Thanks Jon!

h--sw---- radius server

host is configured to use md5-challenge, now how would radius determine what eap method to use to authenticate host? Does host send some message to radius server indicating the type of eap method, to be used to authenticate itself?

Sarah

The EAP packet contains a type field which specifies the authentication method the client wants to use. See this link for relevant types -

http://www.networksorcery.com/enp/protocol/eap.htm

Jon

Thanks Jon!

I already read that link before i posted my question.

The two types , i am focused on, are request and response.

Does client send request indicating what EAp method to be used to radius server?

My book shows the following

The backend authentication server send request, asking for its id. Then peer send response back. My point " identity is itslef is EAp method with code 1.

So how does backend authentication server determines that it has to use" identity" to authenticate the peer?

Thanks a lot!

Sarah

Identity is the most common first message sent by the authentication server to the client. The client then responds with it's identity.

Then the server challenges the client. Now i can only speak from an ACS perspective but when you configure ACS you setup the types of EAP the authentication server supports eg. EAP-TLS, EAP-MD5 etc.

The server uses one of these to challenge the client. I know you will ask but i'm not 100% sure which one the server picks if it has multiple options but it doesn't matter. Remember the client has also been set up to use a particular EAP method.

So lets say the server sends a challenge to the client using EAP-MD5 but the client is setup to use EAP-TLS. The client will send a EAP NACK back to the server, in effect saying it does not use EAP-MD5. But within that EAP-NACK packet the client will also indicate what it does want to use.

If the server supports the clients method then the server challenges the client using this method.

Note if the server picks the right method first time then there is no need for the client to send a NACK.

Jon

hi Jon

"Identity is the most common first message sent by the authentication server to the client. The client then responds with it's identity"

But according to the folowing link, authenticator sends the identity request to client.

http://news.bbc.co.uk/go/rss/-/2/hi/default.stm

"In an authenticator-initiated port authorization, a client is powered up or plugs into the port, and the authenticator port sends an Extensible Authentication Protocol (EAP) PDU to the supplicant requesting the identification of the supplicant"

-------------------------------------------

"Then the server challenges the client. Now i can only speak from an ACS perspective but when you configure ACS you setup the types of EAP the authentication server supports eg. EAP-TLS, EAP-MD5 etc.

"The server uses one of these to challenge the client. I know you will ask but i'm not 100% sure which one the server picks if it has multiple options but it doesn't matter"

I was reading about it on a link. i found out that authentication server( radius in our case) is also configured with particular eap method to authenticate a particular client.So radius won't spend time figuring out which method the client probably be using. When radius server gets the user identity, it checks into user profile file to find the Eap method to authenticate the client.

I am trying to find answers for the following questions but find so much conflicting material on different links.

EAPOL is used to carry EAP frames on ethernet.

There are different types of EAPOL.

EAPOL start.

EAPOL encapsulated -asf-alert.

what is the purpose of EAPOL start? when is this frame sent?

EAPOL -encapsulted-ASf alert:" The ASF Alert EAP packet type allows for things like SNMP traps to be sent through a port where the authentication resulted in an Unauthorized state"

who sends that frame? client or authenticator?

I t appears to me it is the client who sends that frame based on the wording above.

Then i was reading about EAPOW( eap over wireless)

I can not find any link describing the frame formats and its kind. Could you please send me some good link? ( of course be ready for questions later :-)

Thanks a lot!