EAP 101

EAP (Extensible Authentication Protocol) is a general protocol for authentication that supports multiple authentication methods. EAP doesn't specify the type of authentication to use, but rather the authentication steps

EAP consists of 4 packets:

  • EAP Request: Authenticator sends the request packe to the supplicant.

  • EAP Response: The suplicant sends the response packet to the authenticator and uses a sequence number to identify each request.

    • One response could be NAK which means the authentication method is not supported

  • EAP Success: The authenticator sends the success packet to the supplicant after a succesful authentication

  • EAP Failure: The authenticator sends the success packet to the supplicant after a failed authentication

EAP Types

The most common forms of EAP are:

EAP TypesEAP-TLSPEAPEAP-FASTEAP-TTLSLEAP

Mutual Authentication

YES

YES

YES

YES

YES

Client certificate required

YES

NO

NO

NO

NO

Server certificate required

YES

YES

Optional

YES

NO

Wi-Fi Security

Very High

High

High

High

Medium

Provider

Microsoft

Microsoft, Cisco

Cisco

Funk (Juniper)

Cisco

Rogue AP Detection

No

No

Yes

No

No

EAP-TLS

It is very secure but requires client certificates so a PKI infrastructure should be in place.

PEAP

It requires only server side certificate and it is supported by Cisco and Microsoft. There are 2 implementations: PEAP-GTC (generic implementation) and PEAP-MS-CHAPv2 (works with Microsoft AD)

EAP-FAST

It aims to provide as much security as EAP-TLS but without the need to manage certificates on client or server side.

Last updated