{"id":5260,"date":"2023-05-31T12:27:33","date_gmt":"2023-05-31T10:27:33","guid":{"rendered":"https:\/\/cyber-fi.net\/?p=5260"},"modified":"2023-05-31T14:56:04","modified_gmt":"2023-05-31T12:56:04","slug":"ieee-802-1x-and-eap-part-2-packet-by-packet","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2023\/05\/31\/ieee-802-1x-and-eap-part-2-packet-by-packet\/","title":{"rendered":"IEEE 802.1X and EAP &#8211; Part 2: Packet by Packet"},"content":{"rendered":"\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/cyber-fi.net\/index.php\/2023\/05\/30\/ieee-802-1x-and-eap-part-1-the-basics\/\" target=\"_blank\">After looking at the 802.1X and EAP basics in part 1<\/a>, in this part 2, we go through every packet in a  simple EAP-Exchange. Although not used anymore in most situations, this example uses EAP-MD5 because it is easy to understand and perfect for learning how 802.1X and EAP communication works.<\/p>\n\n\n\n<p>These are the components I used in this example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Supplicant device is a WLAPi with Linux<\/li>\n\n\n\n<li>The Authenticator device is a Meraki MS120 switch<\/li>\n\n\n\n<li>The Authentication Server (AS) is the Cisco ISE<\/li>\n<\/ul>\n\n\n\n<p>But any other combination of devices could be used as long as the Supplicant and the Authentication Server support EAP-MD5 and the Authenticator device supports 802.1X.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Packet by Packet<\/h2>\n\n\n\n<p>This picture summarizes the communication that we&#8217;ll look at:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-4-1024x523.png\" alt=\"\" class=\"wp-image-5265\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-4-1024x523.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-4-300x153.png 300w, 
https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-4-768x392.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-4-1536x784.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-4-2048x1045.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"257\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-5-1024x257.png\" alt=\"\" class=\"wp-image-5266\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-5-1024x257.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-5-300x75.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-5-768x193.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-5-1536x385.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-5-2048x514.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>To keep it simple, I use the generic term &#8220;packet&#8221; instead of &#8220;frame&#8221; or &#8220;datagram&#8221; in this example. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 1: Supplicant to Authenticator<\/h3>\n\n\n\n<p>The Client starts with an &#8220;EAPOL Start&#8221; message to trigger the authentication. This packet is not mandatory: it can be missing, in which case the Authenticator starts the communication. The Linux supplicant uses 802.1X version 2001, the first published standard. This and all the following frames between the Supplicant and the Authenticator are L2 communication. 
The available 802.1X Types are defined in the IEEE 802.1X standard.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"222\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-6-1024x222.png\" alt=\"\" class=\"wp-image-5267\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-6-1024x222.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-6-300x65.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-6-768x166.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-6-1536x332.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-6-2048x443.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 2: Authenticator to Supplicant<\/h3>\n\n\n\n<p>The Authenticator either answers the &#8220;EAPOL Start&#8221; with an &#8220;EAP Request, Identity&#8221; or initiates the communication with this identity request. The Meraki switch uses 802.1X version 2004, which doesn&#8217;t have to match the Supplicant&#8217;s version. EAP is transported inside 802.1X. The Id is used to map a request to the following response. 
The EAP codes and types are defined in the <a rel=\"noreferrer noopener\" href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3748\" target=\"_blank\">EAP RFC<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"326\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-7-1024x326.png\" alt=\"\" class=\"wp-image-5268\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-7-1024x326.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-7-300x96.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-7-768x245.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-7-1536x489.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-7-2048x652.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 3: Supplicant to Authenticator<\/h3>\n\n\n\n<p>The Supplicant responds to the Identity request with its identity. In tunneled implementations of EAP, we would typically see a dummy identity like &#8220;anonymous&#8221;, and the real identity is only sent through the (TLS) tunnel. This packet and the following ones are used to negotiate the EAP method between the Supplicant and the Authentication Server. 
We also see that the response Id matches the request Id in the previous packet.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"347\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-8-1024x347.png\" alt=\"\" class=\"wp-image-5269\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-8-1024x347.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-8-300x102.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-8-768x260.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-8-1536x521.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-8-2048x694.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 3: Authenticator to Authentication Server<\/h3>\n\n\n\n<p>The EAP response needs to be forwarded to the authentication server. This is done inside a RADIUS Access-Request. 
The RADIUS details are not part of this blog post; many of the Attribute-Value-Pairs (AVP) are defined in the\u00a0<a rel=\"noreferrer noopener\" href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc2865\" target=\"_blank\">RADIUS RFC<\/a>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"283\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-9-1024x283.png\" alt=\"\" class=\"wp-image-5270\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-9-1024x283.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-9-300x83.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-9-768x212.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-9-1536x425.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-9-2048x566.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The most relevant RADIUS AVP for this post is EAP-Message. This is the same EAP packet that we see between the Supplicant and Authenticator. 
But this time, it is encapsulated in IP, UDP, and RADIUS instead of EAPOL.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"452\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-11-1024x452.png\" alt=\"\" class=\"wp-image-5273\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-11-1024x452.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-11-300x132.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-11-768x339.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-11-1536x678.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-11-2048x904.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 4: Authentication Server to Authenticator<\/h3>\n\n\n\n<p>When the first EAP Identity response reaches the Authentication Server, there is no knowledge of which EAP method the Supplicant wants to use. In this example, the AS sends an EAP Request of Type EAP-TLS. This is because my Cisco ISE is configured to prefer this EAP method. 
Until the final Access-Accept or Access-Reject can be sent, all packets from the AS to the Authenticator are RADIUS Access-Challenge packets.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"500\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-12-1024x500.png\" alt=\"\" class=\"wp-image-5274\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-12-1024x500.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-12-300x146.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-12-768x375.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-12-1536x750.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-12-2048x1000.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 4: Authenticator to Supplicant<\/h3>\n\n\n\n<p>The same EAP packet is forwarded to the supplicant.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-13-1024x586.png\" alt=\"\" class=\"wp-image-5275\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-13-1024x586.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-13-300x172.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-13-768x440.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-13-1536x879.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-13.png 1852w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 5: Supplicant to Authenticator<\/h3>\n\n\n\n<p>The Supplicant is only configured for EAP-MD5. It refuses the AS-preferred method EAP-TLS and sends a hint for the configured EAP-Method. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"362\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-14-1024x362.png\" alt=\"\" class=\"wp-image-5276\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-14-1024x362.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-14-300x106.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-14-768x271.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-14-1536x542.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-14-2048x723.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 5: Authenticator to Authentication Server<\/h3>\n\n\n\n<p>The EAP response is forwarded to the Authentication Server inside of a RADIUS Access-Request message.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"632\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-15-1024x632.png\" alt=\"\" class=\"wp-image-5277\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-15-1024x632.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-15-300x185.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-15-768x474.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-15-1536x949.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-15-2048x1265.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 6: Authentication Server to Authenticator<\/h3>\n\n\n\n<p>A &#8220;real world&#8221; Authentication Server would answer with a &#8220;Failure&#8221; EAP message inside an Access-Reject because EAP-MD5 is not usually enabled. 
In this example, the AS sends a new EAP Request with an MD5 Challenge.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-16-1024x484.png\" alt=\"\" class=\"wp-image-5278\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-16-1024x484.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-16-300x142.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-16-768x363.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-16-1536x726.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-16-2048x968.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 6: Authenticator to Supplicant<\/h3>\n\n\n\n<p>Again, the EAP packet is forwarded with EAPOL.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"310\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-17-1024x310.png\" alt=\"\" class=\"wp-image-5279\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-17-1024x310.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-17-300x91.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-17-768x233.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-17-1536x465.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-17-2048x621.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 7: Supplicant to Authenticator<\/h3>\n\n\n\n<p>The Supplicant calculates an EAP-MD5 value to prove its identity. This calculation is similar to what is done with PPP CHAP. 
The resulting value is sent in an EAP response.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"286\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-18-1024x286.png\" alt=\"\" class=\"wp-image-5280\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-18-1024x286.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-18-300x84.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-18-768x215.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-18-1536x429.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-18-2048x572.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 7: Authenticator to Authentication Server<\/h3>\n\n\n\n<p>As before, the EAP response is forwarded to the AS.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"246\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-19-1024x246.png\" alt=\"\" class=\"wp-image-5281\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-19-1024x246.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-19-300x72.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-19-768x185.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-19-1536x369.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-19-2048x493.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 8: Authentication Server to Authenticator<\/h3>\n\n\n\n<p>The Authentication Server can confirm the client&#8217;s identity based on the provided username and MD5-hash. The Authenticator is informed of the success with a RADIUS Access-Accept message. 
Based on this message, the Authenticator opens the Controlled Port for communication. The EAP-Message AVP includes a Success code.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"439\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-20-1024x439.png\" alt=\"\" class=\"wp-image-5282\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-20-1024x439.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-20-300x129.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-20-768x329.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-20-1536x658.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-20-2048x877.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Packet 8: Authenticator to Supplicant<\/h3>\n\n\n\n<p>The EAP Success is forwarded to inform the Supplicant that the authentication worked as expected.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"474\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-21-1024x474.png\" alt=\"\" class=\"wp-image-5283\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-21-1024x474.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-21-300x139.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-21-768x355.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-21-1536x710.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-21-2048x947.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>With this packet, the 802.1X\/EAP exchange has finished. 
On the RADIUS side, we will likely see some subsequent Accounting messages, but these are not relevant for 802.1X and EAP.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The better Packet 6: Authentication Server to Authenticator<\/h3>\n\n\n\n<p>In at least 99% of all &#8220;real-world&#8221; implementations, we would not want our Authentication Server to accept an insecure EAP method like EAP-MD5 (same for protocols like LEAP). So, for this response, I disabled these Methods on the Authentication Server.<br>Next is the typical response to the Supplicant&#8217;s request to use EAP-MD5. The AS sends a RADIUS Access-Reject to the Authenticator; the included EAP-Message AVP states a Failure to inform the Supplicant that the previous request could not be fulfilled.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"602\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-22-1024x602.png\" alt=\"\" class=\"wp-image-5295\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-22-1024x602.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-22-300x176.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-22-768x452.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-22-1536x903.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2023\/05\/grafik-22-2048x1204.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>After looking at the 802.1X and EAP basics in part 1, in this part 2, we go through every packet in a simple EAP-Exchange. Although not used anymore in most situations, this example uses EAP-MD5 because it is easy to understand and perfect for learning how 802.1X and EAP communication works. 
These are the components <\/p>\n<div class=\"read-more-text\"><a href=\"https:\/\/cyber-fi.net\/index.php\/2023\/05\/31\/ieee-802-1x-and-eap-part-2-packet-by-packet\/\" class=\"read-more\">continue reading<\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[5,705,14,7,15],"tags":[713,714,494],"class_list":["post-5260","post","type-post","status-publish","format-standard","hentry","category-cisco","category-meraki","category-networking","category-cisco-security","category-security","tag-eap","tag-ieee-802-1x","tag-radius"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=5260"}],"version-history":[{"count":20,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5260\/revisions"}],"predecessor-version":[{"id":5322,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5260\/revisions\/5322"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=5260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=5260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=5260"}],"curies":[{"name":"wp","h
ref":"https:\/\/api.w.org\/{rel}","templated":true}]}}