EAPoL Message Exchange
EAPoL Port States
116
CN4093 Application Guide for N/OS 8.4
During authentication, EAPOL messages are exchanged between the client and the
CN4093 authenticator, while RADIUS‐EAP messages are exchanged between the
CN4093 authenticator and the RADIUS server.
Authentication is initiated by one of the following methods:
The CN4093 authenticator sends an EAP‐Request/Identity packet to the client
The client sends an EAPOL‐Start frame to the CN4093 authenticator, which
responds with an EAP‐Request/Identity frame.
The client confirms its identity by sending an EAP‐Response/Identity frame to the
CN4093 authenticator, which forwards the frame encapsulated in a RADIUS
packet to the server.
The RADIUS authentication server chooses an EAP‐supported authentication
algorithm to verify the client's identity, and sends an EAP‐Request packet to the
client via the CN4093 authenticator. The client then replies to the RADIUS server
with an EAP‐Response containing its credentials.
Upon a successful authentication of the client by the server, the 802.1X‐controlled
port transitions from unauthorized to authorized state, and the client is allowed
full access to services through the controlled port. When the client later sends an
EAPOL‐Logoff message to the CN4093 authenticator, the port transitions from
authorized to unauthorized state.
If a client that does not support 802.1X connects to an 802.1X‐controlled port, the
CN4093 authenticator requests the clientʹs identity when it detects a change in the
operational state of the port. The client does not respond to the request, and the
port remains in the unauthorized state.
Note: When an 802.1X‐enabled client connects to a port that is not
802.1X‐controlled, the client initiates the authentication process by sending an
EAPOL‐Start frame. When no response is received, the client retransmits the
request for a fixed number of times. If no response is received, the client assumes
the port is in authorized state, and begins sending frames, even if the port is
unauthorized.
The state of the port determines whether the client is granted access to the network,
as follows:
Unauthorized
While in this state the port discards all ingress and egress traffic except EAP
packets.
Authorized
When the client is successfully authenticated, the port transitions to the
authorized state allowing all traffic to and from the client to flow normally.
Force Unauthorized
You can configure this state that denies all access to the port.
Force Authorized
You can configure this state that allows full access to the port.