EAP over RADIUS
Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and
Message-Authenticator. For information about RADIUS packet format, refer to AAA Configuration in the
The EAP-Message attribute is used to encapsulate EAP packets.
format. The value of the Type field is 79. The String field can be up to 253 bytes. If the EAP packet is
longer than 253 bytes, it can be fragmented and encapsulated into multiple EAP-Message attributes.
Figure 1-5 Encapsulation format of the EAP-Message attribute
shows the encapsulation format of the Message-Authenticator attribute. The
Message-Authenticator attribute is used to prevent access requests from being snooped during EAP
authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the packet
will be considered invalid and get discarded.
Figure 1-6 Encapsulation format of the Message-Authenticator attribute
802.1X Authentication Triggering
802.1X authentication can be initiated by either a client or the device.
Unsolicited triggering of a client
A client initiates authentication by sending an EAPOL-Start frame to the device. The destination
address of the frame is 01-80-C2-00-00-03, the multicast address specified by the IEEE 802.1X
Some devices in the network may not support multicast packets with the above destination address,
causing the authentication device unable to receive the authentication request of the client. To solve the
problem, the device also supports EAPOL-Start frames whose destination address is a broadcast MAC
address. In this case, the iNode 802.1X client is required.
Unsolicited triggering of the device
The device can trigger authentication by sending EAP-Request/Identity packets to unauthenticated
clients periodically (every 30 seconds by default). This method can be used to authenticate clients
which cannot send EAPOL-Start frames and therefore cannot trigger authentication, for example, the
802.1X client provided by Windows XP.
shows its encapsulation