802.1x: Introduction and General Principles

As you have seen, EAP and the other methods were primarily developed for dial-up connections; therefore, there are no link-layer protocols for them in the 802 LAN world. You cannot arbitrarily open up a TCP port and start sending EAP data. That is where 802.1x comes in. It provides a set of concepts (such as port and supplicant), state machines between the various layers, and the EAP over LAN (EAPOL) protocol. Of course, 802.1x is not specific to WLANs; in fact, the standard is being used successfully in wired networks. 802.1x provides the access models, whereas EAP adds the authentication mechanisms.

Note

The 802.1x specification is clear about what 802.1x does and does not do. It provides a framework but does not specify the information (credentials and other challenge-response artifacts) or the basis of authentication (such as how to authenticate, what information is used to authenticate, how the decisions are made, and what authorizations are allowed as a result of the authentication).


The 802.1x specification starts with the concept of a port as a single entry point into a network for a supplicant. Hence, it covers 802.3 networks while considering a shared medium like the classical token ring out of scope. In fact, 802.1x defines EAPOL only for 802.3 Ethernet MACs and Token Ring/FDDI MACs. As previously shown, this plays well with 802.11, in which each client can be associated with only one AP; hence, the connection to an AP is analogous to the port in the 802.1x realm.

A controlled port is one that allows access only after a successful authentication. A controlled port typically offers all of the network's services. The concept of an uncontrolled port also exists and is important because the initial messages and authentication services are offered through the uncontrolled port. Usually only minimal administrative services are offered by an uncontrolled port.

EAPOL

EAP encapsulation over LAN (EAPOL) is the method to transport EAP packets between a supplicant and an authenticator directly by a LAN MAC service. Figure 7-16 shows the MAC Protocol Data Unit (MPDU) for Ethernet. The header fields include Ethernet type, protocol version, packet type, and body length.

Figure 7-16. EAPOL MPDU for 802.3/Ethernet


The body itself is the EAP packet you saw in earlier sections dealing with EAP.

Note

For the Token Ring/FDDI, the MPDU header is 12 bytes long with the first field SNAP-encoded Ethernet type.


As you might have guessed by now, a supplicant can initiate an authentication with an EAPOL-Start frame. But usually a port on an authenticator becomes active (by a connection from a client), and the authenticator starts the EAP process, usually with an EAP-Request/Identity message carried in an EAPOL frame whose packet type field indicates an EAP packet. One important packet type is the EAPOL-Logoff from a supplicant to the authenticator. In the 802.11 world, this ends an association.
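To make the EAPOL MPDU layout and the controlled/uncontrolled port split concrete, the following is an added example (not code from the book or from any 802.1x implementation). It parses the 802.3 EAPOL header described for Figure 7-16 (EtherType 0x888E, protocol version, packet type, body length), peeks into an EAP-Packet body far enough to recognize an EAP-Request/Identity, and models an authenticator port that always accepts EAPOL on the uncontrolled side but forwards other traffic only while authorized, closing again on EAPOL-Logoff. The MAC addresses, the sample data payload, and the `authorize()` hook that stands in for a successful EAP exchange are constructed for the example; the parser deliberately rejects a declared body length that exceeds the bytes actually present.

```python
"""Added example: EAPOL frame parsing and a minimal 802.1x port model."""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_EAPOL = 0x888E                        # EtherType carried by EAPOL on 802.3
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # group destination used by EAPOL frames
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


@dataclass
class EapolFrame:
    src: bytes
    version: int
    packet_type: str
    body: bytes
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None


def build_frame(src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed helper: Ethernet header (dst, src, type) followed by payload, no FCS."""
    return PAE_GROUP_ADDR + src + struct.pack("!H", ethertype) + payload


def build_eapol(src: bytes, ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    """Constructed helper: EAPOL MPDU = version (1), packet type (1), body length (2), body."""
    return build_frame(src, ETHERTYPE_EAPOL, struct.pack("!BBH", version, ptype, len(body)) + body)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse an 802.3 frame carrying EAPOL; raise ValueError on anything inconsistent."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    # Trust the declared length only if that many bytes are really present; bytes beyond
    # it are Ethernet minimum-size padding and are ignored rather than parsed.
    if len(body) != length:
        raise ValueError("declared EAPOL body length exceeds frame")
    parsed = EapolFrame(src, version, EAPOL_TYPES.get(ptype, f"unknown({ptype})"), body)
    if ptype == 0:  # EAP-Packet: body starts with the EAP header (code, id, length)
        if length < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length inconsistent with EAPOL body")
        parsed.eap_code = EAP_CODES.get(code, f"unknown({code})")
        parsed.eap_id = ident
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a type byte
            parsed.eap_type = body[4]
    return parsed


@dataclass
class PortAccessEntity:
    """Authenticator-side port: EAPOL always reaches the uncontrolled port; all other
    traffic crosses the controlled port only while the port is authorized."""
    authorized: bool = False
    events: list = field(default_factory=list)

    def authorize(self) -> None:
        # Stand-in for the authenticator concluding the EAP exchange with EAP-Success.
        self.authorized = True

    def receive(self, frame: bytes) -> str:
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_EAPOL:
            eapol = parse_eapol(frame)
            self.events.append(eapol.packet_type)
            if eapol.packet_type == "EAPOL-Logoff":
                self.authorized = False  # supplicant left: controlled port closes again
            return "uncontrolled"
        return "forwarded" if self.authorized else "dropped"


def demo() -> list:
    """Walk a constructed supplicant through start, authorization and logoff."""
    supplicant = bytes.fromhex("02aabbccddee")                      # constructed MAC
    data = build_frame(supplicant, 0x0800, b"\x45" + b"\x00" * 19)  # constructed IP payload
    port = PortAccessEntity()
    results = [port.receive(data)]                          # blocked before authentication
    results.append(port.receive(build_eapol(supplicant, 1)))  # EAPOL-Start always accepted
    port.authorize()
    results.append(port.receive(data))                        # now crosses controlled port
    results.append(port.receive(build_eapol(supplicant, 2)))  # EAPOL-Logoff
    results.append(port.receive(data))                        # blocked again
    return results


if __name__ == "__main__":
    print(demo())
```

The port model is only the access-control skeleton: the full 802.1x authenticator state machine (timers, retransmission, reauthentication) is what the standard spends most of its pages on, and the `authorize()` call here marks where the outcome of the EAP method would feed into it.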

802.1x deals extensively with state machines, timers, handoff between the various layers, and port access control MIBs for SNMP. You can best understand these concepts by reading the standard.