This work is licensed with a
Creative Commons Attribution 4.0 International LicenseEndFragment
This material was developed with funding
from the National Science Foundation
Extensible Authentication Protocol (EAP)
EAP Identity Response
EAP Request - EAP Type
EAP Response - EAP Type
Forward Identity to ACS Server
The laptop needs to send data to another device on the network
EAP - Protocol Flow
EAP Identity Request
Authentication conversation is between client and Authentication Server
802.11 Communication Request
Lightweight Extensible Authentication Protocol (LEAP) encrypts data transmissions using dynamically generated WEP keys, and supports mutual authentication. Cisco developed the LEAP method.
Protected Extensible Authentication Protocol (PEAP) provides a method to transport securely authentication data, including legacy password-based protocols, via 802.11 Wi-Fi networks. PEAP accomplishes this by using tunneling between PEAP clients and an authentication server. Like the competing standard Tunneled Transport Layer Security (TTLS), PEAP authenticates Wi-Fi LAN clients using only server-side certificates, thus simplifying the implementation and administration of a secure Wi-Fi LAN. Cisco Systems, Microsoft, and RSA Security jointly developed PEAP.
There are several variations or methods of Extensible Authentication Protocol (EAP) authentication.
Message Digest (MD5) Challenge is an EAP authentication method that provides base-level EAP support. EAP-MD-5 is typically not recommended for Wi-Fi LAN implementations because it may allow the user's password to be derived. It provides for only one-way authentication - there's no mutual authentication of Wi-Fi client and the network. And very importantly it doesn't provide a means to derive dynamic, per session wired equivalent privacy (WEP) keys. Windows 2000 first included EAP-MD5 support, but it was deprecated in Windows Vista.
Transport Layer Security (TLS) provides for certificate-based and mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications between the WLAN client and the access point. One drawback of EAP-TLS is that certificates must be managed on both the client and server side. For a large WLAN installation, this could be a very cumbersome task. EAP-TLS is an open standard and is the original, standard wireless LAN EAP authentication protocol.
Tunneled Transport Layer Security (TTLS) is an extension of EAP-TLS. This security method provides for certificate-based, mutual authentication of the client and network through an encrypted channel (or tunnel), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates. EAP-TTLS is widely supported across many platforms, but Microsoft did not support it until Windows 8.
EAP and 802.1X
Router, access point, switch or VPN concentrator which facilitates communication beween the device and RADIUS server
Extensible Authentication Protocol (EAP) in an authentication framework which provides a secure way to send identifying information for network authentication. EAP provides several authentication mechanisms: one-time passwords, smart cards, public-key encryption authentication, and digital certificates. 802.1X is the standard used for passing EAP over wired and wireless LANs.
An authentication database
(usually a Radius server) to
A software client running on a device such as a laptop, desktop, mobile device
click on each 802.1X component
802.1X restricts network access until the client authenticates. A wireless client can still connect to an AP without authenticating, but it cannot send data to other parts of the network. Only users with an authentication key or password gain network access via a specific portal. This limits the number of users and helps prevent network congestion; networks are faster and more secure.