ProLiant BL p-Class GbE2 Interconnect Switch Application Guide
Port-based Network Access and traffic control
The following figure shows a typical message exchange initiated by the client.
Figure 2 Using EAPoL to authenticate a port
EAPoL Message Exchange
During authentication, EAPOL messages are exchanged between the client and the switch authenticator, while
RADIUS-EAP messages are exchanged between the switch authenticator and the RADIUS authentication server.
Authentication is initiated by one of the following methods:
• The switch authenticator sends an EAP-Request/Identity packet to the client.
• The client sends an EAPOL-Start frame to the switch authenticator, which responds with an
  EAP-Request/Identity frame.
The client confirms its identity by sending an EAP-Response/Identity frame to the switch authenticator, which
forwards the frame encapsulated in a RADIUS packet to the server.
The RADIUS server chooses an EAP-supported authentication algorithm to verify the client’s identity, and sends an
EAP-Request packet to the client via the switch authenticator. The client then replies to the RADIUS server with an
EAP-Response containing its credentials.
Upon successful authentication of the client by the server, the 802.1x-controlled port transitions from
unauthorized to authorized state, and the client is allowed full access to services through the controlled port.
When the client later sends an EAPOL-Logoff message to the switch authenticator, the port transitions from
authorized to unauthorized state.
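
The exchange described above, as an added example that is not part of the original guide or the switch firmware: a decoder that names each EAPOL frame in a capture and tracks the controlled port's state. The frame bytes are constructed samples; the header layout and the EAP-Success/EAP-Failure codes are assumed from IEEE 802.1X and RFC 3748, and `decode_eapol`, `port_state_after` and `eap` are hypothetical helper names.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eapol(frame: bytes) -> str:
    """Name an EAPOL PDU (the bytes that follow EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]          # slicing drops Ethernet padding
    if len(body) != length:
        raise ValueError("EAPOL length exceeds captured bytes")
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    name = "EAP-" + EAP_CODES.get(code, f"code-{code}")
    if code in (1, 2) and len(body) >= 5:   # Request/Response carry a method type
        name += "/Identity" if body[4] == 1 else f"/type-{body[4]}"
    return name

def port_state_after(frames, state="unauthorized"):
    """Track the controlled port's state across (sender, frame) pairs."""
    for sender, frame in frames:
        msg = decode_eapol(frame)
        if (sender, msg) == ("switch", "EAP-Success"):
            state = "authorized"
        elif (sender, msg) in (("switch", "EAP-Failure"), ("client", "EAPOL-Logoff")):
            state = "unauthorized"
    return state

def eap(code, ident, data=b""):
    """Build a constructed EAPOL frame carrying one EAP packet."""
    pkt = struct.pack("!BBH", code, ident, 4 + len(data)) + data
    return struct.pack("!BBH", 1, 0, len(pkt)) + pkt

# Constructed sample exchange (not a real capture); method type 4 = MD5-Challenge.
START = bytes([1, 1, 0, 0])
LOGOFF = bytes([1, 2, 0, 0])
EXCHANGE = [
    ("client", START),                               # client initiates
    ("switch", eap(1, 1, b"\x01")),                  # EAP-Request/Identity
    ("client", eap(2, 1, b"\x01alice")),             # EAP-Response/Identity
    ("switch", eap(1, 2, b"\x04\x10" + bytes(16))),  # challenge relayed from RADIUS
    ("client", eap(2, 2, b"\x04\x10" + bytes(16))),  # client's credential response
    ("switch", eap(3, 2)),                           # EAP-Success
]
```

The port stays unauthorized until the switch itself sends EAP-Success, and a later EAPOL-Logoff from the client returns it to unauthorized.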