Manual
+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1
324
40.1.4 The Encapsulation of EAP Attributes
RADIUS adds two attribute to support EAP authentication: EAP-Message and Message-
Authenticator. Please refer to the Introduction of RADIUS protocol in “AAA-RADIUS-
HWTACACS operation” to check the format of RADIUS messages.
1. EAP-Message
As illustrated in the next figure, this attribute is used to encapsulate EAP packet, the type code
is 79, String domain should be no longer than 253 bytes. If the data length in an EAP packet is
larger than 253 bytes, the packet can be divided into fragments, which then will be
encapsulated in several EAP-Messages attributes in their original order.
the Encapsulation of EAP-Message Attribute
2. Message-Authenticator
As illustrated in the next figure, this attribute is used in the process of using authentication
methods like EAP and CHAP to prevent the access request packets from being eavesdropped.
Message-Authenticator should be included in the packets containing the EAP-Message
attribute, or the packet will be dropped as an invalid one.
Message-Authenticator Attribute
40.1.5 The Authentication Methods of 802.1x
The authentication can either be started by supplicant system initiatively or by devices. When
the device detects unauthenticated users to access the network, it will send supplicant system
EAP-Request/Identity messages to start authentication. On the other hand, the supplicant
system can send EAPOL-Start message to the device via supplicant software.
802.1 x systems supports EAP relay method and EAP termination method to implement
authentication with the remote RADIUS server. The following is the description of the process
of these two authentication methods, both started by the supplicant system.