EAP 101
EAP (Extensible Authentication Protocol) is a general protocol for authentication that supports multiple authentication methods. EAP doesn't specify the type of authentication to use, but rather the authentication steps
EAP consists of 4 packets:
EAP Request: Authenticator sends the request packe to the supplicant.
EAP Response: The suplicant sends the response packet to the authenticator and uses a sequence number to identify each request.
One response could be NAK which means the authentication method is not supported
EAP Success: The authenticator sends the success packet to the supplicant after a succesful authentication
EAP Failure: The authenticator sends the success packet to the supplicant after a failed authentication
EAP Types
The most common forms of EAP are:
| EAP Types | EAP-TLS | PEAP | EAP-FAST | EAP-TTLS | LEAP |
|---|---|---|---|---|---|
Mutual Authentication | YES | YES | YES | YES | YES |
Client certificate required | YES | NO | NO | NO | NO |
Server certificate required | YES | YES | Optional | YES | NO |
Wi-Fi Security | Very High | High | High | High | Medium |
Provider | Microsoft | Microsoft, Cisco | Cisco | Funk (Juniper) | Cisco |
Rogue AP Detection | No | No | Yes | No | No |
EAP-TLS
It is very secure but requires client certificates so a PKI infrastructure should be in place.
PEAP
It requires only server side certificate and it is supported by Cisco and Microsoft. There are 2 implementations: PEAP-GTC (generic implementation) and PEAP-MS-CHAPv2 (works with Microsoft AD)
EAP-FAST
It aims to provide as much security as EAP-TLS but without the need to manage certificates on client or server side.
Last updated