Dot1X
EAP-MD5 - minimal security: a challenge/response where the peer returns an unkeyed MD5 hash over its password and the challenge, sent in the clear, so a captured exchange can be brute-forced offline; it derives no keying material (so it is unusable for wireless) and only authenticates the EAP peer to the EAP server, not the server to the peer.
EAP-TLS - we authenticate using certs: a full TLS handshake is run inside EAP and both sides present certificates; the handshake itself is the authentication, no tunnel is used to carry an inner method. The majority of EAP-TLS implementations require mutual authentication using client-side X.509 certificates without giving the option to disable the requirement, even though the standard does not mandate their use.
EAP-PEAP - we build a TLS tunnel with server authentication only (server cert), then run an inner EAP method inside it (the notes give MD5; EAP-MSCHAPv2 is the common one) to authenticate the client. The whole scheme rests on the supplicant validating the server certificate and CA; a client that skips that check will hand its inner credentials to a rogue authenticator.
EAP-FAST - uses a PAC instead of certs. The Protected Access Credential (PAC) is a unique shared credential, provisioned to each client, used to authenticate client and server. Server certificates are optional in EAP-FAST (anonymous in-band PAC provisioning is not authenticated, so the first exchange is exposed to a man-in-the-middle). The PAC is used to establish a TLS tunnel in which the client credentials are verified.
EAPOL (EAP over LAN, EtherType 0x888E) packet types:
00 - EAP-Packet
01 - EAPOL-Start
02 - EAPOL-Logoff
03 - EAPOL-Key
04 - EAPOL-EncapsASF-Alerts
Frame 1: 19 bytes on wire (152 bits), 19 bytes captured (152 bits) on interface \Device\NPF_{62B5A3D6-31C6-4862-83A3-DF3F67D13B89}, id 0
Ethernet II, Src: WistronInfoc_db:c4:32 (f0:de:f1:db:c4:32), Dst: Nearest-non-TPMR-bridge (01:80:c2:00:00:03)
Destination: Nearest-non-TPMR-bridge (01:80:c2:00:00:03)
Source: WistronInfoc_db:c4:32 (f0:de:f1:db:c4:32)
Type: 802.1X Authentication (0x888e) <<< EtherType 0x888E
Trailer: 00
802.1X Authentication
Version: 802.1X-2001 (1)
Type: Start (1) <<< 01 (EAPOL-start)
Length: 0
EAP - Code (first octet of the EAP header carried inside EAPOL Type 00, EAP-Packet)
01 - Request
02 - Response
03 - Success
04 - Failure
EAP - Type (present only in Request and Response packets)
1 - Identity
2 - Notification
3 - NAK
4 - EAP-MD5
13 - EAP-TLS
17 - LEAP
25 - PEAP
43 - EAP-FAST
EAP:
Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{62B5A3D6-31C6-4862-83A3-DF3F67D13B89}, id 0
Ethernet II, Src: Cisco_6f:d4:86 (3c:ce:73:6f:d4:86), Dst: Nearest-non-TPMR-bridge (01:80:c2:00:00:03)
802.1X Authentication
Version: 802.1X-2004 (2)
Type: EAP Packet (0) <<< EAPOL-packet
Length: 5
Extensible Authentication Protocol
Code: Request (1) <<< EAP - request
Id: 1
Length: 5
Type: Identity (1) <<< EAP - identity
EAP-PEAP:
Frame 4: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{62B5A3D6-31C6-4862-83A3-DF3F67D13B89}, id 0
Ethernet II, Src: Cisco_6f:d4:86 (3c:ce:73:6f:d4:86), Dst: Nearest-non-TPMR-bridge (01:80:c2:00:00:03)
802.1X Authentication
Version: 802.1X-2004 (2)
Type: EAP Packet (0)
Length: 6
Extensible Authentication Protocol
Code: Request (1)
Id: 85
Length: 6
Type: Protected EAP (EAP-PEAP) (25)
EAP-TLS Flags: 0x21 <<< S (Start) bit 0x20 set, PEAP version 1 in the low 3 bits; Wireshark keeps the "EAP-TLS Flags" label for PEAP and EAP-FAST too
End of the exchange:
Frame 22: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface \Device\NPF_{62B5A3D6-31C6-4862-83A3-DF3F67D13B89}, id 0
Ethernet II, Src: Cisco_6f:d4:86 (3c:ce:73:6f:d4:86), Dst: Nearest-non-TPMR-bridge (01:80:c2:00:00:03)
802.1X Authentication
Version: 802.1X-2004 (2)
Type: EAP Packet (0)
Length: 4
Extensible Authentication Protocol
Code: Success (3)
Id: 93
Length: 4
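To tie the tables and the four Wireshark dissections above together, here is an added decoder (not part of the original notes) that walks Ethernet II + EAPOL + EAP, names the EAPOL type, EAP code and EAP type from the tables, and pulls apart the 0x21 flags byte of the PEAP request. The sample frames are constructed from the header fields shown in the dissections above (MACs, versions, types, lengths, ids); the Ethernet padding is assumed to be zeros. Every length field is checked against the bytes actually present, since trusting an EAPOL or EAP Length field is how parser bugs in supplicants and authenticators start.

```python
import struct

ETHERTYPE_8021X = 0x888E               # EtherType for 802.1X Authentication / EAPOL
PAE_GROUP_ADDR = "01:80:c2:00:00:03"   # Nearest non-TPMR bridge group address used for EAPOL

# Tables from the notes above
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}
TLS_BASED = {13, 25, 43}               # methods whose first data octet is the L/M/S/Version flags byte


def decode_eapol(frame: bytes) -> dict:
    """Decode Ethernet II + EAPOL header, plus the EAP header when EAPOL Type is 0.

    Raises ValueError on any inconsistent length instead of reading past the
    buffer, which is what a careless supplicant/authenticator parser would do.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet II + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021X:
        raise ValueError(f"not 802.1X: EtherType 0x{ethertype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError(f"EAPOL Length {length} exceeds captured bytes")
    out = {
        "dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "eapol_length": length,
    }
    if ptype != 0:                     # Start/Logoff have Length 0; Key/ASF bodies are not decoded here
        return out
    if length < 4:
        raise ValueError("EAP-Packet with truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[0:4])
    if eap_len < 4 or eap_len > length:
        raise ValueError(f"EAP Length {eap_len} inconsistent with EAPOL Length {length}")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": eap_len}
    if code in (1, 2):                 # Request/Response carry a Type octet; Success/Failure do not
        if eap_len < 5:
            raise ValueError("EAP Request/Response without Type octet")
        etype = body[4]
        eap["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        eap["type_data"] = body[5:eap_len].hex()
        if etype in TLS_BASED and eap_len >= 6:
            flags = body[5]            # L=0x80 length included, M=0x40 more fragments, S=0x20 start, low 3 bits = version
            eap["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20), "version": flags & 0x07}
    out["eap"] = eap
    return out


# Constructed test frames, rebuilt from the Wireshark summaries above
# (header fields match the dissections; Ethernet padding assumed to be zeros).
_PAE = bytes.fromhex("0180c2000003")
_SUPPLICANT = bytes.fromhex("f0def1dbc432")    # WistronInfoc_db:c4:32
_SWITCH = bytes.fromhex("3cce736fd486")        # Cisco_6f:d4:86
_ETH = struct.pack("!H", ETHERTYPE_8021X)


def _pad60(frame: bytes) -> bytes:
    return frame + b"\x00" * max(0, 60 - len(frame))


FRAME1 = _PAE + _SUPPLICANT + _ETH + bytes.fromhex("01010000") + b"\x00"                            # EAPOL-Start, 19 bytes
FRAME2 = _pad60(_PAE + _SWITCH + _ETH + bytes.fromhex("02000005") + bytes.fromhex("0101000501"))    # Request/Identity
FRAME4 = _pad60(_PAE + _SWITCH + _ETH + bytes.fromhex("02000006") + bytes.fromhex("015500061921"))  # Request/PEAP, flags 0x21
FRAME22 = _pad60(_PAE + _SWITCH + _ETH + bytes.fromhex("02000004") + bytes.fromhex("035d0004"))     # Success

if __name__ == "__main__":
    for name, f in (("Frame 1", FRAME1), ("Frame 2", FRAME2), ("Frame 4", FRAME4), ("Frame 22", FRAME22)):
        print(name, decode_eapol(f))
```

Running it reproduces the dissections: Frame 1 is EAPOL-Start with Length 0 and no EAP body, Frame 2 is Request/Identity Id 1, Frame 4 is Request/PEAP Id 85 with only the S bit set and version 1, and Frame 22 is Success Id 93 with no Type octet.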
Communication between NAD and AAA server:
RADIUS - EAP is carried in attribute 79 (EAP-Message), split across consecutive EAP-Message attributes of at most 253 octets; RFC 3579 requires attribute 80 (Message-Authenticator, HMAC-MD5 keyed with the shared secret) in every packet carrying EAP-Message, and the receiver silently discards the packet if it is missing or fails to verify.
RADIUS packet codes:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
12 Status-Server (experimental)
13 Status-Client (experimental)
255 Reserved
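The NAD-to-AAA leg in working code, as an added example that is not part of the original notes: it builds an Access-Request that relays the supplicant's EAP Response/Identity in attribute 79, appends attribute 80 and computes it as HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 3579 §3.2), builds an Access-Accept whose Message-Authenticator is keyed over the Request Authenticator and whose Response Authenticator follows RFC 2865 §3, and verifies both on receipt. The shared secret, the random Request Authenticator and the identity "user" are constructed sample data; the NAD and server addresses are not modelled.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes, from the table above
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client",
                255: "Reserved"}
ATTR_USER_NAME = 1
ATTR_REPLY_MESSAGE = 18
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type / Length / Value; Length counts the two header octets, so Value is at most 253."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_avps(eap_packet: bytes) -> list:
    """An EAP packet longer than 253 octets is split across consecutive EAP-Message attributes."""
    return [(ATTR_EAP_MESSAGE, eap_packet[i:i + 253]) for i in range(0, len(eap_packet), 253)]


def _assemble(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_radius(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Packet without Message-Authenticator; used to show the silent-discard path."""
    return _assemble(code, ident, authenticator, b"".join(_avp(t, v) for t, v in attrs))


def build_access_request(ident: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Message-Authenticator = HMAC-MD5(secret, whole packet with attribute 80 zeroed)."""
    body = b"".join(_avp(t, v) for t, v in attrs) + _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, _assemble(1, ident, request_auth, body), hashlib.md5).digest()
    return _assemble(1, ident, request_auth, body[:-16] + mac)


def build_response(code: int, ident: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Accept/Reject/Challenge: the HMAC is taken with the *Request* Authenticator in the header
    (RFC 3579 §3.2); then Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(_avp(t, v) for t, v in attrs) + _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, _assemble(code, ident, request_auth, body), hashlib.md5).digest()
    body = body[:-16] + mac
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_radius(pkt: bytes):
    """Returns (code, ident, length, authenticator, [(type, value_offset, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("RADIUS header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"RADIUS Length {length} inconsistent with {len(pkt)} bytes")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("attribute header truncated")
        t, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError(f"attribute {t} has bad Length {alen}")
        attrs.append((t, off + 2, pkt[off + 2:off + alen]))
        off += alen
    return code, ident, length, pkt[4:20], attrs


def verify_message_authenticator(pkt: bytes, secret: bytes, request_auth: bytes = b"") -> bool:
    """False means: silently discard (RFC 3579). Responses need the matching request's authenticator."""
    code, _, length, auth, attrs = parse_radius(pkt)
    found = [(off, v) for t, off, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, received = found[0]
    header_auth = auth if code == 1 else request_auth
    if len(header_auth) != 16:
        return False
    zeroed = pkt[:4] + header_auth + pkt[20:off] + b"\x00" * 16 + pkt[off + 16:length]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)


def verify_response_authenticator(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Rejects an Access-Accept forged by someone who does not hold the shared secret."""
    _, _, length, resp_auth, _ = parse_radius(pkt)
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


# Constructed sample: the supplicant's EAP Response/Identity ("user") relayed by the NAD.
SECRET = b"constructed-shared-secret"
EAP_RESPONSE_IDENTITY = bytes.fromhex("0201000901") + b"user"   # Code 2, Id 1, Length 9, Type 1 Identity
REQUEST_AUTH = os.urandom(16)
ACCESS_REQUEST = build_access_request(
    1, REQUEST_AUTH, [(ATTR_USER_NAME, b"user")] + eap_message_avps(EAP_RESPONSE_IDENTITY), SECRET)
```

The important detail for anyone validating a NAD or an AAA server is the asymmetry: the Access-Request's Message-Authenticator is computed over its own random Request Authenticator, while the Accept/Reject/Challenge's is computed with the Request Authenticator substituted into the header, so a verifier must keep the outstanding request keyed by Identifier to check the reply. Without attribute 80 the EAP-Message payload is unauthenticated between NAD and server, which is why RFC 3579 makes it mandatory and why a packet lacking it must be dropped rather than processed.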
http://www.ietf.org/rfc/rfc3579.txt https://standards.ieee.org/develop/regauth/grpmac/public.html