Extensible Authentication Protocol (EAP) is an authentication framework, not an actual protocol like PAP or CHAP.
EAP allows customized authentication security solutions, such as supporting smartcards, tokens, and biometrics.
EAP is often used in network communication protocols, such as those for wireless networks (like Wi-Fi) and Virtual Private Networks (VPNs). When it is used for Wi-Fi, it runs at OSI layer 2 (Data Link) and is called EAP over LAN (EAPOL). When it is used for VPNs, it runs at OSI layer 3.
EAP was originally designed for use over physically isolated channels and thus assumed secured pathways. Some EAP methods use encryption, but others do not.
EAP and IEEE 802.1X
IEEE 802.1X relies on the use of encapsulated EAP to support a wide range of authentication options.
EAP Methods
There are over 40 EAP methods or derivatives defined.
EAP methods featured in this post:
- LEAP
- PEAP
- EAP-SIM
- EAP-FAST
- EAP-MD5
- EAP-POTP
- EAP-TLS
- EAP-TTLS
LEAP
Deprecated
Lightweight EAP (LEAP) was developed before WPA2 existed, and it should no longer be used.
It was a Cisco proprietary technology.
PEAP
Protected EAP (PEAP) encapsulates EAP in a TLS tunnel.
It is safer than EAP on its own, as PEAP imposes its own security through the TLS tunnel.
EAP-SIM
EAP Subscriber Identity Module (EAP-SIM) is used to authenticate mobile devices over a GSM network.
EAP-FAST
Deprecated
EAP Flexible Authentication via Secure Tunneling (EAP-FAST) was developed before WPA2 existed, and it should no longer be used.
It was a Cisco proprietary technology.
EAP-MD5
Deprecated
EAP-MD5 is obsolete because it uses the deprecated algorithm MD5.
EAP-POTP
EAP Protected One-Time Password (EAP-POTP) supports the use of OTP tokens in multifactor authentication (MFA).
EAP-TLS
EAP Transport Layer Security (EAP-TLS) is an open IETF standard that implements the TLS protocol. It works best when both endpoints have a digital certificate.
EAP-TTLS
EAP Tunneled Transport Layer Security (EAP-TTLS) is an extension of TLS that creates a VPN-like tunnel between endpoints prior to authentication.
It is safer than EAP-TLS because even the username is not transmitted in cleartext.
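As an added example (not from the original post or the cited guide), the following Python decodes an EAPOL frame as seen on a Wi-Fi or wired 802.1X link (the bytes after the 0x888E Ethertype), pulls out the EAP code and method type, and flags the methods this post marks as deprecated. The method type numbers are the IANA-assigned EAP type values; the three sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_EAP_PACKET = 0  # EAPOL packet type 0 carries an EAP packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the methods covered in this post
EAP_METHODS = {4: "EAP-MD5", 13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM",
               21: "EAP-TTLS", 25: "PEAP", 32: "EAP-POTP", 43: "EAP-FAST"}
DEPRECATED = {"LEAP", "EAP-FAST", "EAP-MD5"}  # as classified in this post

# Constructed sample frames: EAPOL header (version, type, length) + EAP packet
PEAP_START = bytes.fromhex("02000006" "012a0006" "1920")  # Request id 42, PEAP, S flag
LEAP_REQ = bytes.fromhex("02000005" "01010005" "11")      # Request id 1, LEAP
EAP_SUCCESS = bytes.fromhex("02000004" "03020004")        # Success id 2, no type


@dataclass
class EapInfo:
    eapol_version: int
    code: str
    identifier: int
    method: Optional[str]  # None for Success/Failure, which carry no type byte
    deprecated: bool


def parse_eapol(frame: bytes) -> EapInfo:
    """Decode an EAPOL frame and the EAP packet it carries; reject malformed input."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"not an EAP-Packet (EAPOL type {ptype})")
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPOL body")
    code_name = EAP_CODES.get(code)
    if code_name is None:
        raise ValueError(f"unknown EAP code {code}")
    method = None
    if code in (1, 2):  # only Request/Response carry a method type byte
        if eap_len < 5:
            raise ValueError("Request/Response without type byte")
        method = EAP_METHODS.get(body[4], f"type-{body[4]}")
    return EapInfo(version, code_name, ident, method, method in DEPRECATED)
```

Feeding captured EAPOL frames through `parse_eapol` lets a monitoring script alert whenever a supplicant or authenticator negotiates LEAP, EAP-FAST or EAP-MD5.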
External References
- Chapman et al., "CISSP Official Study Guide, 9th Edition", pp. 583-585, Wiley, 2021