8. 802.1X Conversation
   Participants: PC_Client (EAP Client/Supplicant), Ethernet Switch (RADIUS Client), RADIUS Server (Authentication Server).
   Client to Switch communication: EAP over Ethernet (EAPoL).
   Switch to Radius Server communication: Auth Requests & Return Attributes.
   Message sequence: Port-Start, EAPoL-Start, EAP-Request/Identity, EAP-Response/Identity, Radius-Access-Request, Radius-Access-Challenge, EAP-Request (Credentials), EAP-Response (Credentials), Radius-Access-Request, Radius-Access-Accept, EAP-Success.
   Port state: Access to the Network Blocked, then Access Allowed.
9. 802.1X Ethernet packet
   Frame fields, in order:
     Dest. MAC (6 bytes): 0180C200000F* or 0180C2000003
     Source MAC (6 bytes)
     Type (2 bytes): 8180* or 888E
     Protocol Version (1 byte): 01
     Packet Type (1 byte)
     Packet Body Length (2 bytes)
     Packet Body (n bytes)
     * Beta release
   Packet Type values:
     00 EAP-Packet
     01 EAPOL-Start *
     02 EAPOL-Logoff *
     03 EAPOL-Key
     04 EAPOL-Encapsulated-ASF-Alert
     * No packet body field
   Packet body field for EAPOL-Key: Descriptor Type (1 byte), Key Length (2 bytes), Replay Counter (8 bytes), Key IV (16 bytes), Key Index (1 byte), Key Signature (16 bytes), Key (n bytes)
   Packet body field for EAP-Packet: Code (1 byte), Identifier (1 byte), Length (2 bytes), Data (n bytes)
   EAP Code values: 1 Request, 2 Response, 3 Success, 4 Failure
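The frame layout on slide 9 as a validating parser, added here as an example and not taken from the original slides. The two sample frames and the source MAC are constructed, and only untagged frames with the 888E type value are handled.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PACKET_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
                3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eapol(frame: bytes) -> dict:
    """Parse one untagged Ethernet frame carrying EAPOL; raise ValueError if malformed."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        raise ValueError("frame too short for EAPOL")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04X}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]  # slice by declared length: ignores Ethernet padding
    if len(body) != body_len:
        raise ValueError("Packet Body Length exceeds captured bytes")
    out = {"dst": dst.hex(), "src": src.hex(), "version": version,
           "type": PACKET_TYPES.get(ptype, f"unknown({ptype})"), "body_len": body_len}
    if ptype in (1, 2) and body_len:
        raise ValueError("EAPOL-Start/Logoff must not carry a packet body")
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def parse_eap(body: bytes) -> dict:
    """Parse the EAP packet: Code (1), Identifier (1), Length (2), Data (n)."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field inconsistent with packet body")
    return {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
            "data": body[4:length]}  # for Request/Response, Data starts with the EAP Type byte


# Constructed sample frames (not captured traffic): group address 0180C2000003 as
# destination, a made-up source MAC, and an EAP-Response/Identity (Type 1) for "alice".
_HDR = bytes.fromhex("0180c2000003" "020000000001" "888e")
EAP_RESPONSE = _HDR + bytes.fromhex("01" "00" "000a" "02" "01" "000a" "01") + b"alice"
EAPOL_START = _HDR + bytes.fromhex("01" "01" "0000")

if __name__ == "__main__":
    print(parse_eapol(EAPOL_START))
    print(parse_eapol(EAP_RESPONSE))
```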
48. On the switch, the NEAP supplicant can be checked as below
49. Authentication Feature by Ethernet Routing Switch model

| Authentication Feature | Ethernet Routing Switch 2500 | Ethernet Routing Switch 4500 | Ethernet Routing Switch 5500 | Ethernet Routing Switch 5600 | Ethernet Routing Switch 8300 |
|---|---|---|---|---|---|
| Single Host Single Authentication (SHSA) – 802.1x | Yes | Yes | Yes | Yes | Yes |
| Multiple Host Single Authentication (MHSA) – 802.1x | Yes | Yes | Yes | Yes | Yes |
| Multiple Host Multiple Authentication (MHMA) – 802.1x | Yes | Yes | Yes | Yes | Yes |
| *Guest VLAN with EAP (GVLAN-SHSA) | Yes (4.1.0) | Yes | Yes (5.0.0) | Yes | Yes |
| SHSA with Guest VLAN | Yes | Yes | Yes | Yes | Yes |
| *MHSA with Guest VLAN | Yes (4.1.0) | Yes (5.1.0) | Yes (5.0.0) | Yes | Future |
| MHMA with Guest VLAN | Yes | Yes | Yes | Yes | Yes |
| MAC Based EAP Authentication | Yes (4.1.0) | Yes (5.1.0) | Yes (5.0.0) | Yes | Yes |
| EAP and Non EAP on same port | Yes | Yes | Yes | Yes | Yes |
| RADIUS Assigned VLAN in MHMA | Yes (4.2.0) | Yes (5.1.0) | Yes (5.1.0) | Yes | Yes |
| Non-EAP IP Phone Support | Yes (4.2.0) | Yes (5.1.0) | Yes (5.1.0) | Yes | No |
| EAP or Non-EAP with Guest VLAN | No | Yes (5.3.0) | No | No | No |
| EAP or Non-EAP with Fail Open VLAN | No | Yes (5.3.0) | No | No | No |
| EAP or Non-EAP with VLAN Name | No | Yes (5.3.0) | No | No | No |
| EAP or Non-EAP Last Assigned VLAN | No | Yes (5.3.0) | No | No | No |
| Non-EAP use with Wake on LAN | No | Yes (5.3.0) | No | No | No |
| Policy Support | No | No | Yes | Yes | No |
| Tagged/Untagged | | | | | |
| Per VLAN Egress Tagging | Yes | Yes | Yes | Yes | Yes |
| Tagged and untagged per port | Yes | Yes | Yes | Yes | Yes |
| Tagging with EAP | Yes | Yes | Yes | Yes | **Yes |
50. *Please note that a device is only put into the Guest VLAN providing another user has not already passed EAP authentication.