Eap Over Radius; Initiating 802.1X Authentication; 802.1X Client As The Initiator - HP 5920 Series Configuration Manual

Value: 0x02
Type: EAPOL-Logoff
Description: The client sends an EAPOL-Logoff message to tell the network access
device that it is logging off.
Length—Data length in bytes, or length of the Packet body. If the packet type is EAPOL-Start or
EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body
field contains an EAP packet.

EAP over RADIUS

RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP
authentication. For the RADIUS packet format, see "Configuring AAA."
EAP-Message
RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 25. The Type field
takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS
encapsulates it in multiple EAP-Message attributes.
Figure 25 EAP-Message attribute format
Message-Authenticator
RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute
to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum
is different from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP
authentication packets from being tampered with during EAP authentication.
Figure 26 Message-Authenticator attribute format

Initiating 802.1X authentication

Both the 802.1X client and the access device can initiate 802.1X authentication.

802.1X client as the initiator

The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The
destination MAC address of the packet is the IEEE 802.1X specified multicast address
01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and
the authentication server does not support the multicast address, you must use an 802.1X client (for
example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets.
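The EAP-Message splitting and the Message-Authenticator drop rule described under "EAP over RADIUS", as an added Python example that is not taken from the HP manual: it builds an Access-Request carrying a 600-byte EAP packet, then reassembles and verifies it on the receiving side. The Message-Authenticator type value 80 and the HMAC-MD5 calculation keyed with the RADIUS shared secret follow RFC 3579 and are not stated on this page; the function names, the sample EAP packet and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # 79 is from the manual; 80 per RFC 3579
MAX_VALUE = 253                              # largest attribute Value, per the manual
SAMPLE_EAP = bytes([2, 7]) + struct.pack("!H", 600) + bytes([13]) + bytes(595)  # constructed
SAMPLE_SECRET = b"constructed-shared-secret"                                    # constructed


def build_access_request(ident, eap_packet, secret):
    """Split an EAP packet across EAP-Message attributes and sign the Access-Request."""
    attrs = b""
    for i in range(0, len(eap_packet), MAX_VALUE):
        chunk = eap_packet[i:i + MAX_VALUE]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed while the MAC is computed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)  # code 1 = Access-Request
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Yield (type, value_offset, value) per attribute; ValueError on malformed input."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("bad attribute length")
        alen = packet[pos + 1]
        yield packet[pos], pos + 2, packet[pos + 2:pos + alen]
        pos += alen


def extract_eap(packet, secret):
    """Return the reassembled EAP packet, or None when the packet must be dropped."""
    try:
        attrs = list(parse_attributes(packet))
    except ValueError:
        return None
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    eap = b"".join(val for t, _, val in attrs if t == EAP_MESSAGE)
    if not eap or len(macs) != 1 or len(macs[0][1]) != 16:
        return None  # no EAP payload, or no single 16-byte Message-Authenticator
    zeroed = packet[:macs[0][0]] + bytes(16) + packet[macs[0][0] + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return eap if hmac.compare_digest(macs[0][1], expected) else None
```

A receiver that returns `None` here corresponds to the manual's "drops the packet" behavior: a single flipped byte in any EAP-Message value, or a different shared secret, changes the computed value and the packet is discarded.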


This manual is also suitable for:

5900 series
