Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by .
EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.
EAP is in wide use. For example, in IEEE 802.11 (WiFi) the WPA and WPA2 standards have adopted IEEE 802.1X (with various EAP types) as the canonical authentication mechanism.
Methods
EAP is an authentication framework, not a specific authentication mechanism.
It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined. Methods defined in
IETF
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
RFCs include EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA, and EAP-AKA'. Additionally, a number of vendor-specific methods and new proposals exist. Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA,
LEAP and EAP-TTLS. Requirements for EAP methods used in wireless LAN authentication are described in . The list of type and packets codes used in EAP is available from the IANA EAP Registry.
The standard also describes the conditions under which the AAA key management requirements described in can be satisfied.
Lightweight Extensible Authentication Protocol (LEAP)
The
Lightweight Extensible Authentication Protocol (LEAP) method was developed by
Cisco Systems
Cisco Systems, Inc., commonly known as Cisco, is an American-based multinational digital communications technology conglomerate corporation headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, ...
prior to the
IEEE
The Institute of Electrical and Electronics Engineers (IEEE) is a 501(c)(3) professional association for electronic engineering and electrical engineering (and associated disciplines) with its corporate office in New York City and its operat ...
ratification of the
802.11i
IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless netw ...
security standard. Cisco distributed the protocol through the CCX (Cisco Certified Extensions) as part of getting 802.1X and dynamic
WEP adoption into the industry in the absence of a standard. There is no native support for LEAP in any
Windows operating system, but it is widely supported by third-party client software most commonly included with WLAN (wireless LAN) devices.
LEAP support for Microsoft Windows 7 and Microsoft Windows Vista can be added by downloading a client add in from Cisco that provides support for both LEAP and EAP-FAST. Due to the wide adoption of LEAP in the networking industry many other WLAN vendors claim support for LEAP.
LEAP uses a modified version of
MS-CHAP MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP. The protocol exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MS-CHAPv2 was introduced with pptp3-fix that was in ...
, an
authentication
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...
protocol in which user credentials are not strongly protected and easily compromised; an exploit tool called ASLEAP was released in early 2004 by Joshua Wright. Cisco recommends that customers who absolutely must use LEAP do so only with sufficiently complex passwords, though complex passwords are difficult to administer and enforce. Cisco's current recommendation is to use newer and stronger EAP protocols such as EAP-FAST,
PEAP, or EAP-TLS.
EAP Transport Layer Security (EAP-TLS)
EAP Transport Layer Security (EAP-TLS), defined in , is an IETF
open standard that uses the
Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...
(TLS) protocol, and is well-supported among wireless vendors. EAP-TLS is the original, standard wireless LAN EAP authentication protocol.
EAP-TLS is still considered one of the most secure EAP standards available, although TLS provides strong security only as long as the user understands potential warnings about false credentials, and is universally supported by all manufacturers of wireless LAN hardware and software. Until April 2005, EAP-TLS was the only EAP type vendors needed to certify for a WPA or WPA2 logo. There are client and server implementations of EAP-TLS in 3Com, Apple,
Avaya
Avaya Holdings Corp., often shortened to Avaya (), is an American multinational technology company headquartered in Durham, North Carolina, that provides cloud communications and workstream collaboration services. The company's platform inclu ...
, Brocade Communications, Cisco, Enterasys Networks, Fortinet, Foundry, Hirschmann, HP, Juniper, Microsoft, and open source operating systems. EAP-
TLS is natively supported in Mac OS X 10.3 and above,
wpa_supplicant
wpa_supplicant is a free software implementation of an IEEE 802.11i supplicant for Linux, FreeBSD, NetBSD, QNX, AROS, Microsoft Windows, Solaris, OS/2 (including ArcaOS and eComStation) and Haiku. In addition to being a WPA3 and WPA2 sup ...
, Windows 2000 SP4, Windows XP and above, Windows Mobile 2003 and above, Windows CE 4.2, and Apple's iOS mobile operating system.
Unlike most TLS implementations of
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...
, such as on the
World Wide Web
The World Wide Web (WWW), commonly known as the Web, is an information system enabling documents and other web resources to be accessed over the Internet.
Documents and downloadable media are made available to the network through web ...
, the majority of implementations of EAP-TLS require mutual authentication using client-side
X.509
In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secu ...
certificates without giving the option to disable the requirement, even though the standard does not mandate their use.
Some have identified this as having the potential to dramatically reduce adoption of EAP-TLS and prevent "open" but encrypted access points.
On 22 August 2012
hostapd
hostapd (host access point daemon) is a user space daemon software enabling a network interface card to act as an access point and authentication server. There are three implementations: Jouni Malinen's hostapd, OpenBSD's hostapd and Devices ...
(and wpa_supplicant) added support in its
Git
Git () is a distributed version control system: tracking changes in any set of files, usually used for coordinating work among programmers collaboratively developing source code during software development. Its goals include speed, data in ...
repository for an UNAUTH-TLS vendor-specific EAP type (using the hostapd/wpa_supplicant project Private Enterprise Number), and on 25 February 2014 added support for the WFA-UNAUTH-TLS vendor-specific EAP type (using the
Wi-Fi Alliance
The Wi-Fi Alliance is a non-profit organization that owns the Wi-Fi trademark. Manufacturers may use the trademark to brand products certified for Wi-Fi
interoperability.
History
Early 802.11 products suffered from interoperability problems be ...
Private Enterprise Number), which only do server authentication. This would allow for situations much like HTTPS, where a wireless hotspot allows free access and does not authenticate station clients but station clients wish to use encryption (
IEEE 802.11i-2004 i.e.
WPA2) and potentially authenticate the wireless hotspot. There have also been proposals to use
IEEE 802.11u IEEE 802.11u-2011 is an amendment to the IEEE 802.11-2007 standard to add features that improve interworking with external networks.
802.11 is a family of IEEE technical standards for mobile communication devices such as laptop computers or mult ...
for access points to signal that they allow EAP-TLS using only server-side authentication, using the standard EAP-TLS IETF type instead of a vendor-specific EAP type.
The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side certificate; indeed, a password is not even needed, as it is only used to encrypt the client-side certificate for storage. The highest security available is when the "private keys" of client-side certificate are housed in
smart cards. This is because there is no way to steal a client-side certificate's corresponding private key from a smart card without stealing the card itself. It is more likely that the physical theft of a smart card would be noticed (and the smart card immediately revoked) than a (typical) password theft would be noticed. In addition, the private key on a smart card is typically encrypted using a PIN that only the owner of the smart card knows, minimizing its utility for a thief even before the card has been reported stolen and revoked.
EAP-MD5
EAP-MD5 was the only IETF Standards Track based EAP method when it was first defined in the original RFC for EAP, . It offers minimal security; the
MD5 hash function
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually ...
is vulnerable to
dictionary attack
In cryptanalysis and computer security, a dictionary attack is an attack using a restricted subset of a keyspace to defeat a cipher or authentication mechanism by trying to determine its decryption key or passphrase, sometimes trying thousands o ...
s, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise. EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5 support was first included in
Windows 2000
Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was released to manufacturing on December 15, 1999, and was officiall ...
and deprecated in
Windows Vista
Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, which was released five years before, at the time being the longest time span between successive releases of ...
.
EAP Protected One-Time Password (EAP-POTP)
EAP Protected One-Time Password (EAP-POTP), which is described in , is an EAP method developed by RSA Laboratories that uses one-time password (OTP) tokens, such as a handheld hardware device or a hardware or software module running on a personal computer, to generate authentication keys. EAP-POTP can be used to provide unilateral or mutual authentication and key material in protocols that use EAP.
The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a
personal identification number (PIN) to perform authentication.
EAP Pre-Shared Key (EAP-PSK)
EAP Pre-shared key (EAP-PSK), defined in , is an EAP method for mutual authentication and session key derivation using a
pre-shared key (PSK). It provides a protected communication channel, when mutual authentication is successful, for both parties to communicate and is designed for authentication over insecure networks such as IEEE 802.11.
EAP-PSK is documented in an experimental RFC that provides a lightweight and extensible EAP method that does not require any public-key cryptography. The EAP method protocol exchange is done in a minimum of four messages.
EAP Password (EAP-PWD)
EAP Password (EAP-PWD), defined in , is an EAP method which uses a shared password for authentication. The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack.
EAP-PWD is in the base of Android 4.0 (ICS). It is in FreeRADIUS and Radiator RADIUS servers, and it is in hostapd and wpa_supplicant.
EAP Tunneled Transport Layer Security (EAP-TTLS)
EAP Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends
TLS. It was co-developed by
Funk Software
Funk Software was a US-based company that was acquired by Juniper Networks in 2005 for US$ 122 million. The company was founded in 1982 by Paul Funk, and was headquartered in Cambridge, Massachusetts.
The company first became well known in the ...
and
Certicom
BlackBerry Limited is a Canadian software company specializing in cybersecurity. Founded in 1984, it was originally known as Research In Motion (RIM). As RIM, it developed the BlackBerry brand of interactive pagers, smartphones, and tablets ...
and is widely supported across platforms. Microsoft did not incorporate native support for the EAP-TTLS protocol in
Windows XP
Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and ...
,
Vista
Vista usually refers to a distant view.
Vista may also refer to:
Software
*Windows Vista, the line of Microsoft Windows client operating systems released in 2006 and 2007
* VistA, (Veterans Health Information Systems and Technology Architecture) ...
, or
7. Supporting TTLS on these platforms requires third-party Encryption Control Protocol (ECP) certified software.
Microsoft Windows started EAP-TTLS support with
Windows 8
Windows 8 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on August 1, 2012; it was subsequently made available for download via MSDN and TechNet on August 15, 2012, and later to ...
, support for EAP-TTLS appeared in Windows Phone
version 8.1.
The client can, but does not have to be authenticated via a
CA-signed
PKI certificate to the server. This greatly simplifies the setup procedure since a certificate is not needed on every client.
After the server is securely authenticated to the client via its CA certificate and optionally the client to the server, the server can then use the established secure connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from
eavesdropping
Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information.
Etymology
The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...
and
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
. Note that the user's name is never transmitted in unencrypted clear text, improving privacy.
Two distinct versions of EAP-TTLS exist: original EAP-TTLS (a.k.a. EAP-TTLSv0) and EAP-TTLSv1. EAP-TTLSv0 is described in , EAP-TTLSv1 is available as an Internet draft.
EAP Internet Key Exchange v. 2 (EAP-IKEv2)
EAP Internet Key Exchange v. 2 (EAP-IKEv2) is an EAP method based on the
Internet Key Exchange
In computing, Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on version) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP.The Internet Key Exch ...
protocol version 2 (IKEv2). It provides mutual authentication and session key establishment between an EAP peer and an EAP server. It supports authentication techniques that are based on the following types of credentials:
;Asymmetric key pairs: Public/private key pairs where the public key is embedded into a
digital certificate
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...
, and the corresponding
private key
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
is known only to a single party.
;Passwords: Low-
entropy
Entropy is a scientific concept, as well as a measurable physical property, that is most commonly associated with a state of disorder, randomness, or uncertainty. The term and the concept are used in diverse fields, from classical thermodynam ...
bit strings that are known to both the server and the peer.
;Symmetric keys: High-entropy bit strings that are known to both the server and the peer.
It is possible to use a different authentication
credential (and thereby technique) in each direction. For example, the EAP server authenticates itself using public/private key pair and the EAP peer using symmetric key. In particular, the following combinations are expected to be used in practice:
EAP-IKEv2 is described in , and
prototype implementationexists.
EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
Flexible Authentication via Secure Tunneling (EAP-FAST; ) is a protocol proposal by
Cisco Systems
Cisco Systems, Inc., commonly known as Cisco, is an American-based multinational digital communications technology conglomerate corporation headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, ...
as a replacement for
LEAP. The protocol was designed to address the weaknesses of LEAP while preserving the "lightweight" implementation. Use of server certificates is optional in EAP-FAST. EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified.
EAP-FAST has three phases:
When automatic PAC provisioning is enabled, EAP-FAST has a slight vulnerability where an attacker can intercept the PAC and use that to compromise user credentials. This vulnerability is mitigated by manual PAC provisioning or by using server certificates for the PAC provisioning phase.
It is worth noting that the PAC file is issued on a per-user basis. This is a requirement in sec 7.4.4 so if a new user logs on the network from a device, a new PAC file must be provisioned first. This is one reason why it is difficult not to run EAP-FAST in insecure anonymous provisioning mode. The alternative is to use device passwords instead, but then the device is validated on the network not the user.
EAP-FAST can be used without PAC files, falling back to normal TLS.
EAP-FAST is natively supported in Apple OS X 10.4.8 and newer.
Cisco
Cisco Systems, Inc., commonly known as Cisco, is an American-based multinational digital communications technology conglomerate corporation headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, ...
supplies an EAP-FAST module for
Windows Vista
Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, which was released five years before, at the time being the longest time span between successive releases of ...
and later operating systems which have an extensible EAPHost architecture for new authentication methods and supplicants.
Tunnel Extensible Authentication Protocol (TEAP)
Tunnel Extensible Authentication Protocol (TEAP; ) is a tunnel-based EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) protocol to establish a mutually authenticated tunnel. Within the tunnel, TLV (Type-Length-Value) objects are used to convey authentication-related data between the EAP peer and the EAP server.
In addition to peer authentication, TEAP allows peer to ask the server for certificate by sending request in
PKCS#10 format and the server can provision certificate to the peer in
fc:2315 PKCS#7format. The server can also distribute trusted root certificates to the peer in
fc:2315 PKCS#7format. Both operations are enclosed into the corresponding TLVs and happen in the secure way inside previously established TLS tunnel.
EAP Subscriber Identity Module (EAP-SIM)
EAP
Subscriber Identity Module
A typical SIM card (mini-SIM with micro-SIM cutout)
A GSM mobile phone
file:Simkarte NFC SecureElement.jpg, T-Mobile nano-SIM card with NFC capabilities in the SIM tray of an iPhone 6s
file:Tf sim both sides.png, A TracFone Wireless SIM card ha ...
(EAP-SIM) is used for authentication and session key distribution using the subscriber identity module (SIM) from the Global System for Mobile Communications (
GSM
The Global System for Mobile Communications (GSM) is a standard developed by the European Telecommunications Standards Institute (ETSI) to describe the protocols for second-generation ( 2G) digital cellular networks used by mobile devices such ...
).
GSM cellular networks use a subscriber identity module card to carry out user authentication. EAP-SIM use a SIM authentication algorithm between the client and an
Authentication, Authorization and Accounting (AAA) server providing mutual authentication between the client and the network.
In EAP-SIM the communication between the SIM card and the Authentication Centre (AuC) replaces the need for a pre-established password between the client and the AAA server.
The A3/A8 algorithms are being run a few times, with different 128 bit challenges, so there will be more 64 bit Kc-s which will be combined/mixed to create stronger keys (Kc-s won't be used directly). The lack of mutual authentication in GSM has also been overcome.
EAP-SIM is described in .
EAP Authentication and Key Agreement (EAP-AKA)
Extensible Authentication Protocol Method for
Universal Mobile Telecommunications System
The Universal Mobile Telecommunications System (UMTS) is a third generation mobile cellular system for networks based on the GSM standard. Developed and maintained by the 3GPP (3rd Generation Partnership Project), UMTS is a component of the In ...
(UMTS) Authentication and Key Agreement (EAP-AKA), is an EAP mechanism for authentication and session key distribution using the UMTS Subscriber Identity Module (
USIM). EAP-AKA is defined in .
EAP Authentication and Key Agreement
prime
A prime number (or a prime) is a natural number greater than 1 that is not a product of two smaller natural numbers. A natural number greater than 1 that is not prime is called a composite number. For example, 5 is prime because the only ways ...
(EAP-AKA')
The EAP-AKA' variant of EAP-AKA, defined in , and is used for non-3GPP access to a
3GPP core network. For example, via
EVDO,
WiFi
Wi-Fi () is a family of wireless network protocols, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio wa ...
, or
WiMax
Worldwide Interoperability for Microwave Access (WiMAX) is a family of wireless broadband communication standards based on the IEEE 802.16 set of standards, which provide physical layer (PHY) and media access control (MAC) options.
The WiMAX ...
.
EAP Generic Token Card (EAP-GTC)
EAP Generic Token Card, or EAP-GTC, is an EAP method created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2 and defined in and . EAP-GTC carries a text challenge from the authentication server, and a reply generated by a
security token
A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples of security tokens inc ...
. The PEAP-GTC authentication mechanism allows generic authentication to a number of databases such as
Novell Directory Service (NDS) and
Lightweight Directory Access Protocol
The Lightweight Directory Access Protocol (LDAP ) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory ser ...
(LDAP), as well as the use of a
one-time password
A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid seve ...
.
EAP Encrypted Key Exchange (EAP-EKE)
EAP with the
encrypted key exchange
Encrypted Key Exchange (also known as EKE) is a family of password-authenticated key agreement methods described by Steven M. Bellovin and Michael Merritt. Although several of the forms of EKE in this paper were later found to be flawed , the sur ...
, or EAP-EKE, is one of the few EAP methods that provide secure mutual authentication using short passwords and no need for
public key certificates. It is a three-round exchange, based on the
Diffie-Hellman variant of the well-known EKE protocol.
EAP-EKE is specified in .
Nimble out-of-band authentication for EAP (EAP-NOOB)
Nimble out-of-band authentication for EAP (EAP-NOOB) is a generic bootstrapping solution for devices which have no pre-configured authentication credentials and which are not yet registered on any server. It is especially useful for Internet-of-Things (IoT) gadgets and toys that come with no information about any owner, network or server. Authentication for this EAP method is based on a user-assisted out-of-band (OOB) channel between the server and peer. EAP-NOOB supports many types of OOB channels such as QR codes, NFC tags, audio etc. and unlike other EAP methods, the protocol security has been verified by formal modeling of the specification with
ProVerif and
MCRL2
mCRL2 is a specification language for describing concurrent discrete event systems. It is accompanied with a toolset, that facilitates tools, techniques and methods for simulation, analysis and visualization of behaviour. The behavioural part of th ...
tools.
EAP-NOOB performs an Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) over the in-band EAP channel. The user then confirms this exchange by transferring the OOB message. Users can transfer the OOB message from the peer to the server, when for example, the device is a smart TV that can show a QR code. Alternatively, users can transfer the OOB message from the server to the peer, when for example, the device being bootstrapped is a camera that can only read a QR code.
Encapsulation
EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to
encapsulate EAP messages within that protocol's messages.
IEEE 802.1X
The encapsulation of EAP over
IEEE 802
IEEE 802 is a family of Institute of Electrical and Electronics Engineers (IEEE) standards for local area networks (LAN), personal area network (PAN), and metropolitan area networks (MAN). The IEEE 802 LAN/MAN Standards Committee (LMSC) mainta ...
is defined in
IEEE 802.1X and known as "EAP over LANs" or EAPOL. EAPOL was originally designed for
IEEE 802.3 ethernet in 802.1X-2001, but was clarified to suit other IEEE 802 LAN technologies such as
IEEE 802.11
IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer commun ...
wireless and
Fiber Distributed Data Interface
Fiber Distributed Data Interface (FDDI) is a standard for data transmission in a local area network.
It uses optical fiber as its standard underlying physical medium, although it was also later specified to use copper cable, in which case it m ...
(ANSI X3T9.5/X3T12, adopted as ISO 9314) in 802.1X-2004. The EAPOL protocol was also modified for use with
IEEE 802.1AE
IEEE 802.1AE (also known as MACsec) is a network security standard that operates at the medium access control layer and defines connectionless data confidentiality and integrity for media access independent protocols. It is standardized by the I ...
(MACsec) and
IEEE 802.1AR
The Institute of Electrical and Electronics Engineers (IEEE) is a 501(c)(3) professional association for electronic engineering and electrical engineering (and associated disciplines) with its corporate office in New York City and its operation ...
(Initial Device Identity, IDevID) in 802.1X-2010.
When EAP is invoked by an 802.1X enabled
Network Access Server
A network access server (NAS) is a group of components that provides remote users with a point of access to a network.
Overview
A NAS concentrates dial-in and dial-out user communications. An access server may have a mixture of analog and digita ...
(NAS) device such as an
IEEE 802.11i-2004 Wireless Access Point (WAP), modern EAP methods can provide a secure authentication mechanism and negotiate a secure private key (Pair-wise Master Key, PMK) between the client and NAS which can then be used for a wireless encryption session utilizing
TKIP or
CCMP (based on
AES) encryption.
PEAP
The
Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated
Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...
(TLS)
tunnel
A tunnel is an underground passageway, dug through surrounding soil, earth or rock, and enclosed except for the entrance and exit, commonly at each end. A pipeline is not a tunnel, though some recent tunnels have used immersed tube cons ...
.
The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.
PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security. PEAPv0 was the version included with
Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
Windows XP
Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and ...
and was nominally defined i
draft-kamath-pppext-peapv0-00 PEAPv1 and PEAPv2 were defined in different versions of ''draft-josefsson-pppext-eap-tls-eap''. PEAPv1 was defined i
draft-josefsson-pppext-eap-tls-eap-00throug
draft-josefsson-pppext-eap-tls-eap-05 and PEAPv2 was defined in versions beginning wit
draft-josefsson-pppext-eap-tls-eap-06
The protocol only specifies chaining multiple EAP mechanisms and not any specific method.
Use of the
EAP-MSCHAPv2
: ''PEAP is also an acronym for Personal Egress Air Packs.''
Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypt ...
and
EAP-GTC
: ''PEAP is also an acronym for Personal Egress Air Packs.''
Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypt ...
methods are the most commonly supported.
RADIUS and Diameter
Both the
RADIUS
In classical geometry, a radius ( : radii) of a circle or sphere is any of the line segments from its center to its perimeter, and in more modern usage, it is also their length. The name comes from the latin ''radius'', meaning ray but also the ...
and
Diameter
In geometry, a diameter of a circle is any straight line segment that passes through the center of the circle and whose endpoints lie on the circle. It can also be defined as the longest chord of the circle. Both definitions are also valid fo ...
AAA protocol
AAA refers to Authentication (to identify), Authorization (to give permission) and Accounting (to log an audit trail).
It is a framework used to control and track access within a computer network.
Common network protocols providing this functio ...
s can encapsulate EAP messages. They are often used by
Network Access Server
A network access server (NAS) is a group of components that provides remote users with a point of access to a network.
Overview
A NAS concentrates dial-in and dial-out user communications. An access server may have a mixture of analog and digita ...
(NAS) devices to forward EAP packets between IEEE 802.1X endpoints and AAA servers to facilitate IEEE 802.1X.
PANA
The
(PANA) is an IP-based protocol that allows a device to authenticate itself with a network to be granted access. PANA will not define any new authentication protocol, key distribution, key agreement or key derivation protocols; for these purposes, EAP will be used, and PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.
PPP
EAP was originally an authentication extension for the
Point-to-Point Protocol (PPP). PPP has supported EAP since EAP was created as an alternative to the
Challenge-Handshake Authentication Protocol In computing, the Challenge-Handshake Authentication Protocol (CHAP) is an authentication protocol originally used by Point-to-Point Protocol (PPP) to validate users. CHAP is also carried in other authentication protocols such as RADIUS and Diamet ...
(CHAP) and the
Password Authentication Protocol Password Authentication Protocol (PAP) is a password-based authentication protocol used by Point-to-Point Protocol (PPP) to validate users. PAP is specified in .
Almost all network operating systems support PPP with PAP, as do most network access ...
(PAP), which were eventually incorporated into EAP. The EAP extension to PPP was first defined in , now obsoleted by .
See also
*
Authentication protocol
An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity ...
*
Handover keying
*
ITU-T
The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors (divisions or units) of the International Telecommunication Union (ITU). It is responsible for coordinating standards for telecommunications and Information Comm ...
X.1035
References
Further reading
* "AAA and Network Security for Mobile Access. RADIUS, DIAMETER, EAP, PKI and IP mobility". M Nakhjiri. John Wiley and Sons, Ltd.
External links
* : Extensible Authentication Protocol (EAP) (June 2004)
* : Extensible Authentication Protocol (EAP) Key Management Framework (August 2008)
Configure RADIUS for secure 802.1x wireless LANHow to self-sign a RADIUS server for secure PEAP or EAP-TTLS authenticationExtensible Authentication Protocolon Microsoft TechNet
EAPHost in Windows Vista and Windows Server 2008WIRE1x*
{{Authority control
Wireless networking
Authentication protocols