(
Extensible
Authentication
Protocol) A transport for authentication protocols. Using its own start and end messages, EAP carries any number of third-party messages between the client (supplicant) and access control node such as an access point. EAP methods are used mostly in wireless networks but also in wired networks.
EAP and Ethernet
EAP originated with the dial-up PPP protocol in order to provide support beyond the PAP and CHAP authentication protocols. For use on wired networks, EAP Over LAN (EAPOL) allowed an Ethernet header to be prefixed onto EAP messages so they could be transmitted via Ethernet. There are many EAP protocols, and following is a sample. See
PAP,
CHAP,
802.1X,
WPA and
802.11i.
EAP-TLS (EAP-Transport Layer Security)
Uses the handshake protocol in TLS, not its encryption method. Client and server authenticate each other using digital certificates. The client generates a pre-master secret key by encrypting a random number with the server's public key and sends it to the server. Both client and server use the pre-master to generate the same secret key.
EAP-TTLS (EAP-Tunneled TLS)
With EAP-TTLS, only the server has a certificate to authenticate itself to the client first. As in EAP-TLS, a secure connection ("tunnel") is established with secret keys, but that connection is used to continue the authentication process by authenticating the client and possibly the server again using any EAP or legacy method such as PAP and CHAP.
PEAP (Protected EAP)
Similar to EAP-TTLS except that it does not support legacy methods. It only moves EAP frames.
LEAP (Light EAP, Cisco LEAP)
From Cisco, LEAP was the first implementation of EAP and 802.1X for wireless networks. LEAP uses preshared keys and the MS-CHAP protocol to authenticate client and server to each other. The server generates a session key that it sends to the access point. The client computes the session key independently based on data received in the CHAP challenge. See
CHAP.
FAST (Flexible Authentication via Secure Tunneling)
A LEAP enhancement from Cisco, EAP-FAST provides an encrypted tunnel to distribute preshared "Protected Access Credential" (PAC) keys. PAC keys may be continuously refreshed to prevent dictionary at tacks. EAP-FAST is defined in Cisco Compatible Extensions (see
CCX).
SIM
EAP-SIM is used in GSM cellphones that switch between cellular and Wi-Fi. The SIM card in the phone contains the secret key used for challenge-response authentication and deriving session keys for encryption. See
GSM and
SIM.