
packet captures. The Supplicant and the Authenticator have a physical
conversation, and the Authenticator and the Authentication Server have a
physical conversation. Both of these conversations can be seen as data
transfers. Together, the physical conversations support the exchange of
credential information between the Supplicant and the Authentication
Server; that exchange is an entirely logical conversation. The key point here
is that the Supplicant can converse only with the Authenticator, so the
Authenticator acts as a translator between the Supplicant and the
Authentication Server.
This means that several protocols are implemented to support this
authentication system. Each of the conversations, whether physical or logical,
must be supported by at least one distinct protocol. The three conversations,
and all the protocols employed, are commonly called 802.1X; but, in truth,
only the physical conversation between the Authenticator and the Supplicant
is 802.1X, that is, EAPOL. The physical communication between the
Authentication Server and the Authenticator is conducted using the RADIUS
protocol. The logical conversation between the Authentication Server and
the Supplicant is conducted using EAP and EAP-Methods.
What is EAP? EAP was created to be implemented in the Point-to-Point
Protocol (PPP). PPP is a protocol used for communication taking place on a
serial link, usually a leased telephone line. At first glance, it would seem
that a serial protocol and a LAN protocol are entirely different animals and
would not have much in common. Generally, this is true. However, the
specifications for EAP are almost philosophical in nature and only require
that the topology be a point-to-point connection. If you look at a single
connection on a switched LAN, or an association in a wireless environment,
you will see that they have strong point-to-point characteristics, and those
characteristics are fundamental to the concept of EAP. As long as they are
present, it is relatively simple to utilize EAP. On a switched LAN this is
accomplished with a Layer 2 encapsulation, EAPOL. The result is 802.1X.
What is an EAP-Method then? An EAP-Method is the way in which a
particular authentication is conducted. In a sense, an EAP-Method is an
authentication. Parsing EAP-Method into EAP and Method makes it a little
easier to understand: it is a particular Method used to execute an
authentication, utilizing EAP as a transport mechanism. Many EAP-Methods
have been defined, covering various ways to authenticate. Some utilize
certificates, others use Username/Password, and some are methods of
tunneling information between the Supplicant and the Authentication
Server. However diverse they become, each and every one will always be
encapsulated in EAP between the Supplicant and the Authenticator.
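The three conversations described above can be made concrete by walking one EAP packet through them. The following Python is an added example, not code from the book: it builds an EAP Response/Identity, wraps it in an EAPOL frame for the Supplicant-to-Authenticator leg, has the Authenticator move the same EAP bytes unchanged into RADIUS EAP-Message attributes for the Authenticator-to-Authentication-Server leg, and lets the server recover the EAP packet. The Authenticator never looks at the EAP Type field, which is the relay role the text describes. The frame layouts are the public ones from IEEE 802.1X, RFC 3748 and RFC 3579; the shared secret, the identity string, the RADIUS identifier and the Request Authenticator value are constructed for the example. It goes one step beyond the page by also showing the Message-Authenticator check that RFC 3579 requires on the RADIUS leg whenever EAP-Message is carried.

```python
"""Added example (not from the book): the 802.1X Authenticator as an EAP relay.

Wire formats used (all public standards):
  EAPOL  (IEEE 802.1X): version(1) | type(1) | body length(2) | body
  EAP    (RFC 3748):    code(1) | identifier(1) | length(2) | type(1) | type-data
  RADIUS (RFC 2865/3579): code(1) | identifier(1) | length(2) | authenticator(16) | attrs
         attribute: type(1) | length(1) | value
         EAP-Message = 79, Message-Authenticator = 80 (HMAC-MD5, keyed with the shared secret)
Only Access-Request packets are modelled here.
"""
import hashlib
import hmac
import struct

EAPOL_EAP_PACKET = 0            # EAPOL packet type that carries an EAP packet
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_MESSAGE_MAX_VALUE = 253     # one RADIUS attribute holds at most 253 value bytes


def build_eap(code, identifier, eap_type, type_data):
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def parse_eap(pkt):
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return {"code": code, "id": identifier, "type": eap_type, "data": pkt[5:]}


# --- Conversation 1: Supplicant <-> Authenticator (802.1X / EAPOL) ---
def eapol_encapsulate(eap_pkt, version=2):
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap_pkt)) + eap_pkt


def eapol_decapsulate(frame):
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    return frame[4:4 + body_len]


# --- Conversation 2: Authenticator <-> Authentication Server (RADIUS) ---
def radius_encapsulate(eap_pkt, secret, identifier, request_authenticator):
    attrs = b""
    # EAP packets larger than one attribute are split over several EAP-Message attributes
    for off in range(0, len(eap_pkt), EAP_MESSAGE_MAX_VALUE):
        chunk = eap_pkt[off:off + EAP_MESSAGE_MAX_VALUE]
        attrs += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    # Message-Authenticator is computed over the whole packet with its own value zeroed
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    header += request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def radius_decapsulate(pkt, secret):
    _code, _identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    eap, mac_off, pos = b"", None, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        if atype == ATTR_EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]      # reassemble the EAP packet in order
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac_off = pos + 2
        pos += alen
    if mac_off is None:
        raise ValueError("Message-Authenticator missing (required with EAP-Message)")
    zeroed = pkt[:mac_off] + bytes(16) + pkt[mac_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_off:mac_off + 16]):
        raise ValueError("Message-Authenticator check failed")
    return eap


# --- The Authenticator: translates between the two physical conversations ---
def authenticator_relay(eapol_frame, secret, radius_id, request_authenticator):
    # Note what is absent: no parse_eap() call. The Authenticator forwards the EAP
    # bytes without interpreting the EAP-Method inside them.
    return radius_encapsulate(eapol_decapsulate(eapol_frame), secret, radius_id,
                              request_authenticator)


def demo():
    """Run one Response/Identity through all three conversations; values are constructed."""
    secret = b"constructed-shared-secret"       # constructed; never hard-code in real deployments
    request_auth = bytes(range(16))             # constructed; a real client uses 16 random bytes
    eap = build_eap(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, b"alice@example.com")
    frame = eapol_encapsulate(eap)                                  # Supplicant -> Authenticator
    req = authenticator_relay(frame, secret, 42, request_auth)      # Authenticator -> Server
    identity = parse_eap(radius_decapsulate(req, secret))["data"].decode()  # Server reads EAP
    tampered = bytearray(req)
    tampered[27] ^= 1                          # first byte of the identity inside EAP-Message
    try:
        radius_decapsulate(bytes(tampered), secret)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return identity, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The logical conversation is visible in the byte strings: the EAP packet that leaves `build_eap()` at the Supplicant is byte-for-byte the one `radius_decapsulate()` returns at the server, while the two physical encapsulations around it differ. The tamper check in `demo()` also shows why the RADIUS leg needs its own integrity protection: the Authenticator copies EAP blindly, so the server relies on Message-Authenticator, not on EAP, to detect modification in transit.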
EAP, again, is a protocol defined to function within the PPP suite. 802.1X
leverages the topology of PPP and assumes a simple architecture of a single
device connecting to a single port on a network. A single Supplicant
Overview   5
© 2006 by Taylor & Francis Group, LLC