The Mechanism of an 802.1x Authentication System

IEEE 802.1x authentication uses the extensible authentication protocol (EAP) to exchange information between supplicant systems and the authentication servers. To be compatible with 802.1X in a LAN environment, the client program must support the Extensible Authentication Protocol over LAN (EAPoL).

Figure 1-2 The mechanism of an 802.1x authentication system

• EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets.
• EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS (EAPoR) packets or be terminated at system PAEs. The system PAEs then communicate with RADIUS servers through password authentication protocol (PAP) or challenge-handshake authentication protocol (CHAP) packets.
• When a supplicant system passes the authentication, the authentication server passes the information about the supplicant system to the authenticator system. The authenticator system in turn determines the state (authorized or unauthorized) of the controlled port according to the instructions (accept or reject) received from the RADIUS server.

Encapsulation of EAPoL Messages

The format of an EAPoL packet

EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs, EAP protocol packets are encapsulated in EAPoL format. The following figure illustrates the structure of an EAPoL packet.

Figure 1-3 The format of an EAPoL packet

In an EAPoL packet:

• The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E.
• The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
• The Type field can be one of the following:
  00: Indicates that the packet is an EAP-packet, which carries authentication information.
  01: Indicates that the packet is an EAPoL-start packet, which initiates the authentication.
  02: Indicates that the packet is an EAPoL-logoff packet, which sends logging off requests.
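The header fields described above can be read from a raw Ethernet frame with a short parser. This is an added example, not part of the original manual: the names `parse_eapol` and `EapolError`, the sample frames and the 2-byte body length field (taken from the IEEE 802.1X header layout, not described in the text above) are assumptions.

```python
import struct

ETH_P_PAE = 0x888E  # PAE Ethernet type for 802.1x
# Type values listed in the text above; anything else is reported as unknown.
EAPOL_TYPES = {0x00: "EAP-packet", 0x01: "EAPoL-start", 0x02: "EAPoL-logoff"}

# Constructed sample frames (not captured traffic); the source MAC is made up.
_ETH = bytes.fromhex("0180c2000003" "020000000001" "888e")
SAMPLE_START = _ETH + bytes.fromhex("01" "01" "0000")
SAMPLE_EAP = _ETH + bytes.fromhex("01" "00" "0005" "0101000501")


class EapolError(ValueError):
    """Raised when a frame is not a well-formed EAPoL packet."""


def parse_eapol(frame: bytes) -> dict:
    """Parse one untagged Ethernet frame and return its EAPoL header fields."""
    if len(frame) < 14:
        raise EapolError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_PAE:
        raise EapolError(f"not EAPoL: EtherType 0x{ethertype:04X}")
    if len(frame) < 18:
        raise EapolError("truncated EAPoL header")
    # Assumption (IEEE 802.1X layout, not shown in the text above): a 2-byte
    # big-endian body length follows the 1-byte version and 1-byte type.
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]  # slicing by length drops Ethernet padding
    if len(body) < length:
        raise EapolError(f"body truncated: header says {length}, got {len(body)}")
    return {
        "src": src.hex(":"),
        "dst": dst.hex(":"),
        "version": version,
        "type": ptype,
        "type_name": EAPOL_TYPES.get(ptype, "unknown"),
        "body": body,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_START, SAMPLE_EAP):
        print(parse_eapol(sample))
```

Frames whose declared body length exceeds the bytes actually present are rejected rather than parsed, which is the check a monitoring tool needs before trusting the Type field.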