Tags: authentication, network-programming, router, wifi

EAP Supplicant differentiation and authentication


I've been researching EAP (EAPoL, EAPoW and things like EAP-TLS et cetera), and there is some information I cannot find on the internet, so I thought I might try it here (:

To my understanding EAP (regardless of the version used) uses three components: the supplicant (or client), the authenticator (for example a router or switch) and an authentication server (which can be in the cloud but does not have to be; mostly the RADIUS protocol).

The way the authentication happens depends on the EAP type used, but after a supplicant is authenticated, how does the authenticator keep track of that? Does it use (something similar to) port-based security (which is based on... the MAC address, I guess?), or does it use some kind of token?

Any help/sources are appreciated!

EDIT: I've found something regarding 802.1X. It says 802.1X is the authentication protocol, which is port based. Before authentication, it uses the EAP protocol to communicate. I'm not sure if I understand the article correctly, but if I do, my question is answered. Could someone verify this?


Solution

  • For the ones finding this post after me.

    I misunderstood EAP and its connection to 802.1X before.

    802.1X is a protocol which is used with three components: the supplicant (client), the authenticator (mostly a switch) and an authentication server (almost always a RADIUS server). To communicate, the supplicant and the authenticator use EAP, which has many forms. The authentication server and the authenticator use RADIUS. RADIUS is able to encapsulate the EAP messages, therefore the authenticator does not need to know nor implement the EAP type used.

    As soon as a client connects to the authenticator, it receives an EAP authentication request. The authenticator sends this to the authentication server, which returns a challenge. What happens next is slightly dependent on the EAP type used, but eventually the authenticator will receive an EAP Access-Accept or Accept-Deny packet. Depending on this packet, the authenticator will open the port which the supplicant used to connect to the authenticator. The authenticator bases all requests on the MAC address.

    So to clarify, this is the 802.1X protocol, in which EAP and RADIUS are used.

    That's my understanding of it, should anyone find an error, please inform me.
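As an added illustration (not part of the original question or answer), the Python sketch below shows the two mechanisms the answer describes: an EAP packet carried opaquely inside RADIUS EAP-Message attributes, so the authenticator only relays bytes, and the authenticator's port table keyed by MAC address that stays closed until the server returns Access-Accept. The MAC address and the identity "alice" are constructed sample values.

```python
import struct

# Constants from RFC 3748 (EAP), RFC 2865 (RADIUS) and RFC 3579 (RADIUS support for EAP).
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 2, 3
ATTR_EAP_MESSAGE = 79     # RADIUS attribute type that carries an EAP packet
MAX_ATTR_DATA = 253       # attribute value limit: 255 total minus Type and Length octets

def build_eap(code, identifier, eap_type, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def eap_to_radius_attrs(eap_packet):
    """Wrap an EAP packet in EAP-Message attributes (Type, Length, Value), splitting it
    across several attributes when longer than 253 octets. The EAP type is never parsed."""
    attrs = []
    for off in range(0, len(eap_packet), MAX_ATTR_DATA):
        chunk = eap_packet[off:off + MAX_ATTR_DATA]
        attrs.append(bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk)
    return attrs

def radius_attrs_to_eap(attrs):
    """Reassemble the original EAP packet from consecutive EAP-Message attributes."""
    return b"".join(a[2:a[1]] for a in attrs if a[0] == ATTR_EAP_MESSAGE)

class AuthenticatorPorts:
    """Port state per supplicant MAC: 'unauthorized' until RADIUS says Access-Accept."""
    def __init__(self):
        self.state = {}

    def supplicant_seen(self, mac):
        self.state.setdefault(mac, "unauthorized")

    def radius_result(self, mac, radius_code):
        if radius_code == RADIUS_ACCESS_ACCEPT:
            self.state[mac] = "authorized"
        else:                        # Access-Reject, or anything unexpected, keeps it closed
            self.state[mac] = "unauthorized"
        return self.state[mac]

def demo():
    # Constructed sample: an EAP-Response/Identity for "alice" relayed to the RADIUS server.
    eap = build_eap(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, b"alice")
    attrs = eap_to_radius_attrs(eap)
    ports = AuthenticatorPorts()
    ports.supplicant_seen("00:11:22:33:44:55")
    return len(attrs), radius_attrs_to_eap(attrs) == eap, ports.radius_result("00:11:22:33:44:55", RADIUS_ACCESS_ACCEPT)
```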