EAP, peer and authenticator

Answered Question
Jan 28th, 2009

Hi everybody!

Let's say a host is connected to a switch.

The backend authenticator is implemented on the switch as well. So the switch is acting as the authenticator and as the backend authentication server as well.

The host (peer) is configured with MD5-Challenge (EAP method).

Now how would the switch determine which EAP method to use to authenticate the peer (host)?

Thanks a lot!

Correct Answer by Jon Marshall, Wed, 01/28/2009 - 12:47

Sarah

The switch does not determine the type of EAP being used. All the switch needs to support is Network EAP. Which type of EAP is irrelevant to the switch; it simply passes the EAP messages on to the RADIUS server.

It is the client and the RADIUS server where the intelligence with EAP is needed.

Jon


sarahr202 Wed, 01/28/2009 - 13:12

Thanks Jon!

h--sw---- radius server

The host is configured to use MD5-Challenge; now how would RADIUS determine what EAP method to use to authenticate the host? Does the host send some message to the RADIUS server indicating the type of EAP method to be used to authenticate itself?

sarahr202 Wed, 01/28/2009 - 13:52

Thanks Jon!

I already read that link before I posted my question.

The two types I am focused on are request and response.

Does the client send a request to the RADIUS server indicating what EAP method is to be used?

My book shows the following:

The backend authentication server sends a request asking for its ID. Then the peer sends a response back. My point: "identity" is itself an EAP method with code 1.

So how does the backend authentication server determine that it has to use "identity" to authenticate the peer?

Thanks a lot!

Jon Marshall Wed, 01/28/2009 - 14:58

Sarah

Identity is the most common first message sent by the authentication server to the client. The client then responds with its identity.

Then the server challenges the client. Now I can only speak from an ACS perspective, but when you configure ACS you set up the types of EAP the authentication server supports, e.g. EAP-TLS, EAP-MD5 etc.

The server uses one of these to challenge the client. I know you will ask, but I'm not 100% sure which one the server picks if it has multiple options, but it doesn't matter. Remember the client has also been set up to use a particular EAP method.

So let's say the server sends a challenge to the client using EAP-MD5 but the client is set up to use EAP-TLS. The client will send an EAP NACK back to the server, in effect saying it does not use EAP-MD5. But within that EAP-NACK packet the client will also indicate what it does want to use.

If the server supports the client's method, then the server challenges the client using this method.

Note that if the server picks the right method the first time, there is no need for the client to send a NACK.

Jon
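The propose-and-NAK negotiation Jon describes, as an added example that is not part of the original thread: a small Python model of EAP Request/Response packets (RFC 3748 header, with the Identity, Legacy Nak, MD5-Challenge and EAP-TLS Type values) in which the server proposes a method and the peer either answers it or NAKs with the method it is configured for. The identity string and method data are constructed placeholders, and the server only ever switches to a method it is itself configured to offer.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional
# EAP Codes and method Type values from RFC 3748 (standard values, not from the thread)
REQUEST, RESPONSE = 1, 2
IDENTITY, LEGACY_NAK, MD5_CHALLENGE, EAP_TLS = 1, 3, 4, 13

@dataclass
class EapPacket:
    code: int
    identifier: int
    type_: int
    data: bytes = b""

    def encode(self) -> bytes:
        # Length covers the whole packet: 4-byte header + 1-byte Type + Type-Data
        return struct.pack("!BBHB", self.code, self.identifier, 5 + len(self.data), self.type_) + self.data

def decode(raw: bytes) -> EapPacket:
    code, ident, length, type_ = struct.unpack("!BBHB", raw[:5])
    if length < 5 or length != len(raw):
        raise ValueError("EAP Length does not match the frame")
    return EapPacket(code, ident, type_, raw[5:length])

def peer_reply(request: EapPacket, configured_method: int) -> EapPacket:
    """The peer answers Identity, accepts its configured method, or NAKs with it."""
    if request.type_ == IDENTITY:
        return EapPacket(RESPONSE, request.identifier, IDENTITY, b"sarah")  # constructed identity
    if request.type_ == configured_method:
        return EapPacket(RESPONSE, request.identifier, request.type_, b"<method data>")
    # Legacy Nak: Type-Data lists the method Type(s) the peer is willing to use
    return EapPacket(RESPONSE, request.identifier, LEGACY_NAK, bytes([configured_method]))

def negotiate(server_methods: List[int], peer_method: int) -> Optional[int]:
    """Server side: Identity first, then propose methods; returns the agreed Type or None."""
    ident = 1
    peer_reply(EapPacket(REQUEST, ident, IDENTITY), peer_method)
    proposal = server_methods[0]
    while True:
        ident += 1
        reply = decode(peer_reply(EapPacket(REQUEST, ident, proposal), peer_method).encode())
        if reply.type_ == proposal:
            return proposal
        # Only methods the server is configured for are acceptable; the NAK is a hint, not policy
        wanted = [m for m in reply.data if m in server_methods] if reply.type_ == LEGACY_NAK else []
        if not wanted:
            return None
        proposal = wanted[0]
```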

sarahr202 Thu, 01/29/2009 - 11:43

Hi Jon

"Identity is the most common first message sent by the authentication server to the client. The client then responds with its identity"

But according to the following link, the authenticator sends the identity request to the client.

http://news.bbc.co.uk/go/rss/-/2/hi/default.stm

"In an authenticator-initiated port authorization, a client is powered up or plugs into the port, and the authenticator port sends an Extensible Authentication Protocol (EAP) PDU to the supplicant requesting the identification of the supplicant"

-------------------------------------------

"Then the server challenges the client. Now I can only speak from an ACS perspective but when you configure ACS you setup the types of EAP the authentication server supports eg. EAP-TLS, EAP-MD5 etc."

"The server uses one of these to challenge the client. I know you will ask but I'm not 100% sure which one the server picks if it has multiple options but it doesn't matter"

I was reading about it on a link. I found out that the authentication server (RADIUS in our case) is also configured with a particular EAP method to authenticate a particular client. So RADIUS won't spend time figuring out which method the client is probably using. When the RADIUS server gets the user identity, it checks the user profile file to find the EAP method to authenticate the client.

I am trying to find answers for the following questions but find so much conflicting material on different links.

EAPOL is used to carry EAP frames on Ethernet.

There are different types of EAPOL:

EAPOL-Start.

EAPOL-Encapsulated-ASF-Alert.

What is the purpose of EAPOL-Start? When is this frame sent?

EAPOL-Encapsulated-ASF-Alert: "The ASF Alert EAP packet type allows for things like SNMP traps to be sent through a port where the authentication resulted in an Unauthorized state"

Who sends that frame, client or authenticator?

It appears to me it is the client who sends that frame, based on the wording above.

Then I was reading about EAPOW (EAP over wireless).

I cannot find any link describing the frame formats and their kinds. Could you please send me some good link? (Of course, be ready for questions later :-)

Thanks a lot!
