Home > Articles > Cisco Network Technology > Security > EAP Authentication Protocols for WLANs

EAP Authentication Protocols for WLANs

Chapter Description

This chapter examines the authentication methods: EAP, PEAP, LEAP, and the newer, emerging paradigm EAP-FAST, and weighs the pros and cons of each, in terms of standardization maturity and effectiveness.

From the Book

Cisco Wireless LAN Security

Cisco Wireless LAN Security


802.1x: Introduction and General Principles

As you have seen, the EAP and other methods are primarily developed for dial-up connections; therefore, there are no link layer protocols for them in the 802 LAN worlds. You cannot arbitrarily open up a TCP port and start sending EAP data. That is where 802.1x comes in. It provides a set of context (such as port and supplicant), state machines between the various layers, and the EAP over LAN (EAPOL) protocol. Of course, 802.1x is not specific to WLANS; in fact, the standard is being used in wired networks successfully. 802.1x provides the access models, whereas EAP adds the authentication mechanisms.

The 802.1x specification starts with the concept of a port as single entry into a network for a supplicant. Hence, it covers 802.3 networks while considering a shared medium like the classical token ring out of scope. In fact, the 802.1x defines EAPOL only for 802.3 Ethernet MACs and Token Ring/FDDI MACs. As previously shown, this plays well with the 802.11 in which each client can be associated with only one AP; hence, the connection to an AP is analogous to the port in the 802.1x realm.

A controlled port is one that allows access after a successful authentication. A controlled port probably offers all the network services. The concept of an uncontrolled port also exists and is important because initial messages and authentication services would be offered through an uncontrolled port. Usually only minimal administrative services are offered by an uncontrolled port.


EAP encapsulation over LAN (EAPOL) is the method to transport EAP packets between a supplicant and an authenticator directly by a LAN MAC service. Figure 7-16 shows the MAC Protocol Data Unit (MPDU) for Ethernet. The header fields include Ethernet type, protocol version, packet type, and body length.

Figure 16Figure 7-16 EAPOL MPDU for 802.3/Ethernet

The body itself is the EAP packet you saw in earlier sections dealing with EAP.

As you might have guessed by now, a supplicant can initiate an authentication by the EAPOL-start frame. But usually a port in an authenticator becomes active (by a connection from a client), and the authenticator starts the EAP process, usually by an EAP-request-identity message encapsulated as EAP type in the EAPOL packet type field. One important packet type is the EAPOL-logoff from a supplicant to the authenticator. In the 802.11 world, this ends an association.

802.1x deals extensively with state machines, timers, handoff between the various layers, and port access control MIBs for SNMP. You can best understand these concepts by reading the standard.

4. Cisco LEAP (EAP-Cisco Wireless) | Next Section Previous Section