Back to the future with this Airheads Online article from June 2007
The Extensible Authentication Protocol (EAP), defined in RFC 3748, is, very simply, a transport protocol that has been optimized for authentication. It is important to note that EAP is not, in itself, an authentication protocol, even though it is often referred to that way: it is a framework that carries authentication methods. EAP expands on the authentication methods used by the Point-to-Point Protocol (PPP) and can support multiple authentication mechanisms such as token cards, smart cards, digital certificates, one-time passwords, and public key encryption. This section will focus on the popular EAP/authentication combinations and discuss how each works within a wireless security framework. In this article, EAP is always used in a wireless LAN context – therefore a more correct name for the EAP protocol is EAPOL, or EAP over LAN.
How EAP Works
Here's how it works: a user requests a connection to a wireless network through an access point. The access point requests identification data from the user and transmits that data to an authentication server. The authentication server, through the access point, asks the user for proof that the credentials are valid. Once the access point obtains that proof from the user and relays it to the authentication server, the user is connected to the network as requested. There are many different types or “flavors” of EAP; the difference between them lies in how the identification credentials are requested and transmitted.
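The exchange described above, as an added example that is not part of the original article: a minimal EAP packet codec following the RFC 3748 header layout (Code, Identifier, Length, Type, Type-Data), a supplicant, an access point acting as authenticator, and an authentication server running an Identity request followed by an MD5-Challenge. The user name, password and challenge bytes are constructed for the example; MD5-Challenge is used only because it is the simplest method specified in RFC 3748 itself.

```python
"""Simulated EAP exchange (added example, not the article's code).
Roles: supplicant (peer) <-> access point (authenticator) <-> authentication server.
The access point enforces the RFC 3748 direction rule: Requests flow toward the peer,
Responses flow away from it, and a Response must carry the Identifier of the
outstanding Request.  Names, password and challenge are constructed sample values."""
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4        # EAP Code values (RFC 3748 s.4)
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4   # EAP Type values used here (s.5)


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int] = None   # Success/Failure carry no Type octet
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.data
        # Length counts the 4-byte header plus Type and Type-Data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

    @staticmethod
    def decode(raw: bytes) -> "EapPacket":
        if len(raw) < 4:
            raise ValueError("EAP packet shorter than the 4-byte header")
        code, ident, length = struct.unpack("!BBH", raw[:4])
        if length < 4 or length > len(raw):
            raise ValueError("EAP Length field inconsistent with received bytes")
        if code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
            raise ValueError(f"unknown EAP Code {code}")
        body = raw[4:length]          # octets beyond Length are padding and ignored
        if code in (SUCCESS, FAILURE):
            return EapPacket(code, ident)
        if not body:
            raise ValueError("Request/Response must carry a Type octet")
        return EapPacket(code, ident, body[0], body[1:])


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge Value as in CHAP: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password

    def handle(self, req: EapPacket) -> Optional[EapPacket]:
        if req.code != REQUEST:          # a peer only ever answers Requests
            return None
        if req.type == TYPE_IDENTITY:
            return EapPacket(RESPONSE, req.identifier, TYPE_IDENTITY, self.identity.encode())
        if req.type == TYPE_MD5_CHALLENGE:
            challenge = req.data[1:1 + req.data[0]]           # Value-Size, then Value
            value = md5_challenge_value(req.identifier, self.password, challenge)
            return EapPacket(RESPONSE, req.identifier, TYPE_MD5_CHALLENGE,
                             bytes([len(value)]) + value + self.identity.encode())
        # Unsupported method: answer with a Nak listing what we do support
        return EapPacket(RESPONSE, req.identifier, TYPE_NAK, bytes([TYPE_MD5_CHALLENGE]))


class AuthServer:
    def __init__(self, users: Dict[str, bytes]):
        self.users, self.ident, self.challenge, self.name = users, 0, b"", ""

    def start(self) -> EapPacket:
        return EapPacket(REQUEST, self.ident, TYPE_IDENTITY)

    def handle(self, resp: EapPacket) -> EapPacket:
        # Only a Response whose Identifier matches the outstanding Request is accepted
        if resp.code != RESPONSE or resp.identifier != self.ident:
            raise ValueError("unexpected packet at authentication server")
        if resp.type == TYPE_IDENTITY:
            self.name, self.challenge = resp.data.decode(), os.urandom(16)
            self.ident += 1                       # every new Request gets a fresh Identifier
            return EapPacket(REQUEST, self.ident, TYPE_MD5_CHALLENGE,
                             bytes([16]) + self.challenge + b"example-server")
        if resp.type == TYPE_MD5_CHALLENGE and self.name in self.users:
            expected = md5_challenge_value(resp.identifier, self.users[self.name], self.challenge)
            got = resp.data[1:1 + resp.data[0]]
            # Success/Failure reuse the Identifier of the Response they answer
            return EapPacket(SUCCESS if got == expected else FAILURE, resp.identifier)
        return EapPacket(FAILURE, resp.identifier)


def authenticator_accepts_from_peer(raw: bytes) -> bool:
    """Access point rule: only Response packets are accepted from the peer side."""
    try:
        return EapPacket.decode(raw).code == RESPONSE
    except ValueError:
        return False


def run_exchange(supplicant: Supplicant, server: AuthServer) -> int:
    """Play the access point: relay frames both ways and return the final Code."""
    frame = server.start().encode()
    while True:
        to_peer = EapPacket.decode(frame)
        if to_peer.code in (SUCCESS, FAILURE):
            return to_peer.code
        reply = supplicant.handle(to_peer)
        if reply is None or not authenticator_accepts_from_peer(reply.encode()):
            return FAILURE                        # port stays unauthorized
        frame = server.handle(EapPacket.decode(reply.encode())).encode()
```

The codec and the role checks are the reusable part: a real access point carries the same EAP packets inside 802.1X (EAPOL) frames toward the client and inside RADIUS toward the server, and applies the same Identifier and direction checks. MD5-Challenge itself provides neither mutual authentication nor key derivation, which is why wireless deployments use tunnelled or certificate-based EAP methods instead.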
There are many different combinations of EAP and authentication types. A complete listing is available at http://www.iana.org/assignments/eap-numbers. The following list offers a description of the most popular versions as well as some design considerations:
Each combination of EAP plus an authentication type offers a unique approach to authentication. Which one to use is generally determined by the level of security required, the amount of administrative/management overhead desired, and the limitations of the clients (supplicants) that will implement EAP as well as the capabilities of the RADIUS servers used in the deployment.
The following table provides a side-by-side comparison of the EAP types:
Based on this table, we can draw some reasonably clear conclusions:
Hello, I wanted to know whether, in an EAP exchange, the Request message must be sent by the authenticator to the peer. Can the peer send the EAP Request message first as part of the actual authentication exchange?
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.