# EAP 101

EAP (Extensible Authentication Protocol) is a general protocol for authentication that supports multiple authentication methods.  EAP doesn't specify the type of authentication to use, but rather the authentication steps

EAP consists of 4 packets:

* **EAP Request**: Authenticator sends the request packe to the supplicant.&#x20;
* **EAP Response**: The suplicant sends the response packet to the authenticator and uses a sequence number to identify each request.
  * One response could be NAK which means the authentication method is not supported
* **EAP Success**: The authenticator sends the success packet to the supplicant after a succesful authentication
* **EAP Failure**: The authenticator sends the success packet to the supplicant after a failed authentication

## EAP Types

The most common forms of EAP are:

| EAP Types                   | EAP-TLS   | PEAP             | EAP-FAST | EAP-TTLS       | LEAP   |
| --------------------------- | --------- | ---------------- | -------- | -------------- | ------ |
| Mutual Authentication       | YES       | YES              | YES      | YES            | YES    |
| Client certificate required | YES       | NO               | NO       | NO             | NO     |
| Server certificate required | YES       | YES              | Optional | YES            | NO     |
| Wi-Fi Security              | Very High | High             | High     | High           | Medium |
| Provider                    | Microsoft | Microsoft, Cisco | Cisco    | Funk (Juniper) | Cisco  |
| Rogue AP Detection          | No        | No               | Yes      | No             | No     |

### EAP-TLS

It is very secure but requires client certificates so a PKI infrastructure should be in place.&#x20;

### PEAP

It requires only server side certificate and it is supported by Cisco and Microsoft. There are 2 implementations: **PEAP-GTC** (generic implementation) and **PEAP-MS-CHAPv2** (works with Microsoft AD)

### EAP-FAST

It aims to provide as much security as EAP-TLS but without the need to manage certificates on client or server side.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ccie.nyquist.eu/security/eap-101.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.