Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP) is an authentication framework, not a specific authentication mechanism, frequently used in wireless networks and point-to-point connections. It provides some common functions and negotiation of authentication methods called EAP methods.

The EAP protocol can support multiple authentication mechanisms without having to pre-negotiate a particular one. There are currently about 40 different methods defined.

EAP authentication is initiated by the server (authenticator), whereas many other authentication protocols are initiated by the client (peer). The EAP authentication exchange proceeds as follows:

1) The authenticator (the server) sends a Request to authenticate the peer (the client).

2) The peer sends a Response packet in reply to a valid Request.

3) The authenticator sends an additional Request packet, and the peer replies with a Response. The sequence of Requests and Responses continues as long as needed. EAP is a ‘lock step’ protocol, so that other than the initial Request, a new Request cannot be sent prior to receiving a valid Response.

4) The conversation continues until the authenticator cannot authenticate the peer (unacceptable Responses to one or more Requests), in which case the authenticator implementation MUST transmit an EAP Failure (Code 4). Alternatively, the authentication conversation can continue until the authenticator determines that successful authentication has occurred, in which case the authenticator MUST transmit an EAP Success (Code 3).

 

Frequently Asked Questions
What is EAP Extensible Authentication Protocol?

EAP is an authentication framework, not a specific authentication mechanism, frequently used in wireless networks and point-to-point connections. It provides some common functions and negotiation of authentication methods called EAP methods.

What is EAP authentication process?

The EAP authentication exchange proceeds as follows:

  • The authenticator (the server) sends a Request to authenticate the peer (the client).
  • The peer sends a Response packet in reply to a valid Request.
  • The authenticator sends an additional Request packet, and the peer replies with a Response. The sequence of Requests and Responses continues as long as needed.  EAP is a ‘lock step’ protocol, so that other than the initial Request, a new Request cannot be sent prior to receiving a valid Response.
  • The conversation continues until the authenticator cannot authenticate the peer (unacceptable Responses to one or more Requests), in which case the authenticator implementation MUST transmit an EAP Failure (Code 4). Alternatively, the authentication conversation can continue until the authenticator determines that successful authentication has occurred, in which case the authenticator MUST transmit an EAP Success (Code 3).
What is EAP SIM authentication?

EAP Subscriber Identity Module (EAP-SIM) is used for authentication and session key distribution using the Global System for Mobile Communications (GSM) subscriber identity module (SIM). EAP-SIM uses a SIM authentication algorithm between the client and an Authentication, Authorization and Accounting (AAA) server to enable mutual authentication between the client and the network.

What is EAP FAST?

Flexible Authentication via Secure Tunneling (EAP-FAST) is a protocol proposed by Cisco Systems as a replacement for it previously proposed Lightweight Extensible Authentication Protocol (LEAP). The protocol was designed to address the weaknesses of LEAP while preserving its “lightweight” implementation. EAP-FAST uses a pre-shared key called Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified.

What is EAP, LEAP and PEAP?

EAP is an authentication framework, not a specific authentication mechanism, frequently used in wireless networks and point-to-point connections. It provides some common functions and negotiation of authentication methods called EAP methods.

 

LEAP is a Lightweight Extensible Authentication Protocol (LEAP) method that was developed by Cisco Systems. LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and easily compromised. An exploit tool called ASLEAP was released in early 2004 for LEAP. Cisco now recommends using EAP-FAST, PEAP, or EAP-TLS.

PEAP is a Protected Extensible Authentication Protocol (PEAP), also known as Protected EAP, is an authentication protocol that encapsulates EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel. It was developed and published to correct deficiencies in EAP (EAP assumed a protected communication channel, so facilities for protection of the EAP conversation were not originally provided).

PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security.