==Protocol operation==
EAPOL operates over the [[data link layer]]; in the [[Ethernet II framing]] protocol it has an [[EtherType]] value of 0x888E.

===Port entities===
802.1X-2001 defines two logical port entities for an authenticated port—the "controlled port" and the "uncontrolled port". The controlled port is manipulated by the 802.1X PAE (Port Access Entity) to allow (in the authorized state) or prevent (in the unauthorized state) network traffic ingress and egress to/from the controlled port. The uncontrolled port is used by the 802.1X PAE to transmit and receive EAPOL frames. 802.1X-2004 defines the equivalent port entities for the supplicant, so a supplicant implementing 802.1X-2004 may prevent higher-level protocols from being used if it is not satisfied that authentication has successfully completed. This is particularly useful when an EAP method providing [[mutual authentication]] is used, as the supplicant can prevent data leakage when connected to an unauthorized network.

===Typical authentication progression===
The typical authentication procedure consists of:
[[File:802-1X.png|thumb|Sequence diagram of the 802.1X progression (initiated by the supplicant)|444x444px]]
# '''Initialization''' On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the [[Internet Protocol]] (and with that [[Transmission Control Protocol|TCP]] and [[User Datagram Protocol|UDP]]), is dropped.
# '''Initiation''' To initiate authentication, the authenticator periodically transmits EAP-Request Identity frames to a special Layer 2 [[MAC address]] ({{MACaddr|01:80:C2:00:00:03}}) on the local network segment. The supplicant listens at this address, and on receipt of the EAP-Request Identity frame, it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a [[RADIUS]] Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which then replies with an EAP-Request Identity frame.
# '''Negotiation''' ''(Technically EAP negotiation)'' The authentication server sends a reply (encapsulated in a [[RADIUS]] Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (the type of EAP-based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point, the supplicant can start using the requested EAP Method, or send a NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.
# '''Authentication''' If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a [[RADIUS]] Access-Accept packet) or an EAP-Failure message (encapsulated in a [[RADIUS]] Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed. If it is unsuccessful, the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator; the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
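The frame layout and port-state transitions described above, worked through as an added example (not part of the article and not any vendor's implementation): it builds the EAPOL-Start, EAP-Request/Response Identity, EAP-Success and EAPOL-Logoff frames with the EtherType and group MAC from the section, parses them back, and tracks the controlled-port state a monitor would infer from the frames it sees on one port. The supplicant and authenticator MACs and the identity "alice" are constructed for the example; the EAP header layout follows RFC 3748.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                                 # from the section above
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")            # 01:80:C2:00:00:03
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2           # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY = 1

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, length, then optional type + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body
def build_eapol(dst, src, ptype, body=b""):
    """Ethernet II frame + EAPOL header (version 2 = 802.1X-2004, type, length)."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, ptype, len(body)) + body
def parse_eapol(frame):
    """Decode one frame; None for non-EAPOL or truncated frames."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        return None                                      # length field exceeds frame
    eap = None
    if ptype == EAPOL_EAP and len(body) >= 4:
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen > len(body):
            return None                                  # EAP length exceeds EAPOL body
        eap = {"code": code, "id": ident}
        if code in (EAP_REQUEST, EAP_RESPONSE) and elen >= 5:
            eap["type"], eap["data"] = body[4], body[5:elen]
    return {"src": frame[6:12], "ptype": ptype, "eap": eap}
def track_port(frames):
    """Controlled-port state implied by the EAPOL frames seen on one port, per frame."""
    state, states = "unauthorized", []                   # Initialization: start blocked
    for p in map(parse_eapol, frames):
        if p and (p["ptype"] == EAPOL_LOGOFF or (p["eap"] and p["eap"]["code"] == EAP_FAILURE)):
            state = "unauthorized"
        elif p and p["eap"] and p["eap"]["code"] == EAP_SUCCESS:
            state = "authorized"
        states.append(state)                             # other traffic leaves state unchanged
    return states
# Constructed replay of the sequence in the text (MACs are made up for the example).
SUP, AUTH = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_eapol(PAE_GROUP_MAC, SUP, EAPOL_START),
    build_eapol(SUP, AUTH, EAPOL_EAP, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
    build_eapol(PAE_GROUP_MAC, SUP, EAPOL_EAP, build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")),
    build_eapol(SUP, AUTH, EAPOL_EAP, build_eap(EAP_SUCCESS, 2)),
    build_eapol(PAE_GROUP_MAC, SUP, EAPOL_LOGOFF),
]
```

`track_port(SAMPLE_FRAMES)` stays "unauthorized" through the Start and Identity exchange, flips to "authorized" only on EAP-Success, and returns to "unauthorized" on EAPOL-Logoff; the parser rejects frames whose length fields overrun the captured bytes rather than reading past them.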