[Compiled notes] EAPOL

This article describes the Extensible Authentication Protocol over LAN (EAPoL) in detail, including its role in network authentication, its operation flow and its frame format. EAPoL is part of the IEEE 802.1X standard and is used for user authentication and key management on wired and wireless LANs.


EAPoL: Extensible Authentication Protocol over LAN

Extensible Authentication Protocol over LAN (EAPOL), defined in IEEE 802.1X, provides an effective framework for authenticating and controlling user traffic to a protected network, and also changes encryption keys dynamically. EAPOL is the standard for carrying the Extensible Authentication Protocol (EAP) over a wired or wireless LAN. In the wireless environment, 802.1X also describes a method by which an access point and a wireless client share and change encryption keys, and adds some messages that help with operation over wireless. This key-changing mechanism helps address the main security weakness in 802.11: WEP key management. With 802.1X, WEP was raised to a level of security acceptable to most companies.


802.1X (EAPOL) is actually a transport mechanism and does not itself provide the authentication mechanism. When 802.1X is used, an EAP type must be chosen, such as EAP-Transport Layer Security (EAP-TLS) or EAP-Tunneled Transport Layer Security (EAP-TTLS); these define how authentication takes place. The specific EAP type resides on the authentication server and in the client's operating system or application software. The access point acts as a "pass-through" path for 802.1X messages, which means any EAP type can be specified without having to upgrade an 802.1X-capable access point.


Personally, I think the English article below gives the most detailed description.

IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management

IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.

In the 802.1X architecture, there are three key components: 1) the supplicant: the user or client that wants to be authenticated; 2) the authentication server, typically a RADIUS server; 3) the authenticator: the device in between, such as a wireless access point, which can be simple and dumb.

The key protocol in 802.1X is called EAP over LANs (EAPOL). It is currently defined for Ethernet-like LANs including 802.11 wireless, as well as token ring LANs (including FDDI). The operation process in 802.1X is as follows:

  1. The supplicant (such as a client wireless card) sends an "EAP-Response/Identity" packet to the authenticator (such as 802.11 access point), which is then passed on to the authentication server (RADIUS server which is located at the wired side of the access point).
  2. The authentication server sends back a challenge to the authenticator. The authenticator unpacks this from IP and repackages it into EAPOL and sends it to the supplicant.
  3. The supplicant responds to the challenge via the authenticator, which passes the response on to the authentication server. The authentication server uses a specific authentication algorithm to verify the client's identity. This could be through the use of digital certificates or another EAP authentication type.
  4. If the supplicant has proven its identity, the authentication server responds with a success message, which is then passed on to the supplicant. The authenticator now opens the port so that the supplicant can access the LAN, based on attributes that came back from the authentication server.

The 802.1X (EAPOL) protocol provides effective authentication regardless of whether you implement 802.11 WEP keys or no encryption at all. If configured to implement dynamic key exchange, the 802.1X authentication server can return session keys to the access point along with the accept message. The access point uses the session keys to build, sign and encrypt an EAP key message that is sent to the client immediately after sending the success message. The client can then use contents of the key message to define applicable encryption keys.

802.1X (EAPOL) is a delivery mechanism and it doesn't provide the actual authentication mechanisms. When utilizing 802.1X, you need to choose an EAP type, such as Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), which defines how the authentication takes place. The specific EAP type resides on the authentication server and within the operating system or application software on the client devices. The access point acts as a "pass through" for 802.1X messages, which means that you can specify any EAP type without needing to upgrade an 802.1X-compliant access point.


Protocol Structure - IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management
EAPOL Frame Format for 802.3/Ethernet:

Field:  PAE Ethernet Type | Protocol version | Packet type | Packet Body length | Packet Body
Size:   2 bytes           | 1 byte           | 1 byte      | 2 bytes            | Variable

  • PAE Ethernet Type - the Ethernet Type value assigned for use by the PAE (Port Access Entity).
  • Protocol version - an unsigned binary number whose value is the version of the EAPOL protocol.
  • Packet type - an unsigned binary number whose value determines the type of the packet, as follows: a) EAP-Packet; b) EAPOL-Start; c) EAPOL-Logoff; d) EAPOL-Key; e) EAPOL-Encapsulated-ASF-Alert.
  • Packet Body length - an unsigned binary number whose value defines the length in octets of the Packet Body field.
  • Packet Body - this field is present if the Packet type field contains the value EAP-Packet, EAPOL-Key, or EAPOL-Encapsulated-ASF-Alert; otherwise it is not present.

EAPOL Frame Format for Token Ring /FDDI:


Field:  SNAP Ethernet Type | Protocol version | Packet type | Packet Body length | Packet Body
Size:   8 bytes            | 1 byte           | 1 byte      | 2 bytes            | Variable

  • SNAP Ethernet Type - contains the PAE Ethernet Type encoded in SNAP format, as follows: bytes 1-3 carry the standard SNAP header; bytes 4-6 carry the SNAP PID; bytes 7-8 carry the PAE Ethernet Type value.
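The following is an added example (not from the original article or any project) that decodes the 802.3/Ethernet EAPOL frame layout described above and, for an EAP-Packet, the EAP header inside it, using a constructed EAP-Response/Identity frame like the one the supplicant sends in step 1 of the exchange. The Ethernet Type 0x888E, the packet type numbering 0-4 in the order listed, the EAP codes and the PAE group address come from IEEE 802.1X and RFC 3748; the supplicant MAC and identity are constructed sample values.

```python
import struct
PAE_ETHERTYPE = 0x888E  # Ethernet Type assigned to the PAE (IEEE 802.1X)
PACKET_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",   # values in the order
                3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}      # the text lists them
TYPES_WITH_BODY = {0, 3, 4}  # only these packet types carry a Packet Body
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address
SUPPLICANT_MAC = bytes.fromhex("020000000001")  # constructed sample address

def parse_eap(body: bytes) -> dict:
    """Decode the EAP header inside an EAP-Packet body: Code, Identifier, Length, [Type, data]."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or length < 4 or length > len(body):
        raise ValueError("malformed EAP header")
    pkt = {"code": EAP_CODES[code], "id": ident}
    if code in (1, 2) and length >= 5:  # Request/Response carry a Type octet; Identity is type 1
        pkt["type"], pkt["data"] = body[4], body[5:length]
    return pkt

def parse_eapol(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying EAPOL; raise ValueError if it is malformed."""
    if len(frame) < 18:  # 14-octet Ethernet header + 4-octet EAPOL header
        raise ValueError("frame too short for an EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != PAE_ETHERTYPE:
        raise ValueError(f"not EAPOL (Ethernet type 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = b""
    if ptype in TYPES_WITH_BODY:
        body = frame[18:18 + body_len]
        if len(body) < body_len:  # header claims more octets than the frame holds
            raise ValueError("packet body length exceeds frame length")
    result = {"dst": frame[:6], "src": frame[6:12], "version": version,
              "type": PACKET_TYPES[ptype], "body": body}
    if ptype == 0:
        result["eap"] = parse_eap(body)
    return result

def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    """Assemble an Ethernet/EAPOL frame; used here only to construct sample input."""
    return dst + src + struct.pack("!HBBH", PAE_ETHERTYPE, version, ptype, len(body)) + body

# Constructed samples: step 1 of the exchange (EAP-Response/Identity) and an EAPOL-Start
SAMPLE_IDENTITY = build_eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 0,
                              struct.pack("!BBHB", 2, 1, 22, 1) + b"alice@example.com")
SAMPLE_START = build_eapol(PAE_GROUP_ADDR, SUPPLICANT_MAC, 1)
```

A body length that exceeds the captured frame is rejected rather than silently truncated, which is the check a capture-based detector or an authenticator implementation needs before trusting the length field.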

