Extensible Authentication Protocol

Extensible Authentication Protocol (EAP) is an authentication framework, not an actual protocol like PAP or CHAP.

EAP allows customized authentication security solutions, such as supporting smartcards, tokens, and biometrics.

EAP is often used in network communication protocols, such as those for wireless networks (like Wi-Fi) and Virtual Private Networks (VPNs). When it is used for Wi-Fi, it works at OSI layer 2 (Data Link) and is called EAP over LAN (EAPOL). When it is used for VPNs, it works at OSI layer 3.

EAP was originally designed for use over a physically isolated channel and thus assumed a secure pathway. Some EAP methods use encryption, but others do not.

EAP and IEEE 802.1X

IEEE 802.1X relies on the use of encapsulated EAP to support a wide range of authentication options.

EAP Methods

There are over 40 EAP methods or derivatives defined.

EAP methods featured on this post:

  • LEAP
  • PEAP
  • EAP-SIM
  • EAP-FAST
  • EAP-MD5
  • EAP-POTP
  • EAP-TLS
  • EAP-TTLS

LEAP

Deprecated

Lightweight EAP (LEAP) was developed before WPA2 existed, and it should no longer be used.

It was a Cisco proprietary technology.

PEAP

Protected EAP (PEAP) encapsulates EAP in a TLS tunnel.

It is safer than plain EAP, because PEAP supplies its own protection (the TLS tunnel) for the inner authentication exchange.

EAP-SIM

EAP Subscriber Identity Module (EAP-SIM) is used to authenticate mobile devices over a GSM network.

EAP-FAST

Deprecated

EAP Flexible Authentication via Secure Tunneling (EAP-FAST) was developed before WPA2 existed, and it should no longer be used.

It was a Cisco proprietary technology.

EAP-MD5

Deprecated

EAP-MD5 is obsolete because it relies on the deprecated MD5 hash algorithm.

EAP-POTP

EAP Protected One-time Password (EAP-POTP) supports the use of OTP tokens in multifactor authentication (MFA).

EAP-TLS

EAP Transport Layer Security (EAP-TLS) is an open IETF standard that uses the TLS protocol for authentication. It works best when both endpoints have a digital certificate.

EAP-TTLS

EAP Tunneled Transport Layer Security (EAP-TTLS) is an extension of TLS that creates a VPN-like tunnel between endpoints prior to authentication.

It is safer than EAP-TLS because even the username is not transmitted in cleartext.
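As an added example (not code from the original post), the following Python parser reads an EAPOL frame carrying an EAP packet, identifies the method from its Type field, and flags the methods marked deprecated above. The method type numbers are the IANA-registered EAP method types; the sample frames are constructed for the example and assume the EAPOL payload has already been separated from the Ethernet header.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IANA-registered EAP method Type numbers for the methods covered in this post
EAP_METHOD_NAMES = {
    4: "EAP-MD5", 13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM",
    21: "EAP-TTLS", 25: "PEAP", 32: "EAP-POTP", 43: "EAP-FAST",
}
# Methods this post marks as deprecated / no longer to be used
DEPRECATED = {"LEAP", "EAP-FAST", "EAP-MD5"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class EapInfo:
    code: str
    identifier: int
    method: Optional[str]   # None for Success/Failure, which carry no Type field
    deprecated: bool


def parse_eapol(frame: bytes) -> EapInfo:
    """Parse an EAPOL frame (layer-2 payload) that encapsulates one EAP packet.
    Layout: EAPOL = version(1) type(1) length(2); type 0 means EAP-Packet.
            EAP   = code(1) identifier(1) length(2) [type(1) type-data...]
    """
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:
        raise ValueError(f"EAPOL type {eapol_type} is not an EAP-Packet")
    body = frame[4:4 + eapol_len]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES or eap_len > len(body):
        raise ValueError("malformed EAP packet")
    method = None
    if code in (1, 2):  # only Request/Response carry a Type byte
        if eap_len < 5:
            raise ValueError("Request/Response without Type field")
        method = EAP_METHOD_NAMES.get(body[4], f"type-{body[4]}")
    return EapInfo(EAP_CODES[code], ident, method, method in DEPRECATED)


# Constructed samples: EAPOL v2 EAP-Packet frames (hex), not captured traffic
SAMPLE_LEAP_REQUEST = bytes.fromhex("0200000a" "0101000a11" "68656c6c6f")  # Type 17
SAMPLE_PEAP_START = bytes.fromhex("02000006" "0105000619" "20")             # Type 25
SAMPLE_SUCCESS = bytes.fromhex("02000004" "03020004")                       # EAP Success
```

Running the parser over captured EAPOL frames gives a quick audit of which methods supplicants on a network still negotiate.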
