Reference Guide
98 | 802.1X
www.dell.com | support.dell.com
802.1X employs Extensible Authentication Protocol (EAP)* to transfer a device’s credentials to an
authentication server (typically RADIUS) via a mandatory intermediary network access device, in this
case, a Dell Networking switch. The network access device mediates all communication between the
end-user device and the authentication server so that the network remains secure. The network access
device uses EAP over Ethernet (EAPOL) to communicate with the end-user device and EAP over
RADIUS to communicate with the server.
The illustration above and the illustration below show how EAP frames are encapsulated in Ethernet and
RADIUS frames.
Figure 6-1. EAPOL Frame Format
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to
communicate on the network until the port is authorized by the authenticator. It can only communicate
with the authenticator in response to 802.1X requests.
*
Note: FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and
MS-CHAPv2 with PEAP.
Preamble
Start Frame
Delimiter
Destination MAC
(1:80:c2:00:00:03)
Source MAC
(Auth Port MAC)
Ethernet Type
(0x888e)
Protocol Version
(1)
Packet Type
EAPOL Frame
Length
Code
(0-4)
ID
(Seq Number)
EAP-Method Frame
Length
EAP-Method
Code
(0-255)
Length
EAP-Method Data
(Supplicant Requested Credentials)
Range: 0-4
Type: 0: EAP Packet
1: EAPOL Start
2: EAPOL Logoff
3: EAPOL Key
4: EAPOL Encapsulated-ASF-Alert
Range: 0-4
Type: 0: EAP Packet
1: EAPOL Start
2: EAPOL Logoff
3: EAPOL Key
4: EAPOL Encapsulated-ASF-Alert
EAP Frame
Padding
FCS
Range: 1-4
Codes: 1: Request
2: Response
3: Success
4: Failure
Range: 1-255
Codes: 1: Identity
2: Notification
3: NAK
4: MD-5 Challenge
5: One-Time Challenge
6: Generic Token Card