Operation Manual – 802.1x and System Guard
H3C S3100-52P Ethernet switch
Chapter 1 802.1x Configuration
1-4
Figure 1-2
The mechanism of an 802.1x authentication system
z
EAP protocol packets transmitted between the supplicant system PAE and the
authenticator system PAE are encapsulated as EAPoL packets.
z
EAP protocol packets transmitted between the authenticator system PAE and the
RADIUS server can either be encapsulated as EAP over RADIUS (EAPoR)
packets or be terminated at system PAEs. The system PAEs then communicate
with RADIUS servers through Password Authentication Protocol (PAP) or
Challenge-Handshake Authentication Protocol (CHAP) packets.
z
When a supplicant system passes the authentication, the authentication server
passes the information about the supplicant system to the authenticator system.
The authenticator system in turn determines the state (authorized or unauthorized)
of the controlled port according to the instructions (accept or reject) received from
the RADIUS server.
1.1.3 Encapsulation of EAPoL Messages
I. The format of an EAPoL packet
EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol
packets to be transmitted between supplicant systems and authenticator systems
through LANs, EAP protocol packets are encapsulated in EAPoL format. The following
figure illustrates the structure of an EAPoL packet.
Figure 1-3
The format of an EAPoL packet
In an EAPoL packet:
z
The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x
is 0x888E.
z
The Protocol version field holds the version of the protocol supported by the
sender of the EAPoL packet.
z
The Type field can be one of the following: