What is the Extensible Authentication Protocol (EAP)?
The Extensible Authentication Protocol (EAP) is designed to provide a framework for universal authentication. EAP can be expanded and adapted in various ways to fit the unique authentication needs of an application and its clients. For example, the different EAP methods use various methods for securing the communications channel (TLS, etc.) and for authenticating a user’s identity (password, digital certificates, etc.).
How Does EAP Work?
EAP is used to enable authentication of a user or “peer” to a network or other system using EAP for authentication. The role of the authenticator is to verify the identity of the peer using the authentication methods or protocols implemented by the algorithm.
An EAP authentication session is a multi-stage process. The key steps include:
- Initiation: A client connecting to a network will send an EAP-Start message to the authenticator to kick off an EAP session and indicate its desire to connect.
- Negotiation: The authenticator will reply with an EAP-Request method asking the user for their identity.
- Authentication: An EAP-Response message will include the user’s identity and authentication information, such as a username and password, digital certificate, etc.
- Verification: The EAP authenticator will use the provided information to verify the user’s identity. After verification is complete, the authenticator will send an EAP-Success or EAP-Failure message based on the result of the authentication.
At the end of the EAP session, the authenticator has verified the client’s identity. It can then grant or block access to the requested network.
Common EAP Methods
One of the main selling points of EAP is that it is a flexible and extensible authentication protocol, which allows it to be adapted in various ways. Numerous EAP methods exist, including:
- EAP-TLS: EAP-TLS is built on the Transport Layer Security (TLS) protocol, which provides confidentiality, integrity, and authentication. EAP-TLS requires both the client and server to have digital certificates and offers mutual authentication.
- EAP-TTLS: EAP-TTLS works similarly to EAP-TLS, but it only requires the server to use a digital certificate for authentication.
- EAP-FAST: EAP-FAST is an EAP method designed by Cisco. It creates a secure tunnel for authentication traffic to flow over.
- PEAP: Protected EAP (PEAP) uses TLS and server-side certificates to create a secure, encrypted tunnel. The client is then authenticated inside that tunnel using a different EAP variant.
How is EAP Used?
EAP is commonly used to authenticate a user and device to a network. Some common applications of EAP include:
- Wireless Access: EAP can be used to augment WPA/WPA2 protocols for securing access to a wireless network.
- Virtual Private Networks: For remote users connecting over a virtual private network (VPN), an organization may use EAP to authenticate the user’s identity.
- Network Access Control: An enterprise may use EAP as part of its network access control (NAC) to verify devices before allowing them to communicate over the corporate LAN.
EAP is a protocol designed to act as a framework for implementing authentication to a network. Numerous EAP methods exist, which use various methods to verify the client’s identity and to protect the confidentiality of the authentication session.