EAPOL (EAP over LAN) - ZyXEL Communications XS3800-28 User Manual

28-port 10GbE L3 managed switch

Chapter 18 Port Authentication
With EAP-TLS, digital certificates are needed by both the server and the wired clients for mutual
authentication. The server presents a certificate to the client. After validating the identity of the server,
the client sends its own certificate to the server. The exchange of certificates is done in the open,
before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital
certificate is an electronic ID card that authenticates the sender's identity. However, to implement
EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management
overhead.
• EAP-TTLS (Tunneled Transport Layer Security)
EAP-TTLS is an extension of EAP-TLS authentication that uses a certificate only for server-side
authentication to establish a secure connection. Client authentication is then done by sending the user
name and password through the secure connection, so the client identity is protected. For client
authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP,
MS-CHAP and MS-CHAP v2.
• PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then
authenticates the clients with simple user name and password methods through the secured connection,
thus hiding the client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2
and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by
Cisco.
• LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

18.7.4 EAPOL (EAP over LAN)

EAPOL is the port authentication protocol used in IEEE 802.1x. It encapsulates EAP packets and sends them
over the LAN. EAPOL exchanges the following messages between a wired client and the switch.
• EAPOL-Start
A wired client will send this message to a switch to let it know the wired client is ready.
• EAPOL-Key
The switch sends an encryption key to the wired client. The client is allowed access to the network when
both the switch and the wired client have the correct encryption keys.
• EAP-Packet
Both the wired client and the switch send this message to complete the authentication process.
• EAPOL-Logoff
This message will be sent when the wired client wants to be disconnected from the network.
• EAPOL-Encapsulated-ASF-Alert
This message is sent if the authentication process has not yet completed and alerts need to be
forwarded.
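As an added illustration (not part of the ZyXEL manual), the following Python decodes the EAPOL header that carries the five messages above and, for an EAP-Packet, the EAP header inside it; the type codes come from IEEE 802.1X and RFC 3748, while the client MAC address and the user name are constructed sample values.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # IEEE 802.1X PAE multicast address
# EAPOL packet types from IEEE 802.1X: the five messages described above
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
# EAP codes (RFC 3748) and IANA method types for the EAP methods named on this page
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 6: "GTC", 13: "TLS",
               17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build an Ethernet frame carrying an EAPOL (version 1) packet of the given type."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header and, for EAP-Packet, the EAP header it encapsulates."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype, version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {ptype}")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field runs past end of frame")
    rec = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
           "version": version, "type": EAPOL_TYPES[ptype]}
    if ptype == 0:  # EAP-Packet: 4-byte EAP header, then method type and data
        if length < 4:
            raise ValueError("EAP packet shorter than its header")
        code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
        rec.update(eap_code=EAP_CODES.get(code, f"code-{code}"), eap_id=eap_id)
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a method type
            rec["eap_method"] = EAP_METHODS.get(body[4], f"type-{body[4]}")
            rec["eap_data"] = body[5:eap_len]
    return rec


# Constructed sample: a client (made-up MAC) sends EAPOL-Start, then answers the
# switch's Identity request. The outer identity is readable by anyone on the segment,
# which is why EAP-TTLS and PEAP carry the real user name inside the TLS tunnel.
CLIENT_MAC = bytes.fromhex("02aabbccddee")
START_FRAME = build_eapol(PAE_GROUP_ADDR, CLIENT_MAC, 1)
IDENTITY = b"alice"
EAP_RESPONSE_ID = struct.pack("!BBHB", 2, 7, 5 + len(IDENTITY), 1) + IDENTITY
IDENTITY_FRAME = build_eapol(PAE_GROUP_ADDR, CLIENT_MAC, 0, EAP_RESPONSE_ID)
print(parse_eapol(START_FRAME), parse_eapol(IDENTITY_FRAME), sep="\n")
```

The same decoder applied to mirrored switch-port traffic lets an operator see which EAP method a supplicant negotiates and whether a Logoff or ASF-Alert preceded a port losing authorization.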
XS3800-28 User's Guide
249