EAPoL Message Exchange
G8264CS Application Guide for ENOS 8.4
During authentication, EAPOL messages are exchanged between the client and the
G8264CS authenticator, while RADIUS‐EAP messages are exchanged between the
G8264CS authenticator and the RADIUS server.
Authentication is initiated by one of the following methods:
- The G8264CS authenticator sends an EAP‐Request/Identity packet to the client.
- The client sends an EAPOL‐Start frame to the G8264CS authenticator, which
  responds with an EAP‐Request/Identity frame.
The client confirms its identity by sending an EAP‐Response/Identity frame to the
G8264CS authenticator, which forwards the frame encapsulated in a RADIUS
packet to the server.
The RADIUS authentication server chooses an EAP‐supported authentication
algorithm to verify the client's identity, and sends an EAP‐Request packet to the
client via the G8264CS authenticator. The client then replies to the RADIUS server
with an EAP‐Response containing its credentials.
Upon a successful authentication of the client by the server, the 802.1X‐controlled
port transitions from unauthorized to authorized state, and the client is allowed
full access to services through the controlled port. When the client later sends an
EAPOL‐Logoff message to the G8264CS authenticator, the port transitions from
authorized to unauthorized state.
If a client that does not support 802.1X connects to an 802.1X‐controlled port, the
G8264CS authenticator requests the client's identity when it detects a change in the
operational state of the port. The client does not respond to the request, and the
port remains in the unauthorized state.
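The exchange and port transitions described above, replayed over constructed frames, as an added example (not from the guide or from ENOS): it parses EAPOL and EAP headers using the standard IEEE 802.1X and RFC 3748 field layouts and tracks the controlled port state. The function names, the identity `alice`, method type 4 and the EAP‐Failure handling are assumptions made for illustration.

```python
import struct
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
def eapol(ptype, body=b"", version=2):  # version, packet type, body length, body
    return struct.pack("!BBH", version, ptype, len(body)) + body
def eap(code, ident, data=b""):  # code, identifier, total length, type + data
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def describe(frame):
    """Label one EAPOL PDU, e.g. 'EAP-Request/Identity'; reject bad lengths."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if length < 4:
        raise ValueError("truncated EAP header")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= length:
        raise ValueError("EAP length field inconsistent with EAPOL body")
    label = "EAP-" + EAP_CODES.get(code, f"code-{code}")
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a type octet
        label += "/Identity" if body[4] == 1 else f"/type-{body[4]}"
    return label

def port_state(frames):
    """Replay frames seen on one controlled port; return (labels, final state)."""
    state, labels = "unauthorized", []
    for frame in frames:
        labels.append(describe(frame))
        if labels[-1] == "EAP-Success":
            state = "authorized"
        elif labels[-1] in ("EAP-Failure", "EAPOL-Logoff"):  # Failure: assumption
            state = "unauthorized"
    return labels, state

# Constructed frames (not a capture); method type 4 and payloads are arbitrary.
SESSION = [
    eapol(1),                                   # client: EAPOL-Start
    eapol(0, eap(1, 1, b"\x01")),               # authenticator: Request/Identity
    eapol(0, eap(2, 1, b"\x01alice")),          # client: Response/Identity
    eapol(0, eap(1, 2, b"\x04" + bytes(17))),   # server's method request
    eapol(0, eap(2, 2, b"\x04" + bytes(17))),   # client's credentials
    eapol(0, eap(3, 2)),                        # EAP-Success
]
LEGACY = [eapol(0, eap(1, 1, b"\x01"))]  # non-802.1X client never answers
```

`port_state(SESSION)` ends in the authorized state, appending `eapol(2)` (EAPOL‐Logoff) returns the port to unauthorized, and `LEGACY` never leaves unauthorized.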
Note: When an 802.1X‐enabled client connects to a port that is not
802.1X‐controlled, the client initiates the authentication process by sending an
EAPOL‐Start frame. When no response is received, the client retransmits the
request a fixed number of times. If there is still no response, the client assumes
the port is in authorized state, and begins sending frames, even if the port is
unauthorized.