Chapter 76 Port Authentication
XGS2220 Series User’s Guide
529
EAP-TTLS is an extension of EAP-TLS that uses a certificate for server-side authentication only, in order
to establish a secure connection. Client authentication is then done by sending the user name and
password through that secure connection, so the client identity is protected. For client authentication,
EAP-TTLS supports EAP methods as well as legacy authentication methods such as PAP, CHAP, MS-CHAP and
MS-CHAP v2.
• PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection and then
authenticates the client with simple user name and password methods through that secured connection,
thus hiding the client identity. However, PEAP supports only EAP methods, such as EAP-MD5, EAP-MSCHAPv2
and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by
Cisco.
• LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
76.6.4 EAPOL (EAP over LAN)
EAPOL is the port authentication protocol used in IEEE 802.1x. It encapsulates EAP packets in Ethernet
frames so that they can be sent over the LAN. EAPOL exchanges the following messages between a wired client
and the switch.
• EAPOL-Start
A wired client sends this message to a switch to let it know that the wired client is ready.
• EAPOL-Key
The switch sends an encryption key to the wired client. The client is allowed access to the network when
both the switch and the wired client have the correct encryption keys.
• EAP-Packet
Both the wired client and the switch send this message to complete the authentication process.
• EAPOL-Logoff
This message is sent when the wired client wants to be disconnected from the network.
• EAPOL-Encapsulated-ASF-Alert
This message is sent if the authentication process has not yet completed and alerts need to be
forwarded.
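The following decoder is an added example for this section (covering both the EAP method list above and the EAPOL message list); it is not Zyxel code and is not taken from the guide. It parses the EAPOL header of an Ethernet frame, names the message type, decodes the EAP packet inside an EAP-Packet frame, and flags EAP methods that fall outside a configured allow-list, which is how a monitoring tool would notice a client or authenticator negotiating a legacy method such as EAP-MD5 on a port where only tunneled methods (EAP-TLS, EAP-TTLS, PEAP) are expected. The numeric EAPOL packet types, EAP codes and EAP method numbers are taken from IEEE 802.1X and the IANA EAP registry (RFC 3748), not from the guide; the MAC addresses and frames are constructed for the example.

```python
"""Decode IEEE 802.1X EAPOL frames and classify the EAP method they carry.

Added example for this section of the guide; not Zyxel code. Packet-type
numbers come from IEEE 802.1X and EAP method numbers from the IANA EAP
registry (RFC 3748), not from the guide. All frames below are constructed.
"""
import struct

EAPOL_ETHERTYPE = 0x888E                 # EtherType identifying EAPOL frames
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"  # destination MAC used by EAPOL-Start/Logoff

# IEEE 802.1X EAPOL "Packet Type" values
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}

# EAP codes (RFC 3748, section 4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method types for the methods the guide discusses
EAP_METHODS = {
    1: "Identity", 2: "Notification", 3: "Nak",
    4: "EAP-MD5", 6: "EAP-GTC", 13: "EAP-TLS",
    17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
}
TUNNELED_METHODS = {13, 21, 25}          # methods that protect the client identity
PLUMBING = {"Identity", "Notification", "Nak"}  # not real methods; never flagged


def parse_eap(body: bytes) -> dict:
    """Parse the EAP packet (RFC 3748) carried inside an EAP-Packet EAPOL frame."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    # Only Request and Response carry a Type byte followed by type-data.
    if code in (1, 2) and length >= 5:
        mtype = body[4]
        eap["method"] = EAP_METHODS.get(mtype, f"unknown({mtype})")
        eap["tunneled"] = mtype in TUNNELED_METHODS
        eap["data"] = body[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL; raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL length field exceeds frame")
    result = {
        "dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
        "version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
    }
    if ptype == 0:                        # only EAP-Packet carries an EAP packet
        result["eap"] = parse_eap(body)
    return result


def check_method_policy(frame: bytes, allowed: set) -> list:
    """Return findings for EAP Request/Response frames whose method is not allowed."""
    eap = parse_eapol(frame).get("eap")
    if eap and "method" in eap and eap["method"] not in PLUMBING | allowed:
        return [f"{eap['method']} not in allowed set"]
    return []


# --- constructed sample frames (hypothetical MAC addresses) -------------------
def build_eap(code: int, ident: int, mtype=None, data: bytes = b"") -> bytes:
    payload = (bytes([mtype]) + data) if mtype is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(dst: str, src: str, ptype: int, body: bytes = b"") -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, ptype, len(body)) + body


CLIENT, SWITCH = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FRAMES = {
    "start": build_eapol(PAE_GROUP_ADDRESS, CLIENT, 1),
    "identity_request": build_eapol(CLIENT, SWITCH, 0, build_eap(1, 1, 1)),
    "identity_response": build_eapol(SWITCH, CLIENT, 0, build_eap(2, 1, 1, b"anonymous")),
    "peap_request": build_eapol(CLIENT, SWITCH, 0, build_eap(1, 2, 25, b"\x20")),
    "md5_request": build_eapol(CLIENT, SWITCH, 0, build_eap(1, 2, 4, b"\x10" + bytes(16))),
    "logoff": build_eapol(PAE_GROUP_ADDRESS, CLIENT, 2),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, parse_eapol(frame), check_method_policy(frame, {"EAP-TLS", "EAP-TTLS", "PEAP"}))
```

The policy check treats Identity, Notification and Nak as protocol plumbing rather than methods, so an anonymous outer identity (as sent in the clear before a TTLS or PEAP tunnel is established) does not trigger a finding, while an EAP-MD5 challenge on a port that should only see tunneled methods does.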