Handbook
Error! Use the Home tab to apply 見出し 1 to the text that you want to appear here. 41
The following figure shows a typical message exchange initiated by the client.
Figure 2 Using EAPoL to authenticate a port
EAPoL Message Exchange
During authentication, EAPOL messages are exchanged between the client and the switch authenticator,
while RADIUS-EAP messages are exchanged between the switch authenticator and the Radius
authentication server.
Authentication is initiated by one of the following methods:
Switch authenticator sends an EAP-Request/Identity packet to the client.
Client sends an EAPOL-Start frame to the switch authenticator, which responds with an EAP-
Request/Identity frame.
The client confirms its identity by sending an EAP-Response/Identity frame to the switch authenticator,
which forwards the frame encapsulated in a RADIUS packet to the server.
The Radius server chooses an EAP-supported authentication algorithm to verify the client‘s identity, and
sends an EAP-Request packet to the client via the switch authenticator. The client then replies to the
Radius server with an EAP-Response containing its credentials.
Upon a successful authentication of the client by the server, the 802.1x-controlled port transitions from
unauthorized to authorized state, and the client is allowed full access to services through the controlled
port. When the client later sends an EAPOL-Logoff message to the switch authenticator, the port
transitions from authorized to unauthorized state.
If a client that does not support 802.1x connects to an 802.1x-controlled port, the switch authenticator
requests the client's identity when it detects a change in the operational state of the port. The client does
not respond to the request, and the port remains in the unauthorized state.
Switch