Cisco Support Community

EAP over lan (EAPOL)

Hi everybody!

I was reading about EAPOL and found the following on a link. Is it true that EAPOL is used for wireless as well?

"The key protocol in 802.1x is called EAP over LANs (EAPOL). It is currently defined for Ethernet-like LANs including 802.11 wireless, as well as token ring LANs (including FDDI)"

2) There are different EAPOL frames:

EAPOL-start, EAP-logoff, EAPOL-key, EAPOL_encapsulated -asf-alert.

What function does EAPOL-key perform?

Thanks a lot!

Here is what I found about EAPOL_encapsulated -asf-alert.

"the ASF Alert EAP packet type allows for things like SNMP traps to be sent through a port where the authentication resulted in an Unauthorized state"

Who sends this alert, the authenticator or the supplicant? If the authenticator sends this frame, then to whom does it send it? The SNMP management console? How, as EAPOL only works between the authenticator and the supplicant?

Thanks a lot!

1 REPLY

Re: EAP over lan (EAPOL)

The keys used for encryption are derived from the PMK that has been mutually derived during the EAP authentication section. This PMK is sent to the authenticator in the EAP success message, but is not forwarded to the supplicant because the supplicant has derived its own copy of the PMK.

1. The authenticator sends an EAPOL-Key frame containing an authenticator nonce (ANonce), which is a random number generated by the authenticator.

a. The supplicant derives a PTK from the ANonce and supplicant nonce (SNonce), which is a random number generated by the client/supplicant.

2. The supplicant sends an EAPOL-Key frame containing an SNonce, the RSN information element from the (re)association request frame, and an MIC.

a. The authenticator derives a PTK from the ANonce and SNonce and validates the MIC in the EAPOL-Key frame.

3. The authenticator sends an EAPOL-Key frame containing the ANonce, the RSN information element from its beacon or probe response messages; the MIC, determining whether to install the temporal keys; and the encapsulated group temporal key (GTK), the multicast encryption key.

4. The supplicant sends an EAPOL-Key frame to confirm that the temporal keys are installed.
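The first two messages of the handshake described in the reply above, as an added example that is not part of the original thread. It uses the PTK derivation and MIC from IEEE 802.11i (HMAC-SHA1 PRF, which also mixes in the PMK and both MAC addresses, details the reply does not spell out) and assumes CCMP with key descriptor version 2; the MAC addresses and frame body are constructed sample values.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"  # label defined by IEEE 802.11i

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Both sides run this; sorting the inputs makes the result order-independent."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, LABEL, data, 48)  # 384-bit PTK (CCMP assumed)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 MIC: HMAC-SHA1 keyed with the KCK, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def run_handshake(supplicant_pmk: bytes, authenticator_pmk: bytes):
    """Simulate messages 1 and 2; return (mic_valid, temporal_keys_match)."""
    aa = bytes.fromhex("020000000001")   # constructed authenticator MAC
    spa = bytes.fromhex("020000000002")  # constructed supplicant MAC

    anonce = os.urandom(32)              # message 1: authenticator -> supplicant

    snonce = os.urandom(32)              # step 1a: supplicant derives its PTK
    sup = derive_ptk(supplicant_pmk, aa, spa, anonce, snonce)
    msg2 = b"constructed-EAPOL-Key-msg2" + snonce  # stand-in for the real frame
    msg2_mic = eapol_mic(sup["kck"], msg2)         # message 2 carries SNonce + MIC

    # Step 2a: authenticator derives its own PTK and validates the MIC.
    auth = derive_ptk(authenticator_pmk, aa, spa, anonce, snonce)
    mic_valid = hmac.compare_digest(msg2_mic, eapol_mic(auth["kck"], msg2))
    return mic_valid, sup["tk"] == auth["tk"]

if __name__ == "__main__":
    pmk = os.urandom(32)
    print("same PMK:     ", run_handshake(pmk, pmk))
    print("different PMK:", run_handshake(pmk, os.urandom(32)))
```

A MIC failure in message 2 means the two sides do not hold the same PMK, so the authenticator stops before sending the GTK in message 3.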
