802.1x authentication process
The clients and authenticators communicate using Extensible Authentication Protocol (EAP), which was
originally designed to run over PPP, and for which the IEEE 802.1x Standard has defined an
encapsulation method over Ethernet frames, called EAP over LAN (EAPOL).
The following figure shows a typical message exchange initiated by the client.
Using EAPoL to authenticate a port
EAPoL Message Exchange
During authentication, EAPOL messages are exchanged between the client and the switch authenticator,
while RADIUS-EAP messages are exchanged between the switch authenticator and the Radius
Authentication is initiated by one of the following methods:
Switch authenticator sends an EAP-Request/Identity packet to the client.
Client sends an EAPOL-Start frame to the switch authenticator, which responds with an EAP-
The client confirms its identity by sending an EAP-Response/Identity frame to the switch authenticator,
which forwards the frame encapsulated in a RADIUS packet to the server.
Port-based Network Access and traffic control