What Is Extensible Authentication Protocol over LAN? Security Definition
Quick Definition
EAP over LAN is a way for a computer to prove its identity to a network before it gets full access. Think of it as showing your ID at a security desk before you are allowed into a building. It wraps up the authentication process inside special messages that travel over the local network, keeping the whole exchange secure.
Must Know for Exams
EAP over LAN is a core topic in both CompTIA Network+ (N10-008 and N10-009) and CompTIA Security+ (SY0-601 and SY0-701) exams. In Network+, the exam objectives explicitly list 802.1X and EAP as key concepts under network security and authentication technologies.
You can expect questions that ask you to identify the role of EAP over LAN in the 802.1X process. The exam may present a scenario where a company needs to authenticate devices before granting network access, and you must select the correct combination of technologies.
For example, a question might describe a switch that blocks all traffic until a device authenticates, and ask which protocol is used to carry the authentication messages. The correct answer is EAP over LAN. In Security+, the focus shifts to authentication methods and protocols.
EAP over LAN appears in the context of network access control and wireless security. You may be asked to compare different EAP methods, such as EAP-TLS versus PEAP versus EAP-TTLS, and understand which ones require certificates on the client side. Questions might also cover the difference between WPA2-Personal and WPA2-Enterprise, where Enterprise mode relies on a RADIUS server and EAP over LAN.
A typical Security+ question could ask: "A company wants to require users to authenticate with smart cards before accessing the wired network. Which technology should be implemented?" The answer is 802.1X with EAP over LAN. The exam may also test your understanding of the terms supplicant, authenticator, and authentication server. You might see a multiple-choice question where the scenario describes a wireless client, an access point, and a RADIUS server.
You need to know which device is the authenticator (the access point) and which protocol carries the EAP frames between the client and the access point (EAP over LAN). In both exams, EAP over LAN is often part of a larger troubleshooting question. The scenario might describe that users can connect to Wi-Fi but cannot access network resources.
The issue could be a misconfigured RADIUS server or an incorrect EAP method on the supplicant. You would need to identify that the authentication exchange is failing. Understanding the flow of EAP over LAN frames helps you diagnose these problems.
Also, be aware that the term “EAPoL” is sometimes used interchangeably with “802.1X,” but technically 802.1X is the framework and EAP over LAN is the specific encapsulation that carries EAP frames over the wired or wireless LAN.
The exam may use both terms, so knowing the distinction is helpful. For the most current exams, check the CompTIA exam objectives for “802.1X” and “EAP.”
Simple Meaning
Imagine you arrive at a modern office building for the first time. You walk up to the main entrance, but the door does not open automatically. Instead, a small screen asks for a badge or a code.
You are not inside yet. You are in a kind of waiting area. The security system needs to check who you are before unlocking the inner door. EAP over LAN is the digital version of that check.
It is not the lock itself, and it is not the badge. It is the secure conversation that happens between your device and the network switch or wireless access point, making sure you are allowed to connect. Before your laptop or phone can send or receive any normal data, it first sends a series of special messages to a central authentication server.
These messages use a framework called Extensible Authentication Protocol, or EAP, which is flexible enough to support different methods of proving identity, such as a password, a digital certificate, or a one-time code. The "over LAN" part simply means these EAP messages are carried over the local wired or wireless network, but only for this security handshake. No regular network traffic passes through until this handshake succeeds.
This prevents unauthorised devices from even reaching the network. It is like having a guard who checks your ID before you step past the reception desk. The guard does not care about your email or your web browsing.
The guard only cares about whether you are allowed in. Once the guard confirms you, the inner door opens and you can go about your business. EAP over LAN is typically used with a standard called 802.1X, which is the framework for port-based access control. The “port” is the virtual doorway to the network. EAP over LAN is the conversation that determines whether that door stays closed or opens.
It is used in both wired networks (like connecting a laptop to an Ethernet jack in a corporate office) and wireless networks (like connecting to a secure Wi-Fi network that uses WPA2-Enterprise or WPA3-Enterprise). The EAPoL frames themselves are only the envelope; the EAP method carried inside them (for example, one that builds a TLS tunnel) is what keeps your credentials safe from anyone listening on the wire. In simple terms, EAP over LAN is the secure identification step that happens before a device is allowed to join a network.
Full Technical Definition
EAP over LAN (EAPoL) is a network protocol defined in the IEEE 802.1X standard for port-based network access control. It carries Extensible Authentication Protocol (EAP) frames between a supplicant (the client device trying to connect) and an authenticator (the network switch or wireless access point) while the port remains blocked for all other traffic.
The authenticator does not process the EAP messages itself. Instead, it relays them to an authentication server, typically a RADIUS server, which performs the actual verification. EAPoL is essentially the transport mechanism that enables the 802.1X authentication framework to operate over local area networks. The protocol operates at Layer 2 of the OSI model, meaning it works at the data link layer before IP addressing or higher-layer protocols are established. This is crucial because it allows authentication to happen before the device receives an IP address via DHCP, preventing unauthenticated devices from even obtaining network-layer access.
EAPoL frames are distinct from regular Ethernet frames. They use a special EtherType value of 0x888E, which tells the switch or access point to treat them as authentication traffic. The frames have a specific structure that includes a version field, a packet type indicator (EAP-Packet, EAPOL-Start, EAPOL-Logoff, EAPOL-Key, or EAPOL-Encapsulated-ASF-Alert), and the body containing the actual EAP data.
During an 802.1X session, the supplicant initiates by sending an EAPoL-Start frame, or the authenticator can prompt the supplicant by sending an EAP-Request/Identity. The supplicant responds with an EAP-Response/Identity.
The authenticator encapsulates that response into a RADIUS Access-Request packet and forwards it to the authentication server. The server and supplicant then exchange a series of EAP messages, which could involve methods like EAP-TLS (certificate-based), PEAP (protected tunnel with inner authentication), or EAP-TTLS. The authenticator simply passes these messages back and forth using EAPoL on one side and RADIUS on the other.
Once the authentication server accepts the credentials, it sends a RADIUS Access-Accept message to the authenticator. The authenticator then sends an EAPoL-Success frame to the supplicant and changes the port state from “unauthorized” to “authorized.” At this point, the port begins forwarding normal traffic.
If authentication fails, an EAPoL-Failure frame is sent, and the port remains blocked. In wireless networks, EAPoL is used during the 4-way handshake of WPA2-Enterprise and WPA3-Enterprise. The protocol also supports EAPoL-Key frames, which are used to distribute encryption keys after successful authentication.
Real-world implementations often involve configuring the authenticator (switch or AP) with the RADIUS server address and shared secret. Supplicant software is built into modern operating systems and can be configured for different EAP methods. Troubleshooting EAPoL often involves checking that frames with the EAPoL EtherType are not being dropped by VLAN configurations or firewalls, and ensuring the RADIUS server logs show the full EAP conversation.
The protocol is considered secure because authentication occurs before any data traffic, and EAP methods can provide mutual authentication, preventing rogue access points.
Real-Life Example
Think of a secure office building that uses a badge system for entry. The building has a single main entrance with a turnstile. Beside the turnstile is a card reader. This is the authenticator.
You, the employee, are the supplicant. Your access badge is your credential. When you swipe your badge at the reader, the reader does not make the decision itself. Instead, it sends your badge number to a central security office, which is the authentication server.
The security office checks a database to see if your badge is active, matches your face on file, and has permissions for this entrance. This back-and-forth between the reader and the security office is like EAP over LAN. The messages are sent over a secure intercom that only the reader and the security office can understand.
While this exchange is happening, the turnstile remains locked. You cannot walk through. You are stuck in the small vestibule until the check is complete. If the security office confirms you, they send an unlock signal back to the reader.
The reader clicks, the turnstile spins, and you enter. That unlock signal is like an EAPoL-Success frame. Now, the port is open. You can proceed to the elevator and your desk. If the check fails, the reader shows a red light and you stay locked out.
This entire process happens silently and quickly, often in less than a second. The key similarity is that the authentication conversation is separate from the actual entry. The turnstile does not change its function.
It just stays locked until the security office says so. In a network, EAP over LAN does the same thing. The switch port stays blocked until the RADIUS server says the device is allowed.
Also, the authentication method can change without changing the turnstile or the reader. You could switch from a badge to a fingerprint scanner, and the same secure intercom would carry those new messages. That is the “extensible” part.
EAP over LAN can carry many different types of authentication, just as the intercom could carry voice, fingerprint data, or a QR code scan.
Why This Term Matters
EAP over LAN matters because it is the foundation of secure network access control in both wired and wireless enterprise environments. Without it, any device that physically plugs into an Ethernet jack or connects to a Wi-Fi SSID could gain immediate access to the internal network. That creates a massive security risk.
A visitor, a contractor, or even an attacker with physical access could bypass firewalls and gain a foothold inside the network perimeter. EAP over LAN, when combined with 802.1X, enforces authentication at the port level.
This means every single device must identify itself before it can send even a single packet to the network. For IT administrators, this provides granular control over who and what connects. They can require devices to present digital certificates issued by their organisation, ensuring only company-managed laptops can access the internal LAN.
They can also integrate with user directories like Active Directory, so that network access is tied to user credentials. This is especially important for compliance with regulations like PCI DSS, HIPAA, or GDPR, which require strict access controls. In practical terms, EAP over LAN helps prevent rogue devices from spreading malware or capturing traffic.
It also simplifies network management because administrators can change access policies centrally on the RADIUS server rather than reconfiguring every switch or access point. For wireless networks, WPA2-Enterprise and WPA3-Enterprise rely on EAP over LAN for authentication. This is far more secure than WPA2-Personal, which uses a single shared passphrase that can be leaked.
With EAP over LAN, each user has unique credentials, and the authentication is encrypted within a TLS tunnel. This eliminates the risk of passphrase theft and allows for user-level auditing. If a security incident occurs, logs from the RADIUS server can show exactly which user authenticated from which access point at what time.
EAP over LAN also supports dynamic VLAN assignment. When a user authenticates, the RADIUS server can tell the switch to place that user’s port into a specific VLAN based on their role. For example, guest users go into a guest VLAN with limited internet access, while employees go into the internal VLAN.
This is all done automatically without any manual switch configuration. For any IT professional working with enterprise networks, understanding EAP over LAN is essential for designing, deploying, and troubleshooting secure access solutions.
How It Appears in Exam Questions
Exam questions about EAP over LAN typically fall into several categories. The first is definition and component questions. These ask you to identify the protocol that carries authentication messages over a LAN before a port is opened.
For example, “Which of the following is used to transmit EAP frames between a supplicant and an authenticator in a wired network?” The answer choices might include EAP over LAN, RADIUS, TACACS+, or PPP. The correct answer is EAP over LAN.
A variant might ask for the EtherType value used by EAPoL, which is 0x888E. The second category is scenario-based questions about 802.1X deployment. A typical question reads: “A network administrator wants to implement port-based network access control.
Users must authenticate using their domain credentials before being allowed on the network. Which of the following must be configured on the switch?” The answer would include enabling 802.1X and configuring the RADIUS server IP. The question may also ask about the role of each component: supplicant (client), authenticator (switch), and authentication server (RADIUS). The third category is wireless authentication questions.
These often involve WPA2-Enterprise. For example, “A company deploys a new wireless network using WPA2-Enterprise. Which protocol is used for authentication between the client and the access point?” The answer is EAP over LAN. Some questions will ask you to identify the EAP method based on a description, such as “Which EAP method requires digital certificates on both the client and the server?” The answer is EAP-TLS.
The fourth category is troubleshooting questions. A scenario might describe that wired users cannot connect to the network. The switch logs show EAPoL-Failure messages. You must determine the cause, such as incorrect RADIUS shared secret, expired client certificate, or wrong EAP method configured on the supplicant.
Another troubleshooting scenario involves wireless clients that can associate with the SSID but cannot obtain an IP address. The issue could be that 802.1X authentication is failing because the RADIUS server is unreachable.
You would need to check the EAPoL exchange. The fifth category is comparison and hybrid questions. These ask you to differentiate EAP over LAN from other protocols. For instance, “What is the difference between EAP over LAN and RADIUS?” The answer would explain that EAP over LAN operates between the supplicant and authenticator at Layer 2, while RADIUS operates between the authenticator and authentication server at Layer 7. Some questions combine authentication with VLAN assignment. The scenario might describe that after successful authentication, the user is placed in a specific VLAN.
You need to know that the RADIUS server sends a VLAN ID attribute, and the switch uses that to configure the port. Finally, there are exam trap questions where the answer choices include similar-sounding protocols like EAP, EAP over LAN, and IEEE 802.1X.
The test taker must carefully read what the question asks. For example, it might ask for the protocol that “carries EAP frames in a wired LAN,” which is EAP over LAN, not 802.1X (the framework) or RADIUS (the server protocol).
Practicing these question types will build confidence.
Example Scenario
A medium-sized law firm wants to secure its internal network. They have dozens of wired Ethernet ports in every office and conference room. Currently, any visitor can plug a laptop into a wall jack and get a DHCP address and full network access.
The IT manager decides to implement network access control. She installs a RADIUS server that integrates with their Active Directory. On each managed switch, she enables 802.1X. She then configures the switch ports to use the RADIUS server for authentication.
Now, when a lawyer plugs their laptop into a wall jack, the switch port is initially blocked. The laptop, acting as the supplicant, sends an EAPoL-Start frame. The switch, the authenticator, responds with an EAP-Request/Identity.
The laptop sends back the user’s domain credentials. The switch relays this to the RADIUS server using RADIUS packets. The RADIUS server checks the credentials against Active Directory.
If valid, the server sends back an Access-Accept with a VLAN ID for the internal network. The switch then sends an EAPoL-Success to the laptop and opens the port in the correct VLAN. The laptop now gets an IP address and can access legal files.
If a visitor plugs in, the credentials fail, and the port stays blocked. This scenario shows how EAP over LAN is the essential protocol that carries the authentication messages locally, enabling the whole system to work. Without it, the switch would have no way to securely exchange identity information without exposing the network to unauthenticated traffic.
Common Mistakes
Thinking EAP over LAN and 802.1X are the same thing.
EAP over LAN is a specific protocol that carries EAP frames, while 802.1X is the overall framework for port-based network access control. 802.1X defines the architecture (supplicant, authenticator, authentication server) and the state machine, but EAP over LAN is the protocol that runs over Ethernet to transport the authentication messages. They are related but not identical.
Remember that 802.1X is the “what” (the rules and roles), and EAP over LAN is the “how” (the specific message format and EtherType used on the wire).
Believing EAP over LAN only works on wireless networks.
EAP over LAN is actually more commonly associated with wired 802.1X on Ethernet switches. The “LAN” part stands for Local Area Network, which includes both wired and wireless. In wireless contexts, the same protocol is used, but it is technically EAP over Wireless, though EAP over LAN is often used as the general term for the link-layer protocol.
Understand that EAP over LAN works on both wired Ethernet and wireless Wi-Fi. In Wi-Fi, the access point acts as the authenticator, and the same EAPoL frames are encapsulated in 802.11 frames.
Confusing EAP over LAN with RADIUS.
RADIUS is an application-layer protocol used between the authenticator (switch or AP) and the authentication server. EAP over LAN is a data-link layer protocol used between the supplicant (client) and the authenticator. They serve different segments of the authentication path. RADIUS carries EAP frames between the authenticator and the server, while EAP over LAN carries them between the client and the authenticator.
Think of it as a two-hop journey: EAP over LAN from client to switch, then RADIUS from switch to server. The switch translates between the two protocols.
Assuming EAP over LAN is only for initial authentication and not for reauthentication or key management.
EAP over LAN is used throughout the authentication session. It can reauthenticate periodically, and it also carries EAPoL-Key frames that distribute encryption keys for wireless networks. The protocol handles the entire lifecycle of the secure connection, not just the first login.
Remember that EAPoL includes packet types for Start, Logoff, Key, and Failure, not just Success. It is an ongoing protocol, not a one-time event.
Thinking that the authenticator validates the credentials.
The authenticator (switch or AP) does not verify credentials. It only forwards EAP messages between the supplicant and the authentication server. The authentication server, typically a RADIUS server, is the only device that checks credentials and makes the allow or deny decision.
Remember the role division: supplicant asks, authenticator relays, server decides. The authenticator is a dumb pipe for authentication messages.
Exam Trap — Don't Get Fooled
A question states: “A network administrator wants to deploy a solution where users must authenticate before accessing the wired network. Which protocol should be used to carry authentication messages from the switch to the authentication server?” The answer choices include EAP over LAN, RADIUS, LDAP, and Kerberos.
Many learners choose EAP over LAN because they associate it with authentication. The correct answer is actually RADIUS, because the question specifies the link between the switch and the authentication server, not between the client and the switch. Always read the question for the specific path.
EAP over LAN is used between the supplicant (client) and the authenticator (switch or AP). RADIUS is used between the authenticator and the authentication server. If the question mentions the switch and the server, the answer is almost always RADIUS.
Draw a mental diagram: client <-> EAP over LAN <-> switch <-> RADIUS <-> server.
Commonly Confused With
802.1X is the overarching standard for port-based network access control. It defines the roles of supplicant, authenticator, and authentication server, and the process flow. EAP over LAN is the specific protocol that 802.1X uses to carry EAP frames over Ethernet. You cannot have 802.1X without a transport protocol, and EAP over LAN is that transport for LANs.
802.1X is like the blueprint for a security checkpoint. EAP over LAN is the specific radio frequency or intercom used to communicate the identity information at the checkpoint.
RADIUS is an application-layer protocol that runs between the authenticator (switch or AP) and the authentication server. It transports authentication, authorization, and accounting information. EAP over LAN is a data-link layer protocol that runs between the supplicant (client) and the authenticator. They are complementary, not interchangeable.
RADIUS is the courier that carries letters between the security guard and the central office. EAP over LAN is the walkie-talkie that the visitor uses to talk to the security guard at the entrance.
EAP over Wireless (also called EAP over IEEE 802.11) is essentially the same protocol as EAP over LAN but carried over wireless frames instead of Ethernet frames. Technically, the frames have different formats at Layer 2, but from a certification standpoint, the concept and exam questions often treat them as identical. The main difference is the underlying medium.
Whether you use a wired phone or a wireless phone to call security, the conversation is the same. EAP over LAN is the wired phone; EAP over Wireless is the wireless phone.
PEAP (Protected Extensible Authentication Protocol) is a specific EAP method that creates a TLS tunnel to protect inner authentication. It is not a transport protocol like EAP over LAN. EAP over LAN carries PEAP messages inside its frames. PEAP is one of many EAP methods that can be transported by EAP over LAN.
EAP over LAN is the envelope that carries a letter. PEAP is the security seal on the letter that keeps it private. You can have different kinds of seals, but they all go in the same envelope.
Step-by-Step Breakdown
Supplicant Connects
A device, like a laptop, plugs into an Ethernet cable or connects to a Wi-Fi SSID configured for 802.1X. The switch or access point detects the link but keeps the port in an unauthorized state. No normal data frames are forwarded. The port only accepts EAP over LAN frames. This is the starting point, and it ensures that no unauthenticated traffic can leak onto the network.
Initiation of Authentication
The supplicant sends an EAPoL-Start frame to the authenticator (switch or AP). This signals that the device wants to begin authentication. Alternatively, the authenticator can initiate the process by sending an EAP-Request/Identity frame. The purpose of this step is to wake up the authentication conversation and identify who the client claims to be.
Identity Exchange
The supplicant responds with an EAP-Response/Identity frame, which contains a user ID (such as a username or email address). The authenticator receives this and encapsulates it into a RADIUS Access-Request packet. It sends this packet to the configured RADIUS server. The identity is often used to determine which EAP method will be used, so it is an important first step in steering the conversation.
EAP Method Negotiation and Authentication
The RADIUS server and the supplicant now exchange multiple EAP frames, each encapsulated first in EAP over LAN (between client and authenticator) and then in RADIUS (between authenticator and server). They negotiate an EAP method, such as PEAP or EAP-TLS, and perform the actual credential verification. This can involve TLS handshakes, certificate exchanges, password hashes, or token codes. The authenticator simply relays messages without inspecting them.
Authorization and Port Opening
If the RADIUS server accepts the credentials, it sends a RADIUS Access-Accept message to the authenticator. This message may also include attributes such as a VLAN ID or a filter to apply. The authenticator then sends an EAPoL-Success frame to the supplicant. It changes the port state from unauthorized to authorized. The switch or AP now begins forwarding normal network traffic from that device. The device can then obtain an IP address and access network resources.
Key Distribution (Wireless Only)
For wireless networks, after the EAPoL-Success, the authenticator and supplicant perform a 4-way handshake to generate and distribute encryption keys. This uses EAPoL-Key frames. These keys ensure that all subsequent wireless data is encrypted. This step does not occur in wired 802.1X because wired traffic is not typically encrypted at Layer 2.
Session Maintenance and Logoff
The authenticator may periodically reauthenticate the supplicant by sending new EAP-Request frames. This ensures that the device is still authorized and the credentials have not been revoked. When the device disconnects, it sends an EAPoL-Logoff frame, and the authenticator returns the port to the unauthorized state. This keeps the network secure even when devices leave.
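The six steps above describe one port moving through the 802.1X state machine. The following is an added example, not code from the original page: a small model of a single controlled port driven by the events of that procedure (EAPOL-Start, EAP-Response/Identity, the server's verdict, the reauthentication timer and EAPOL-Logoff). The authentication server is simulated by a constructed lookup table mapping an identity to an accept flag and VLAN ID; the identities and VLAN numbers are made up and no traffic is generated.

```python
"""802.1X controlled-port lifecycle, modelled as a small state machine.

Added example (not code from the original page). The RADIUS server is
replaced by a constructed policy table: identity -> (accepted?, VLAN ID).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the authentication server's decisions.
SAMPLE_POLICY: Dict[str, Tuple[bool, Optional[int]]] = {
    "alice@example.com": (True, 10),   # employee -> internal VLAN 10
    "guest-7f3a": (True, 99),          # guest account -> guest VLAN 99
}


@dataclass
class ControlledPort:
    policy: Dict[str, Tuple[bool, Optional[int]]]
    state: str = "unauthorized"        # unauthorized | authenticating | authorized
    vlan: Optional[int] = None
    identity: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def forwards_data(self) -> bool:
        """Only an authorized port forwards normal frames; EAPoL is always accepted."""
        return self.state == "authorized"

    def on_eapol_start(self) -> None:
        """Supplicant asks to authenticate; authenticator answers EAP-Request/Identity."""
        self.state = "authenticating"
        self.log.append("EAP-Request/Identity -> supplicant")

    def on_identity(self, identity: str) -> None:
        """EAP-Response/Identity arrives: relay to the server and act on its verdict."""
        if self.state != "authenticating":
            self.on_eapol_start()      # authenticator-initiated case (no EAPOL-Start)
        self.identity = identity
        self.log.append(f"RADIUS Access-Request for {identity} -> server")
        self._apply_server_verdict()

    def _apply_server_verdict(self) -> None:
        """The authenticator never checks credentials; it only acts on the server's answer."""
        accepted, vlan = self.policy.get(self.identity, (False, None))
        if accepted:
            self.state, self.vlan = "authorized", vlan
            self.log.append(f"Access-Accept; EAP-Success; port authorized in VLAN {vlan}")
        else:
            self.state, self.vlan = "unauthorized", None
            self.log.append("Access-Reject; EAP-Failure; port stays unauthorized")

    def on_reauth_timer(self) -> None:
        """Periodic reauthentication: a revoked account loses access without unplugging."""
        if self.state == "authorized":
            self.log.append("reauthentication timer fired")
            self._apply_server_verdict()

    def on_eapol_logoff(self) -> None:
        """Device leaves: port drops straight back to unauthorized."""
        self.state, self.vlan, self.identity = "unauthorized", None, None
        self.log.append("EAPOL-Logoff; port returned to unauthorized")


def run_scenario() -> ControlledPort:
    """Employee authenticates, the account is later disabled, reauthentication closes the port."""
    policy = dict(SAMPLE_POLICY)
    port = ControlledPort(policy)
    port.on_eapol_start()
    port.on_identity("alice@example.com")
    port.on_reauth_timer()             # account still valid: stays authorized
    policy.pop("alice@example.com")    # account disabled in the directory
    port.on_reauth_timer()             # next reauthentication fails
    return port


if __name__ == "__main__":
    for line in run_scenario().log:
        print(line)
```

The point the model makes visible is the role split: the port object never looks at a credential, it only relays an identity and applies whatever the policy table (standing in for RADIUS) returns, including the VLAN ID that dynamic VLAN assignment uses.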
Practical Mini-Lesson
EAP over LAN is the workhorse of enterprise network authentication, but understanding it in practice requires seeing how it fits into the real configuration and troubleshooting workflow. As an IT professional, you will rarely configure EAP over LAN directly. Instead, you will configure 802.1X on a switch or access point, and that configuration implicitly enables EAP over LAN. On a Cisco switch, for example, you enable port-based authentication with the command “dot1x port-control auto.” Then you specify the RADIUS server with “radius-server host” and the shared secret.
The switch automatically handles EAP over LAN frames. On a Windows client, you configure the supplicant in the network settings. You select “Microsoft: Protected EAP (PEAP)” or another EAP method, and you trust the server certificate.
When the client connects, it sends EAPoL-Start, and the process begins. What can go wrong? The most common problem is certificate-related. If the RADIUS server’s certificate is expired or not trusted by the client, the TLS tunnel fails, and the client sees a “cannot connect” error.
Another issue is a misconfigured RADIUS shared secret. The switch and the server must have the same secret, or the RADIUS packets are dropped. You can verify this by checking the RADIUS server logs for requests dropped or rejected because of a shared-secret mismatch.
Another issue is VLAN mismatch. The RADIUS server might send a VLAN ID that does not exist on the switch, or the switch port might be configured for a specific VLAN that conflicts. When troubleshooting, you can use packet captures to see the EAP over LAN frames.
Look for the EtherType 0x888E. You should see EAPoL-Start, EAP-Request/Identity, and then the EAP method exchange. If you see repeated EAPoL-Start without responses, the authenticator may not be configured for 802.1X. If you see EAPoL-Failure, the credentials are wrong or the server rejected the request. Also, remember that EAP over LAN is a Layer 2 protocol, so it does not rely on IP. If the client cannot get an IP address, the problem is often after authentication, such as DHCP not being available in the assigned VLAN.
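The frame layout given in the Full Technical Definition (EtherType 0x888E, version, packet type, body) and the capture-reading rules just described can be put into one small tool. What follows is an added example, not code from the original page: a decoder for EAPoL frames (and the EAP header inside EAP-Packet frames) plus a triage function that applies the rules above to a list of frames. The frames it runs on are constructed by hand; the MAC addresses and the identity are made up, and the method numbers are the IANA EAP type values for Identity, EAP-TLS, EAP-TTLS and PEAP.

```python
"""EAPoL frame decoder plus a capture-triage helper.

Added example (not code from the original page). All frames are constructed
in sample_capture(); nothing here reads a live interface.
"""
import struct
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")     # 802.1X PAE group MAC
SUPPLICANT_MAC = bytes.fromhex("020000000001")     # constructed
AUTHENTICATOR_MAC = bytes.fromhex("020000000002")  # constructed

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eapol(frame: bytes) -> Optional[dict]:
    """Decode one Ethernet frame; return None when it is not (complete) EAPoL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        return None                                   # truncated capture
    info = {"src": frame[6:12].hex(":"), "dst": frame[0:6].hex(":"),
            "version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0 and length >= 4:                    # EAP-Packet: decode the EAP header
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5:           # Request/Response carry a method type
            method = body[4]
            info["eap_method"] = EAP_METHODS.get(method, f"type {method}")
            if method == 1 and code == 2:             # EAP-Response/Identity carries the user ID
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


def build_eap(code: int, ident: int, method: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build an EAP packet: code, identifier, total length, optional type + data."""
    payload = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(src: bytes, dst: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Wrap a body in an Ethernet header plus EAPoL (version 2) header."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(body)) + body


def triage(frames: List[bytes]) -> str:
    """Apply the capture-reading rules from the page to a list of raw frames."""
    decoded = [d for d in map(parse_eapol, frames) if d]
    if not decoded:
        return "no EAPoL (0x888E) frames: wrong capture point, or EAPoL dropped by VLAN/firewall config"
    starts = sum(d["type"] == "EAPOL-Start" for d in decoded)
    codes = [d.get("eap_code") for d in decoded]
    if starts and "Request" not in codes:
        return "EAPOL-Start with no EAP-Request: authenticator not running 802.1X on this port"
    if "Failure" in codes:
        return "EAP-Failure: credentials rejected or EAP method mismatch; check RADIUS server logs"
    if "Success" in codes:
        return "EAP-Success: authentication done; if no IP address, look at DHCP/VLAN after auth"
    return "exchange incomplete: check RADIUS reachability and shared secret on the authenticator"


def sample_capture(outcome: str) -> List[bytes]:
    """Constructed frame sequences for the situations the page describes."""
    s, a, g = SUPPLICANT_MAC, AUTHENTICATOR_MAC, PAE_GROUP_ADDR
    if outcome == "dead_port":                        # three Starts, nobody answers
        return [build_eapol(s, g, 1)] * 3
    frames = [
        build_eapol(s, g, 1),                                            # EAPOL-Start
        build_eapol(a, s, 0, build_eap(1, 1, 1)),                        # EAP-Request/Identity
        build_eapol(s, a, 0, build_eap(2, 1, 1, b"alice@example.com")),  # EAP-Response/Identity
        build_eapol(a, s, 0, build_eap(1, 2, 25)),                       # EAP-Request/PEAP
    ]
    frames.append(build_eapol(a, s, 0, build_eap(3 if outcome == "success" else 4, 2)))
    return frames


if __name__ == "__main__":
    for case in ("success", "failure", "dead_port"):
        print(case, "->", triage(sample_capture(case)))
    print(parse_eapol(sample_capture("success")[2]))
```

In a real capture you would feed `parse_eapol` the raw bytes of each frame; the decoder deliberately stops at the EAP header, because everything past the method type is method-specific (for PEAP, TLS records) and, as the page notes, the only credential protection comes from that inner method.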
EAP over LAN is also relevant to network segmentation with dynamic VLANs. For example, you can configure the RADIUS server to place IT staff into an admin VLAN and guests into a guest VLAN. The switch applies this based on the RADIUS Access-Accept attribute.
This is powerful for zero-trust networking. Broader connections: EAP over LAN is part of the IEEE 802 family of standards. It works hand in hand with RADIUS, which itself uses UDP ports 1812 and 1813.
Understanding EAP over LAN also helps you understand EAP over RADIUS, which is a separate encapsulation but follows the same logic. Many cloud-managed networks use a cloud RADIUS service, and the switch still sends EAP over LAN frames locally. In summary, to master EAP over LAN, focus on the three roles, the frame types, and the troubleshooting flow.
In a real job, you will spend more time diagnosing why authentication fails than configuring it from scratch.
Memory Tip
Remember EAP over LAN as the “pre-flight checklist” for network access: the device must identify itself before the port opens, just like a plane must get clearance before taking off.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
N10-009 CompTIA Network+
SY0-701 CompTIA Security+
200-301 Cisco CCNA
220-1102 CompTIA A+ Core 2
SC-900
CDL Google CDL
ISC2 CC
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008 (current version: N10-009)
SY0-601 (current version: SY0-701)
Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
Is EAP over LAN the same as 802.1X?
No, they are not the same. 802.1X is the overall standard for port-based network access control, defining the architecture and the state machine. EAP over LAN is the specific protocol that 802.1X uses to transport EAP messages over a wired or wireless LAN.
Does EAP over LAN work with Wi-Fi?
Yes, EAP over LAN is used in Wi-Fi networks as part of WPA2-Enterprise and WPA3-Enterprise authentication. In wireless contexts, it is sometimes called EAP over Wireless, but the concept is the same. The access point acts as the authenticator.
What EtherType does EAP over LAN use?
EAP over LAN uses EtherType 0x888E. This special value allows switches and network interface cards to distinguish EAPoL frames from regular data frames and treat them accordingly.
Can EAP over LAN be used without a RADIUS server?
The 802.1X standard requires an authentication server. In practice, that is almost always a RADIUS server. While it is technically possible to embed authentication in the authenticator, enterprise deployments always use a separate server for central management and security.
What happens if the RADIUS server is unreachable during EAP over LAN authentication?
If the RADIUS server is unreachable, the authenticator cannot complete the authentication exchange. The supplicant will receive an EAPoL-Failure or a timeout, and the port will remain in the unauthorized state. The device will not gain network access.
Is EAP over LAN secure?
The protocol itself is a transport mechanism and does not provide encryption. Security depends on the EAP method used inside, such as EAP-TLS or PEAP, which encrypt the credentials within a TLS tunnel. EAP over LAN frames are sent in the clear, but the actual secret data is encrypted by the EAP method.
What is the difference between EAP over LAN and EAP over RADIUS?
EAP over LAN operates between the client and the authenticator at Layer 2. EAP over RADIUS operates between the authenticator and the RADIUS server at Layer 7. They both carry EAP messages but over different segments of the network and with different encapsulations.
Do all switches support EAP over LAN?
No, only managed switches that support 802.1X can handle EAP over LAN. Unmanaged switches do not have the capability to block ports based on authentication. For enterprise environments, managed switches are required.
Summary
EAP over LAN is a foundational protocol for network security, enabling devices to prove their identity before they are allowed to send any data across a wired or wireless network. It works by carrying Extensible Authentication Protocol messages between a client and an authenticator, using a special EtherType to keep authentication traffic separate from regular data. This protocol is the transport layer of the 802.1X framework, and it is what makes port-based network access control possible. Without EAP over LAN, a switch or access point would have no standard way to collect and relay identity information without exposing the network. For IT professionals, understanding EAP over LAN is essential for deploying secure wired and wireless networks, configuring RADIUS servers, and troubleshooting authentication failures.
In certification exams, you must remember that EAP over LAN operates between the supplicant and the authenticator, while RADIUS operates between the authenticator and the server. You should also be able to identify the different EAPoL frame types, the EtherType value, and the steps of the authentication process. Finally, keep in mind that EAP over LAN is not itself an encryption method; it relies on the EAP method to protect credentials.
By mastering this protocol, you gain a solid understanding of how enterprise networks verify and control every device at the edge.