Extensible Authentication Protocol (EAP) over LAN (EAPoL) is the port-based network authentication protocol defined by IEEE 802.1X (Port-Based Network Access Control). It carries EAP directly over a LAN so that a device must complete a generic network sign-on before the switch port grants it access to network resources.
EAPoL, like EAP itself, is a simple encapsulation that can run over any IEEE 802 LAN. The same three main components that EAP defines take part in the EAPoL authentication conversation. The figure shows how these LAN components are connected in a wired environment.
- Supplicant (Port Authentication Entity (PAE) seeking access to network resources)
- Authenticator (PAE that controls network access)
- Authentication Server (typically a RADIUS/AAA server; the authenticator relays the EAP conversation between the supplicant and this server and never terminates EAP itself)
EAPoL Frame Format
|Field|MAC Header|Ethernet Type|Version|Packet Type|Packet Body Length|Packet Body|Frame Check Sequence|
|---|---|---|---|---|---|---|---|
|Size|12 bytes|2 bytes|1 byte|1 byte|2 bytes|variable length|4 bytes|
The fields in the frame are:
The first 6 bytes of the MAC header are the Destination Address and the last 6 bytes are the Source Address. On a wired LAN the supplicant addresses its EAPoL frames to the PAE group address 01-80-C2-00-00-03, which bridges do not forward, so the frames stay on the link between supplicant and authenticator.
The Ethernet Type field contains 0x888E (88-8e), the two-byte EtherType assigned to EAPoL.
The Version field is one byte. IEEE 802.1X-2001 defined version 1, 802.1X-2004 defined version 2, and 802.1X-2010 defined version 3, which also introduced the EAPOL-MKA and EAPOL-Announcement packet types used for MACsec. The header layout and the encoding of the EAP-Packet, EAPOL-Start and EAPOL-Logoff types are the same in all three versions, so a parser should not reject a frame merely because the version number differs from its own.
The Packet Type field is one byte and identifies what the frame carries:
|Packet Type|Name|Description|
|---|---|---|
|0000 0000 (0)|EAP-Packet|Contains an encapsulated EAP packet (the majority of EAPoL frames are this type)|
|0000 0001 (1)|EAPOL-Start|Sent by a supplicant to begin authentication on its own initiative instead of waiting for the authenticator to issue an EAP-Request/Identity|
|0000 0010 (2)|EAPOL-Logoff|Returns the port to the Unauthorized state when the supplicant is finished using the network|
|0000 0011 (3)|EAPOL-Key|Used to exchange cryptographic keying information|
|0000 0100 (4)|EAPOL-Encapsulated-ASF-Alert|Provided as a method of allowing Alerting Standards Forum (ASF) alerts (e.g. specific SNMP traps) to be forwarded through a port that is in the Unauthorized state|
|All other values|Reserved|Reserved for future use as of 802.1X-2004; 802.1X-2010 later assigned 5 to EAPOL-MKA and 6 through 8 to EAPOL-Announcement frames|
Packet Body Length
The Packet Body Length field is a 2 byte value giving the length in bytes of the Packet Body that follows it. It is set to 0 when there is no packet body, as with EAPOL-Start and EAPOL-Logoff. It is the only reliable indication of where the body ends: Ethernet pads short frames up to the 64-byte minimum, so an EAPoL frame will usually carry trailing zero bytes after the body that a receiver must ignore. A parser must also never read beyond the bytes actually received, even when the field claims a longer body than the frame contains.
When the Packet Type is EAP-Packet, the body is an EAP packet whose own header carries a separate two-byte Length field counting the entire EAP packet, header included. EAP assumes anything in excess of its Length is padding that can be ignored, so the EAP Length must be no larger than the Packet Body Length; a frame in which the EAP Length exceeds the Packet Body Length is malformed and should be dropped rather than parsed.
Frame Check Sequence
The Frame Check Sequence (FCS) is the 4 byte Ethernet CRC-32 appended to the frame for error detection only; it does not correct errors. A frame with a bad FCS is discarded by the receiving NIC, which normally also strips the FCS before handing the frame to software, so it is usually absent from packet captures. A sample of a typical EAPoL exchange is shown in the following figure.
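The frame layout, the two length fields described under Packet Body Length, and the exchange referred to above, as one added worked example that is not part of the original page: a small Python encoder and decoder that builds a constructed wired 802.1X exchange (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Success, EAPOL-Logoff), parses each frame back while skipping Ethernet padding, and rejects frames whose Packet Body Length or EAP Length do not fit the bytes received. The MAC addresses, the identity string and the malformed frames are constructed for illustration, not taken from a real capture; the FCS is omitted because the NIC strips it before software sees the frame.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                        # EtherType 88-8e assigned to EAPoL
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address (supplicant -> authenticator)
SUPPLICANT_MAC = bytes.fromhex("001122334455")  # constructed addresses, not from a real capture
AUTHENTICATOR_MAC = bytes.fromhex("66778899aabb")
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
MIN_FRAME_NO_FCS = 60  # 64-byte Ethernet minimum minus the 4-byte FCS the NIC adds and strips


def build_eap(code, identifier, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) Data. Length counts the whole EAP packet."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_eapol(dst, src, packet_type, body=b"", version=2):
    """MAC header, EtherType, Version, Packet Type, Packet Body Length, body,
    zero-padded to the Ethernet minimum the way a sending NIC would."""
    frame = dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, packet_type, len(body)) + body
    return frame + b"\x00" * max(0, MIN_FRAME_NO_FCS - len(frame))


def parse_eap(body):
    """Parse the EAP packet inside an EAP-Packet body; bytes past EAP Length are ignored."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length inconsistent with Packet Body Length")
    data = body[4:length]
    eap = {"code": EAP_CODES.get(code, code), "id": identifier, "length": length}
    if code in (1, 2) and data:  # Request/Response carry a Type byte followed by type data
        eap["type"] = data[0]
        eap["type_data"] = data[1:]
    return eap


def parse_eapol(frame):
    """Parse one EAPoL frame as received (no FCS), trusting Packet Body Length only
    as far as the bytes actually captured allow."""
    if len(frame) < 18:
        raise ValueError("frame shorter than MAC header plus EAPoL header")
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    if body_len > len(frame) - 18:
        raise ValueError("Packet Body Length exceeds captured frame")
    body = frame[18:18 + body_len]
    parsed = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
              "version": version, "type": EAPOL_TYPES.get(ptype, ptype),
              "body_len": body_len, "padding": len(frame) - 18 - body_len}
    if ptype == 0:
        parsed["eap"] = parse_eap(body)
    return parsed


def validate(frame):
    """Return 'ok' or the reason the frame was rejected."""
    try:
        parse_eapol(frame)
        return "ok"
    except ValueError as err:
        return str(err)


def sample_exchange():
    """Constructed wired 802.1X exchange, in order, as (sender, frame) pairs."""
    identity = b"alice@example.net"  # constructed identity
    return [
        ("supplicant", build_eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 1)),                      # EAPOL-Start
        ("authenticator", build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0,
                                      build_eap(1, 1, bytes([EAP_TYPE_IDENTITY])))),           # EAP-Request/Identity
        ("supplicant", build_eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 0,
                                   build_eap(2, 1, bytes([EAP_TYPE_IDENTITY]) + identity))),   # EAP-Response/Identity
        ("authenticator", build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0, build_eap(3, 2))),  # EAP-Success
        ("supplicant", build_eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 2)),                      # EAPOL-Logoff
    ]


def malformed_samples():
    """Constructed frames exercising the length checks."""
    good = sample_exchange()[1][1]
    return {
        # header claims a 200-byte body inside a 60-byte frame
        "body_len_too_big": good[:16] + struct.pack("!H", 200) + good[18:],
        # Packet Body Length 5 but EAP Length 255
        "eap_len_too_big": build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0, b"\x01\x01\x00\xff\x01"),
        # EAP-Success followed by two junk bytes inside the body: legal, EAP ignores them
        "trailing_bytes_ignored": build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0, build_eap(3, 2) + b"\xaa\xbb"),
    }


if __name__ == "__main__":
    for sender, frame in sample_exchange():
        print(sender, parse_eapol(frame))
    for name, frame in malformed_samples().items():
        print(name, validate(frame))
```

The two length checks in `parse_eapol` and `parse_eap` are the ones that matter in practice: the 42 bytes of zero padding on an EAPOL-Start are only distinguishable from body by the Packet Body Length field, and a parser that trusts either length field without bounding it by the bytes actually received is the classic source of out-of-bounds reads in 802.1X implementations.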