication: If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet), or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed; if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator; the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
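The EtherType and EAPOL/EAP header layout described under Protocol operation above, as an added example that is not part of the original article: a small Python builder and parser for EAPOL frames. The MAC addresses and every frame in the exchange are constructed in the code; the EAP type names are the RFC 3748 and IANA assignments. The check that the EAPOL and EAP Length fields agree with the bytes actually present is the one a practitioner wants before handing a frame to an EAP method implementation.

```python
"""Build and parse IEEE 802.1X EAPOL frames and the EAP packets inside them.

Added example (not from the article): every frame below is constructed in
code, and the MAC addresses are made up.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 01:80:C2:00:00:03
EAPOL_VERSION = 2                                   # 802.1X-2004 protocol version

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def parse_eap(body: bytes) -> dict:
    """Parse an EAP packet (RFC 3748): Code, Identifier, Length, then Type/Data
    for Requests and Responses.  Length is checked against the bytes present so
    a lying header cannot make us read past the frame."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError(f"EAP Length {length} inconsistent with {len(body)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):                      # only Request/Response carry a Type octet
        if length < 5:
            raise ValueError("EAP Request/Response without a Type octet")
        pkt["type"] = EAP_TYPES.get(body[4], body[4])
        pkt["data"] = body[5:length]
    return pkt


def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying EAPOL (EtherType 0x888E)."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:]
    if length > len(body):
        raise ValueError(f"EAPOL Length {length} exceeds the {len(body)} body bytes present")
    result = {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "to_pae_group": dst == PAE_GROUP_ADDRESS,   # sent to the 802.1X PAE group address?
        "version": version,
        "type": EAPOL_TYPES.get(eapol_type, eapol_type),
    }
    if eapol_type == 0:                             # EAPOL-Start/Logoff carry an empty body
        result["eap"] = parse_eap(body[:length])
    return result


def build_eap(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(src: bytes, eapol_type: int, body: bytes = b"", dst: bytes = PAE_GROUP_ADDRESS) -> bytes:
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, eapol_type, len(body)) + body


SUPPLICANT_MAC = bytes.fromhex("020000000001")      # constructed, locally administered
AUTHENTICATOR_MAC = bytes.fromhex("020000000002")

# Constructed exchange: Start, Request/Identity, Response/Identity, a proposed
# method the supplicant refuses with a Nak, Success, and finally Logoff.
SAMPLE_FRAMES = [
    build_eapol(SUPPLICANT_MAC, 1),
    build_eapol(AUTHENTICATOR_MAC, 0, build_eap(1, 1, 1)),
    build_eapol(SUPPLICANT_MAC, 0, build_eap(2, 1, 1, b"alice@example.org")),
    build_eapol(AUTHENTICATOR_MAC, 0, build_eap(1, 2, 4, b"\x10" + b"\x00" * 16)),
    build_eapol(SUPPLICANT_MAC, 0, build_eap(2, 2, 3, b"\x0d")),   # Nak: wants EAP-TLS (13)
    build_eapol(AUTHENTICATOR_MAC, 0, build_eap(3, 3)),
    build_eapol(SUPPLICANT_MAC, 2),
]

# The Request/Identity frame with an EAPOL Length field that claims 200 body bytes.
MALFORMED_FRAME = SAMPLE_FRAMES[1][:16] + struct.pack("!H", 200) + SAMPLE_FRAMES[1][18:]


def summarize(frames) -> list:
    """One short label per frame, e.g. 'Response/Identity id=1'."""
    labels = []
    for frame in frames:
        parsed = parse_eapol(frame)
        if "eap" in parsed:
            eap = parsed["eap"]
            name = eap["code"] + (f"/{eap['type']}" if "type" in eap else "")
            labels.append(f"{name} id={eap['id']}")
        else:
            labels.append(parsed["type"])
    return labels


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for line in summarize(SAMPLE_FRAMES):
        print(line)
    print("malformed frame accepted:", is_well_formed(MALFORMED_FRAME))
```

The Nak frame carries the method the supplicant is willing to perform (here EAP-TLS, type 13) as its data, which is how the negotiation step above is expressed on the wire; a frame addressed to anything other than the PAE group address or the port's own address is worth flagging in a capture, since a supplicant should only ever see EAPOL from its directly attached authenticator.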
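The progression above, end to end, as an added Python example that is not code from the article or from any supplicant, switch or RADIUS product: three in-memory parties exchange dicts standing in for EAPOL frames and RADIUS packets. The user database, the passwords and the server's choice to propose EAP-TLS and accept a Nak down to EAP-MD5 are assumptions made for the demonstration; the only real cryptography is the EAP-MD5 response from RFC 3748 section 5.4. It shows the controlled port dropping non-EAPOL traffic until Access-Accept, the Nak step of the negotiation, the RADIUS State attribute tying the conversation together, and the port returning to unauthorized on Access-Reject or EAPOL-Logoff.

```python
"""Walk the 802.1X progression end to end with three in-memory parties.
Added example, not from the article or any product: frames and RADIUS packets
are dicts, the user database is constructed, and the only real cryptography is
the EAP-MD5 response MD5(Identifier || password || challenge), RFC 3748 s.5.4."""
import hashlib
import os

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"
EAP_TLS, EAP_MD5 = 13, 4                               # EAP method type numbers
TYPE_NAMES = {EAP_TLS: "EAP-TLS", EAP_MD5: "MD5-Challenge"}

def md5_response(ident, password, challenge):
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

class RadiusServer:
    """Authentication server: proposes EAP-TLS, accepts a Nak down to EAP-MD5."""
    def __init__(self, users):
        self.users = users                             # constructed: identity -> password
        self.sessions = {}                             # RADIUS State attribute -> session

    def handle(self, req):
        eap, state = req["EAP-Message"], req.get("State")
        if eap["type"] == "Identity":                  # new conversation: allocate State
            state = os.urandom(8).hex()
            self.sessions[state] = {"identity": eap["data"], "eap_id": eap["id"] + 1}
            return self._challenge(state, EAP_TLS)
        sess = self.sessions.get(state)
        if sess is None or eap["id"] != sess["eap_id"]:
            return self._reject(eap)                   # unknown session or stale Identifier
        if eap["type"] == "Nak" and eap["data"] == EAP_MD5:
            sess["eap_id"], sess["challenge"] = sess["eap_id"] + 1, os.urandom(16)
            return self._challenge(state, EAP_MD5, sess["challenge"])
        if eap["type"] == EAP_MD5 and "challenge" in sess:
            password = self.users.get(sess["identity"])
            del self.sessions[state]                   # one attempt per challenge
            if password and eap["data"] == md5_response(eap["id"], password, sess["challenge"]):
                return {"code": "Access-Accept", "EAP-Message": {"code": "Success", "id": eap["id"]}}
        return self._reject(eap)

    def _challenge(self, state, eap_type, data=b""):
        eap = {"code": "Request", "id": self.sessions[state]["eap_id"], "type": eap_type, "data": data}
        return {"code": "Access-Challenge", "State": state, "EAP-Message": eap}

    def _reject(self, eap):
        return {"code": "Access-Reject", "EAP-Message": {"code": "Failure", "id": eap["id"]}}

class Supplicant:
    """Client with a password but no certificate: answers an EAP-TLS request with a Nak."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, eap):
        if eap["type"] == "Identity":
            data, eap_type = self.identity, "Identity"
        elif eap["type"] == EAP_TLS:
            data, eap_type = EAP_MD5, "Nak"              # Nak carries the method it will do
        elif eap["type"] == EAP_MD5:
            data, eap_type = md5_response(eap["id"], self.password, eap["data"]), EAP_MD5
        else:
            raise ValueError(f"unsupported EAP type {eap['type']}")
        return {"code": "Response", "id": eap["id"], "type": eap_type, "data": data}

class Authenticator:
    """Switch port: relays EAP via RADIUS and owns the controlled-port state."""
    def __init__(self, server):
        self.server, self.port, self.state = server, UNAUTHORIZED, None

    def admits(self, frame):
        """Controlled-port decision: EAPOL rides the uncontrolled port, all else needs authorized."""
        return frame["proto"] == "EAPOL" or self.port == AUTHORIZED

    def on_eapol(self, frame):
        """Handle EAPOL-Start/Logoff/EAP from the supplicant; return the EAP to send back, if any."""
        if frame["type"] == "Start":
            self.port, self.state = UNAUTHORIZED, None
            return {"code": "Request", "id": 1, "type": "Identity"}
        if frame["type"] == "Logoff":
            self.port = UNAUTHORIZED
            return None
        req = {"code": "Access-Request", "EAP-Message": frame["eap"]}
        if self.state:
            req["State"] = self.state                  # echo State so the server finds its session
        reply = self.server.handle(req)
        self.state = reply.get("State")
        if reply["code"] != "Access-Challenge":        # Accept/Reject decides the port state
            self.port = AUTHORIZED if reply["code"] == "Access-Accept" else UNAUTHORIZED
        return reply["EAP-Message"]

def label(eap):
    kind = TYPE_NAMES.get(eap.get("type"), eap.get("type"))
    return f"{eap['code']}/{kind}" if eap["code"] in ("Request", "Response") else eap["code"]

def run_session(supplicant, authenticator, max_rounds=10):
    """Drive one exchange from EAPOL-Start; return (final port state, trace of EAP packets)."""
    trace, eap = [], authenticator.on_eapol({"proto": "EAPOL", "type": "Start"})
    for _ in range(max_rounds):
        trace.append(label(eap))
        if eap["code"] in ("Success", "Failure"):
            break
        response = supplicant.respond(eap)
        trace.append(label(response))
        eap = authenticator.on_eapol({"proto": "EAPOL", "type": "EAP", "eap": response})
    return authenticator.port, trace
```

EAP-MD5 is used here only because it fits in a few lines: it provides no mutual authentication and derives no keys, which is precisely the situation the Port entities section warns about, so the supplicant in this example has no way to tell a rogue authenticator from a real one. A deployment would keep EAP-TLS or a tunnelled method and have the supplicant refuse to pass higher-layer traffic until the server side has been authenticated as well.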
Implementations

Supplicants

Windows XP, Windows Vista and Windows 7 support 802.1X for all network connections by default. Windows 2000 has support in the latest service pack (SP4) for wired connections. Windows Mobile 2003 and later operating systems also come with a native 802.1X client.

An open source project known as Open1X produces a client, Xsupplicant. This client is currently available for both Linux and Windows. The main drawbacks of the Open1X client are that it does not provide comprehensible and extensive user documentation and the fact that most Linux vendors do not provide a package for it. The more general wpa_supplicant can be used for 802.11 wireless networks and wired networks. Both support a very wide range of EAP types.

The iPhone and iPod Touch support 802.1X as of the release of iOS 2.0. Android has support for 802.1X since the release of 1.6 Donut. Chrome OS has supported 802.1X since mid-2011. Mac OS X has offered native support since 10.3.

Avenda Systems provides a supplicant for Windows, Linux and Mac OS X. They also have a plugin for the Microsoft NAP framework. Avenda also offers health checking agents.

Windows

Windows defaults to not responding to 802.1X authentication requests for 20 minutes after a failed authentication. This can cause significant disruption to clients. The block period can be configured using the BlockTime value in the registry. A hotfix is required for Windows XP SP3 and Windows Vista SP2 to make the period configurable.

Wildcard server certificates are not supported by EAPHost, the Windows component that provides EAP support in the operating system. The implication of this is that when using a commercial certification authority, individual certificates must be purchased.

Windows XP

Windows XP has major issues with its handling of IP address changes that result from user-based 802.1X authentication that changes the VLAN, and thus the subnet, of clients. Microsoft has stated that it will not back-port the SSO feature from Vista that resolves these issues.