What does EAP stand for – description of EAP (Extensible Authentication Protocol)

What does EAP stand for – description of EAP, the Extensible Authentication Protocol. It is based on the IEEE 802.1X standard for port-based Network Access Control. There are 3 boxes involved in EAP security authentication:
1) Wireless client – or Supplicant as they call it in EAP
2) Access Point – or Authenticator as they call it in EAP
3) RADIUS server – or Authentication Server as they call it in EAP
The authentication process flows as follows:
1) When a new client appears in the WLAN, the Access Point (or wireless router, if you prefer) opens a port for that client. But this port is in the unauthenticated state. This means the Access Point allows only EAP traffic from the new client. The client cannot reach the Internet and cannot use other resources of the local network.
2) The Access Point sends an EAP request to the wireless client, and the WLAN client sends back an EAP response.
3) The Access Point forwards this EAP message to the RADIUS server. This means the Access Point does not decide by itself whether to allow access for new WLAN clients; that decision is made by the RADIUS server. The RADIUS server holds the list of users and their credentials, which could be a username and password or a digital certificate. If the credentials are OK for that particular wireless client, the Access Point allows normal traffic for it.
4) In this state the WLAN client has normal access to the network and the Internet.
Now that you know what EAP stands for, let's see all the different versions of the EAP security protocol:
1) LEAP (Lightweight Extensible Authentication Protocol). Developed by Cisco with the intention of improving WEP. The authentication uses a modified version of the MS-CHAP protocol.
2) EAP-TLS (EAP-Transport Layer Security). This EAP version is supported by many vendors. Authentication is based on PKI (public key infrastructure). The best security is achieved by using smart cards on the client side.
3) EAP-MD5. Offers minimal security and has weaknesses against dictionary attacks and man-in-the-middle attacks.
4) EAP-PSK (Pre-Shared Key). This lightweight EAP method doesn't require any public-key cryptography; authentication is done with a pre-shared key.
5) EAP-TTLS (Tunneled Transport Layer Security). This EAP version is an extension of EAP-TLS. It offers very good security without requiring all clients in the network to have certificates installed.
6) EAP-FAST (Flexible Authentication via Secure Tunneling). Designed by Cisco as a solution for the weaknesses of LEAP. It uses a PAC (Protected Access Credential) file, which is the certificate each user has when using this kind of EAP.
7) EAP-IKEv2 (Internet Key Exchange). EAP based on IKEv2, the Internet Key Exchange protocol version 2. It provides session key establishment and mutual authentication between client and server.
8) EAP-EKE (Encrypted Key Exchange). Provides authentication using short passwords.
9) EAP-GTC (Generic Token Card). An alternative to PEAPv0/EAP-MSCHAPv2, developed by Cisco.
10) EAP-SIM (Subscriber Identity Module). Authentication used by GSM operators, with 128-bit challenges.
11) EAP-AKA (Authentication and Key Agreement). There are 2 versions of EAP-AKA, one for UMTS and another for WiFi and WiMAX.
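The four-step 802.1X port-control flow described above, modelled as an added example that is not part of the original article: the Access Point keeps a controlled port per client that passes only EAP frames until the Authentication Server accepts the credentials. The client MAC, user name and password are constructed, and the RADIUS exchange is reduced to a direct function call.

```python
import hashlib
import hmac
import os
# Constructed credential store for the Authentication Server (RADIUS role).
# Passwords are kept as salted SHA-256 digests, never in clear text.
def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

class AuthenticationServer:
    """Holds the user list and makes the accept/reject decision (step 3)."""
    def __init__(self, users: dict):
        self.users = users          # identity -> (salt, digest)
    def verify(self, identity: str, password: str) -> bool:
        rec = self.users.get(identity)
        if rec is None:
            return False            # unknown user: reject without saying why
        salt, digest = rec
        probe = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(probe, digest)   # constant-time compare

class Authenticator:
    """Access Point: one controlled port per client, unauthorized by default."""
    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.ports = {}             # client MAC -> "unauthorized" | "authorized"
    def connect(self, client: str) -> None:
        self.ports[client] = "unauthorized"   # step 1: port opened, not yet authorized
    def handle(self, client: str, frame: dict) -> str:
        state = self.ports.get(client)
        if state is None:
            return "dropped"        # never associated with this AP
        if frame["kind"] == "EAP":
            # step 3: the AP does not decide itself, it relays to the server
            ok = self.server.verify(frame["identity"], frame["password"])
            self.ports[client] = "authorized" if ok else "unauthorized"
            return "EAP-Success" if ok else "EAP-Failure"
        # steps 1 and 4: non-EAP traffic passes only once the port is authorized
        return "forwarded" if state == "authorized" else "dropped"

def run_flow(identity: str, password: str) -> list:
    """Replay the four steps for one constructed client; return the AP's verdicts."""
    server = AuthenticationServer({"alice": make_record("correct horse")})
    ap = Authenticator(server)
    client = "00:11:22:33:44:55"                  # constructed client MAC
    ap.connect(client)
    return [ap.handle(client, {"kind": "DATA", "dst": "internet"}),   # before auth
            ap.handle(client, {"kind": "EAP", "identity": identity, "password": password}),
            ap.handle(client, {"kind": "DATA", "dst": "internet"})]   # after auth
```

A wrong password or unknown user leaves the port unauthorized, so data frames keep being dropped even after the EAP exchange.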
After reading this article about what EAP stands for, my recommendation is to read about the server that is crucial in all these EAP security methods: the RADIUS server.