Appendix B Authentication in ACS 5.3

EAP

In ACS 5.3, EAP is encapsulated in the RADIUS protocol. Incoming and outgoing EAP messages are stored in a RADIUS EAP-Message attribute (79). A single RADIUS packet can contain multiple EAP-Message attributes when the size of a particular EAP message is greater than the maximum RADIUS attribute data size (253 bytes).

The RADIUS State attribute (24) stores the current EAP session reference information, and ACS stores the actual EAP session data.
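The following is an added example that is not part of the Cisco guide and not ACS code: it shows, in Python, the encapsulation described above on the wire. A 605-byte EAP packet is split across three EAP-Message (79) attributes of at most 253 bytes, a State (24) attribute carries the session reference, and the receiver reassembles the fragments and checks the EAP Length field. The shared secret, State value and EAP-TLS payload are constructed for the example. Message-Authenticator (80) is included because RFC 3579 section 3.2 requires it on any RADIUS packet that carries EAP-Message (the guide does not mention it); a server that accepts EAP-Message without checking it can be fed forged EAP payloads.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types used here (RFC 2865 and RFC 3579).
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_DATA = 253          # attribute Length counts 2 header bytes + data, max 255
ACCESS_REQUEST = 1
EAP_TYPE_TLS = 13            # the sample payload below is labelled EAP-TLS for realism only

def eap_packet(code, identifier, eap_type, type_data):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data

def encode_attr(attr_type, data):
    """Encode one RADIUS attribute; refuse data that cannot fit in a single attribute."""
    if len(data) > MAX_ATTR_DATA:
        raise ValueError("attribute data exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(data) + 2) + data

def fragment_eap(eap):
    """Split an EAP packet into EAP-Message payloads of at most 253 bytes each."""
    return [eap[i:i + MAX_ATTR_DATA] for i in range(0, len(eap), MAX_ATTR_DATA)]

def build_access_request(identifier, authenticator, eap, state, secret):
    """Build an Access-Request carrying `eap` in one or more EAP-Message attributes.

    Message-Authenticator is HMAC-MD5 over the whole packet with its own
    16-byte value zeroed, keyed with the RADIUS shared secret (RFC 3579 s3.2).
    """
    attrs = b"".join(encode_attr(ATTR_EAP_MESSAGE, frag) for frag in fragment_eap(eap))
    attrs += encode_attr(ATTR_STATE, state)
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def parse_attrs(packet):
    """Return [(type, data, offset)] for the attributes after the 20-byte RADIUS header."""
    attrs, offset = [], 20
    while offset < len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, packet[offset + 2:offset + attr_len], offset))
        offset += attr_len
    return attrs

def verify_message_authenticator(packet, secret):
    """Recompute Message-Authenticator over the packet with its value zeroed; constant-time compare."""
    for attr_type, data, offset in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(data) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, data)
    return False   # EAP-Message without Message-Authenticator must be rejected

def reassemble_eap(packet):
    """Concatenate EAP-Message fragments in packet order and validate the EAP Length field."""
    eap = b"".join(d for t, d, _ in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no EAP-Message attributes present")
    declared = struct.unpack("!H", eap[2:4])[0]
    if declared != len(eap):
        raise ValueError(f"EAP Length {declared} does not match {len(eap)} bytes carried")
    return eap

if __name__ == "__main__":
    # Constructed sample: a 600-byte EAP-TLS Response needs three EAP-Message attributes.
    eap = eap_packet(2, 7, EAP_TYPE_TLS, b"\x80" + bytes(599))
    packet = build_access_request(42, bytes(16), eap, b"session-ref-1", b"constructed-secret")
    print(len(fragment_eap(eap)), "EAP-Message attributes;",
          "Message-Authenticator valid:", verify_message_authenticator(packet, b"constructed-secret"))
```

The Request Authenticator is passed in as zeros here; a real client fills it with 16 random bytes per Access-Request, and the HMAC covers it, so replaying a captured packet with a different authenticator fails the check.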

The EAP standard is described in:

RFC 3748—Extensible Authentication Protocol (EAP).

RFC 3579—RADIUS Support For Extensible Authentication Protocol (EAP).

In the EAP process:

1. The network device sends an EAP Request to a host when the host connects to the network.

2. The host sends an EAP Response to the network device; the network device embeds the EAP packet that it received from the host in a RADIUS Access-Request and sends it to ACS, which acts as the EAP server.

3. ACS negotiates the EAP method for authentication. The client either accepts the EAP method that the EAP server proposes, or responds with a negative acknowledgment (NAK) that lists the alternative EAP methods it supports. The server and client must agree on the EAP method before the method-specific authentication exchange can begin.
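The negotiation in step 3, as an added example that is not from the Cisco guide or ACS itself: both sides of the exchange are simulated in Python using the EAP Codes from Table B-1 and the Nak Type (3) from RFC 3748 section 5.3.1. The server proposes the first method on its configured list; a peer that does not support it answers with a NAK whose Type-Data lists the methods it does support; the server then re-proposes the first of its remaining methods that the peer listed, or sends Failure when there is no overlap. The method lists are constructed for the example, and the function and constant names are this example's own, not an ACS API.

```python
import struct

# EAP Codes (Table B-1, RFC 3748) and the EAP Types used in this example.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_NAK = 3
TYPE_MD5 = 4
TYPE_TLS = 13
TYPE_PEAP = 25
TYPE_MSCHAPV2 = 26
TYPE_FAST = 43

def encode(code, identifier, eap_type=None, data=b""):
    """Encode an EAP packet. Success and Failure carry no Type field (Length 4)."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return struct.pack("!BBH", code, identifier, 4)
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data

def decode(packet):
    """Decode an EAP packet into (code, identifier, type_or_None, type_data)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length != len(packet):
        raise ValueError("EAP Length does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, packet[4], packet[5:]

def client_answer(request, supported):
    """Peer side: accept the proposed method or NAK with the methods it supports."""
    code, identifier, eap_type, _ = decode(request)
    if code != EAP_REQUEST:
        raise ValueError("a Response (and therefore a NAK) is only valid in reply to a Request")
    if eap_type in supported:
        return encode(EAP_RESPONSE, identifier, eap_type, b"")
    return encode(EAP_RESPONSE, identifier, TYPE_NAK, bytes(sorted(supported)))

def negotiate(server_methods, client_supported):
    """Server side: run the method-selection round trips.

    server_methods is the ordered list of methods the server is configured to
    allow. Returns (agreed_type_or_None, transcript) where each transcript entry
    is (direction, EAP code, EAP type).
    """
    transcript = []
    candidates = list(server_methods)
    identifier = 1
    while candidates:
        proposed = candidates[0]
        request = encode(EAP_REQUEST, identifier, proposed)
        transcript.append(("server->peer", EAP_REQUEST, proposed))
        response = client_answer(request, client_supported)
        code, resp_id, resp_type, data = decode(response)
        # A Response must echo the Identifier of the outstanding Request.
        if code != EAP_RESPONSE or resp_id != identifier:
            raise ValueError("Response Identifier does not match the outstanding Request")
        transcript.append(("peer->server", EAP_RESPONSE, resp_type))
        if resp_type == proposed:
            return proposed, transcript   # agreed; the method-specific exchange follows
        if resp_type != TYPE_NAK:
            break                         # unexpected type: treat as failure
        peer_wants = set(data)
        # Only methods the server allows AND the peer listed remain candidates.
        candidates = [m for m in candidates[1:] if m in peer_wants]
        identifier += 1
    transcript.append(("server->peer", EAP_FAILURE, None))
    return None, transcript

if __name__ == "__main__":
    # Constructed sample: server prefers EAP-TLS, then PEAP, then EAP-FAST;
    # the peer supports only EAP-FAST and EAP-MSCHAPv2.
    agreed, transcript = negotiate([TYPE_TLS, TYPE_PEAP, TYPE_FAST], {TYPE_FAST, TYPE_MSCHAPV2})
    for direction, code, eap_type in transcript:
        print(f"{direction:13} code={code} type={eap_type}")
    print("agreed method:", agreed)
```

Note that the server's preference order, not the peer's, decides which overlapping method is chosen; a deployment that allows EAP-MD5 or LEAP on the server list lets a peer steer the exchange to that weaker method simply by NAKing everything stronger, which is why the allowed-methods list should contain only the methods actually required.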

Table B-1 lists the EAP codes for each type of EAP message.

Table B-1    EAP Codes

EAP message type    EAP code
Request             1
Response            2
Success             3
Failure             4

Table B-2 describes the EAP methods that ACS 5.3 supports.

Table B-2    Supported EAP methods

EAP Method      Description
EAP-MD5         Message Digest 5 Protocol. For more information, see EAP-MD5, page B-5.
LEAP            Lightweight Extensible Authentication Protocol.
PEAPv0/v1       Protected Extensible Authentication Protocol version 0 and version 1. For more information, see PEAPv0/1, page B-14.
EAP-FAST        EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol. For more information, see EAP-FAST, page B-18.
EAP-MSCHAPv2    Microsoft Challenge Handshake Authentication Protocol version 2. For more information, see EAP-MSCHAPv2, page B-30.
EAP-GTC         EAP Generic Token Card.
EAP-TLS         Extensible Authentication Protocol-Transport Layer Security. For more information, see Exporting Credentials, page B-11.

User Guide for Cisco Secure Access Control System 5.3    B-4    OL-24201-01
