Extensible Authentication Protocol (EAP) over LAN (EAPoL) is a network port authentication protocol used in IEEE 802.1X (Port Based Network Access Control) developed to give a generic network sign-on to access network resources.

EAPoL Architecture

EAPoL, similar to EAP, is a simple encapsulation that can run over any LAN. The same three main components are defined in EAP and EAPoL to accomplish the authentication conversation. The figure shows how these LAN components are connected in a wired environment.

  1. Supplicant (Port Authentication Entity (PAE) seeking access to network resources)
  2. Authenticator (PAE that controls network access)
  3. Authentication Server (a RADIUS/AAA server)

EAPoL Frame Format

| MAC Header | Ethernet Type | Version | Packet Type | Packet Body Length | Packet Body | Frame Check Sequence |
|---|---|---|---|---|---|---|
| 12 bytes | 2 bytes | 1 byte | 1 byte | 2 bytes | variable length | 4 bytes |

The fields in the frame are:

MAC Header

The first 6 bytes of the MAC header are the Destination Address and the last 6 bytes are the Source Address.

Ethernet Type

The Ethernet Type field contains 88-8e, the two-byte type code assigned to EAPoL.

Version

Version 2 was standardized in 2004; nothing has been standardized since.

Packet Type

The Packet Type field is one byte long and identifies the type of packet the frame carries.

| Packet Type | Name | Description |
|---|---|---|
| 0000 0000 | EAP-Packet | Contains an encapsulated EAP frame (this is what the majority of EAPoL frames are) |
| 0000 0001 | EAPOL-Start | A supplicant can issue an EAPOL-Start frame instead of waiting for a challenge from the authenticator |
| 0000 0010 | EAPOL-Logoff | Used to return the state of the port to unauthorized when the supplicant is finished using the network |
| 0000 0011 | EAPOL-Key | Used to exchange cryptographic keying information |
| 0000 0100 | EAPOL-Encapsulated-ASF-Alert | Provided as a method of allowing Alerting Standards Forum (ASF) alerts (e.g. specific SNMP traps) to be forwarded through a port that is in the Unauthorized state |

All other possible values are reserved for future use.

Packet Body Length

The Packet Body Length field is a 2-byte value representing the length of the packet body. It is set to 0 when there is no packet body.

Packet Body

Within the packet body, the EAP Length field is two bytes long and contains the number of bytes in the entire EAP packet. EAP assumes anything in excess of the Length is padding that can be ignored.

Frame Check Sequence

The Frame Check Sequence (FCS) is a checksum value added to the frame for error detection and correction. A sample of a typical EAPoL exchange is shown in the following figure.
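The field layout above can be checked with a small defensive parser. This is an added example, not code from the original page: it assumes the capture interface has already stripped the FCS, and the function name, sample MAC addresses and sample frames are constructed for illustration.

```python
import struct

ETH_P_EAPOL = 0x888E  # Ethernet Type 88-8e
PACKET_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
                3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}

def parse_eapol(frame: bytes) -> dict:
    """Parse an Ethernet frame (FCS already stripped) carrying EAPoL."""
    if len(frame) < 18:  # 12 MAC + 2 type + 1 version + 1 packet type + 2 length
        raise ValueError("frame shorter than the fixed EAPoL header")
    dst, src = frame[0:6], frame[6:12]
    eth_type, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if eth_type != ETH_P_EAPOL:
        raise ValueError(f"not EAPoL: Ethernet Type {eth_type:#06x}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"reserved Packet Type {ptype}")
    # Never trust the declared length beyond the bytes actually received.
    if body_len > len(frame) - 18:
        raise ValueError("Packet Body Length exceeds the bytes in the frame")
    body = frame[18:18 + body_len]  # anything after this is padding
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
           "type": PACKET_TYPES[ptype], "body": body, "eap": None}
    if ptype == 0:  # EAP-Packet: body is an EAP packet (code, id, length, data)
        if body_len < 4:
            raise ValueError("EAP-Packet body too short for an EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("EAP Length inconsistent with Packet Body Length")
        out["eap"] = {"code": code, "id": ident, "data": body[4:eap_len]}
    return out

# Constructed sample frames (not captured traffic), padded to 60 bytes.
DST = bytes.fromhex("0180c2000003")  # PAE group address
SRC = bytes.fromhex("020000000001")  # made-up locally administered address
EAP_REQ_ID = bytes([1, 7]) + struct.pack("!H", 5) + b"\x01"  # Request, id 7, Identity
SAMPLE_EAP = DST + SRC + struct.pack("!HBBH", ETH_P_EAPOL, 2, 0, 5) + EAP_REQ_ID + bytes(37)
SAMPLE_START = DST + SRC + struct.pack("!HBBH", ETH_P_EAPOL, 2, 1, 0) + bytes(42)
# Declared body length (400) is larger than what the frame carries.
SAMPLE_BAD = DST + SRC + struct.pack("!HBBH", ETH_P_EAPOL, 2, 0, 400) + EAP_REQ_ID

if __name__ == "__main__":
    for f in (SAMPLE_EAP, SAMPLE_START):
        print(parse_eapol(f))
```

Both length fields are bounds-checked before slicing, so a frame whose declared lengths disagree with the bytes received is rejected instead of being read past its end.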

IEEE 802.1X not only defines the EAP over LAN (EAPoL) implementation, but also the EAP over Wireless (EAPoW) for use with IEEE 802.11 for getting WEP key information.