RE: Separation of EAP authenticator and AAA client
From: Bernard Aboba (abobainternaut.com)
Date: Wed, 29 Jun 2005 00:30:10 -0400 (EDT)
> What is the difference between the EAP Authenticator (which I believe is 
> defined above)
> and the 802.1X Authenticator, vis-à-vis 802.11i model?

Assume a CAPWAP architecture where the lightweight AP handles 802.1X, but
shuttles EAP packets back to the WLAN switch (rather than sending 802.1X
packets to the switch).  The WLAN switch holds the local credentials
and/or acts as a AAA client.

In this situation, wouldn't the lightweight AP be an 802.1X authenticator,
but not an EAP authenticator?  If there is no AAA operating (e.g. local
user), the EAP authenticator has to be the entity that holds the local
credentials, because that's where EAP authentication terminates.  Yet that
entity is not the lightweight AP, it is the WLAN switch.  On the other
hand, the lightweight AP does house the 802.1X port, and it does terminate
the 802.11/802.1X link.

Does this make sense?  The only other way to interpret this would be to
call the lightweight AP an EAP authenticator, and then the WLAN switch
becomes the EAP server in a non-AAA case.  When the WLAN switch does AAA,
the AAA server houses the EAP server, so then I don't know what you would
call the WLAN switch :)

