EAP and LANs
EAP originated with the dial-up PPP protocol in order to support authentication methods beyond PAP and CHAP. For use on packet networks, EAP over LAN (EAPOL) was created. EAPOL added new message types and allowed an Ethernet header to be prefixed onto EAP messages so they could be transmitted over Ethernet. The following are EAP methods used mostly in wireless networks, but also in wired ones. See 802.1X, WPA and 802.11i.
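To make the framing concrete, here is an added example (not part of the encyclopedia entry) that builds and parses the Ethernet + EAPOL + EAP layering described above, using the field layouts from IEEE 802.1X and RFC 3748. The MAC addresses, the identity string and the three-frame exchange are constructed for the example; the parser checks every declared length against the bytes actually present, which is the check a defender wants on a frame that arrives before any authentication has happened.

```python
import struct
from typing import Optional

# Constructed example: build and parse EAPOL frames (IEEE 802.1X) down to the
# EAP header they carry. Field layouts follow IEEE 802.1X and RFC 3748.

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address

# EAPOL packet types from IEEE 802.1X.
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
# EAP codes (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types (IANA registry), including the methods covered on this page.
EAP_METHODS = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
    25: "PEAP", 43: "EAP-FAST",
}


def build_eap(code: int, identifier: int, method: Optional[int] = None, data: bytes = b"") -> bytes:
    """Encode one EAP packet: code, identifier, 16-bit total length, then
    (for Request/Response only) the method type byte and method data."""
    payload = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"", version: int = 2) -> bytes:
    """Prefix an Ethernet header and the 4-byte EAPOL header onto a body."""
    eth = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, eapol_type, len(body)) + body


def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet -> EAPOL -> EAP, rejecting truncated or inconsistent
    lengths instead of reading past the declared boundaries."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    result = {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown(%d)" % eapol_type),
    }
    if eapol_type != 0:          # only EAP-Packet carries an EAP header
        return result
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, identifier, eap_len = struct.unpack("!BBH", body[0:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length field inconsistent with EAPOL body")
    eap = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
           "identifier": identifier, "length": eap_len}
    if code in (1, 2):           # Request/Response carry a method type byte
        if eap_len < 5:
            raise ValueError("EAP Request/Response missing type byte")
        eap["method"] = EAP_METHODS.get(body[4], "unknown(%d)" % body[4])
        eap["data"] = body[5:eap_len]
    result["eap"] = eap
    return result


# Constructed sample exchange: the supplicant starts, the authenticator asks
# for an identity, the supplicant answers. MACs and identity are made up.
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("66778899aabb")
FRAME_START = build_eapol(PAE_GROUP_ADDRESS, SUPPLICANT, 1)
FRAME_REQUEST = build_eapol(SUPPLICANT, AUTHENTICATOR, 0, build_eap(1, 1, 1))
FRAME_RESPONSE = build_eapol(AUTHENTICATOR, SUPPLICANT, 0,
                             build_eap(2, 1, 1, b"user@example.com"))

if __name__ == "__main__":
    for f in (FRAME_START, FRAME_REQUEST, FRAME_RESPONSE):
        print(parse_eapol_frame(f))
```

The EAPOL-Start frame carries no EAP header at all, which is why the parser returns before looking for one; the Identity exchange that follows travels in clear text inside EAP-Packet frames, which is the reason the tunnelled methods below exist.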
EAP-TLS (EAP-Transport Layer Security)
Uses the handshake protocol of TLS, not its data encryption. Client and server authenticate each other using digital certificates. The client generates a pre-master secret by encrypting a random number with the server's public key and sends it to the server. Both client and server then derive the same secret session key from that pre-master secret.
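The last step, both sides turning the pre-master secret into the same key, is shown in this added example (not the encyclopedia's own material). It implements the TLS 1.2 PRF from RFC 5246 with Python's standard library and goes one step beyond the text by also deriving the EAP-TLS MSK/EMSK from RFC 5216, which is what the authenticator actually receives. The RSA exchange is assumed to have happened already, so the pre-master secret and the two handshake randoms are constructed byte strings that both sides hold.

```python
import hashlib
import hmac

# Constructed example of the TLS 1.2 PRF (RFC 5246, P_SHA256) and the EAP-TLS
# key derivation built on it (RFC 5216). The RSA step is assumed done: the
# server has decrypted the client's pre-master secret, so both hold it.


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret:
    PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def eap_tls_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5216 section 2.3: 128 bytes of key material under the label
    "client EAP encryption"; bytes 0..63 are the MSK (sent to the
    authenticator, e.g. the access point), bytes 64..127 the EMSK."""
    material = tls12_prf(master, b"client EAP encryption",
                         client_random + server_random, 128)
    return {"msk": material[:64], "emsk": material[64:128]}


def both_sides_agree(pre_master: bytes, client_random: bytes, server_random: bytes) -> bool:
    """Client and server each derive the master secret and MSK from the values
    they hold independently; the two derivations must match byte for byte."""
    client_ms = master_secret(pre_master, client_random, server_random)
    server_ms = master_secret(pre_master, client_random, server_random)
    client_msk = eap_tls_keys(client_ms, client_random, server_random)["msk"]
    server_msk = eap_tls_keys(server_ms, client_random, server_random)["msk"]
    return hmac.compare_digest(client_ms, server_ms) and hmac.compare_digest(client_msk, server_msk)


# Constructed inputs. In real TLS the pre-master secret for RSA key exchange is
# 2 version bytes (0x03 0x03 for TLS 1.2) followed by 46 random bytes, and each
# hello random is 32 bytes; the fixed patterns here are for reproducibility only.
PRE_MASTER = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes([0xAA] * 32)
SERVER_RANDOM = bytes([0x55] * 32)

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", ms.hex())
    print("MSK:", eap_tls_keys(ms, CLIENT_RANDOM, SERVER_RANDOM)["msk"].hex())
    print("both sides agree:", both_sides_agree(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM))
```

Because the randoms enter the derivation, an attacker who replays a captured pre-master ciphertext to a new session gets different keys; and because the MSK is derived on both ends rather than transmitted, the access point only ever sees key material handed to it by the authentication server.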
EAP-TTLS (EAP-Tunneled TLS)
Like EAP-TLS above, except that only the server has a certificate, which it uses to authenticate itself to the client first. As in EAP-TLS, a secure connection (the "tunnel") is established with secret keys, but that connection is then used to continue the authentication process: the client (and possibly the server again) is authenticated inside the tunnel using any EAP method or a legacy method such as PAP or CHAP.
PEAP (Protected EAP)
Similar to EAP-TTLS above, except that it does not support legacy methods; it carries only EAP frames inside the tunnel. Windows XP natively supports PEAP.
LEAP (Light EAP, Cisco LEAP)
From Cisco, the first implementation of EAP and 802.1X for wireless networks. It uses preshared keys and the MS-CHAP protocol to authenticate client and server to each other. The server generates a session key and sends it to the access point; the client computes the same session key independently from the data received in the CHAP challenge.
EAP-FAST (EAP-Flexible Authentication via Secure Tunneling)
An enhancement to LEAP from Cisco that provides an encrypted tunnel for distributing preshared keys known as Protected Access Credential (PAC) keys. PAC keys may be refreshed continuously to prevent dictionary attacks. EAP-FAST is defined in Cisco's Cisco Compatible Extensions (see CCX).
EAP-SIM (GSM Cellphones)
For GSM phones that switch between cellular and Wi-Fi networks depending on which is in range. The Subscriber Identity Module (SIM) smart card in the GSM phone (see GSM) holds the secret key used for challenge/response authentication and for deriving the session keys used for encryption.
Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2009 The Computer Language Company Inc. All rights reserved.
Additional Resources
- Radiator 4.5.1 (Mac) [Software downloads, 2009-11-16]
  Radiator RADIUS server is flexible, extensible, and authenticates from a huge range of auth methods, including Wireless, TLS, TTLS, PEAP, LEAP, FAST, SQL, proxy, DBM, files, LDAP, NIS+, password, NT SAM, Emerald, Platypus, Freeside, TACACS+, PAM, external, OPIE, POP3, EAP, Active Directory and Apple Password Server. Interoperates with Vasco Digipass,...
- Health Plan Supports Growth, Controls Costs, and Reduces Complexities With Licensing Plan [Case studies, 2009-10-23]
  With recent growth, Molina Healthcare wanted to use its existing technology assets and apply them to key business processes in order to drive down administrative costs and simplify customer interactions. Molina chose a cost-effective licensing program, the Microsoft Enrollment for Application Platform EAP for Enterprise Agreements. Molina is controlling costs...
- Evolynx Radius Server 5.0 (Windows) [Software downloads, 2009-09-22]
  Evolynx Radius is a high-performance RADIUS server for Microsoft .NET Framework (2000, XP, and 2003). It supports unlimited clients, realms, and customers. Some of the authentication protocols supported are PAP, CHAP, MS-CHAP1, MS-CHAP2, and EAP-MD5. Supports RADIUS proxy and conditional forwarding. A Web-based administration application helps manage customers and...
- Cloud Security Panel: Is cloud computing more or less secure than on-premises IT? [Discussion threads, 2009-08-13]
  I'm sure hackers will let you know. :) Sadly, so true.. With the exception of possibly Howard, I think most of the others at the EAP Conference are stuck on the proverbial "Cloud 9" about ... well ... the Cloud / SaaS. Honestly, this is the problem when you get all the "so called" experts...
- Vulnerability Analysis of Extensible Authentication Protocol (EAP) DoS Attack Over Wireless Networks [White papers, 2009-07-01]
  IEEE 802.11 supports 802.1x to provide a strong authentication mechanism for wireless networks. 802.1x utilizes the Extensible Authentication Protocol (EAP) as a framework for authentication, allowing a number of authentication methods to be used. Unfortunately, 802.1x includes some unprotected EAP packets during the authentication process which can be easily exploited by an...
- The next e-book frontier? Braille [Blog posts, 2009-04-20]
  It may just be a conceptual mockup, but man, if Yanko Design's Braille E-book proposal doesn't send a chill up your leg: E-books are still very much in their collective infancy. Amazon's Kindle, effectively the iPhone of the e-book category, is only on its second...
- WebLogic Suite Vs. Open Source Application Servers: The True Picture [White papers, 2009-04-01]
  In today's economic conditions, many IT organizations are looking for ways to reduce costs. One potential source of cost savings is the use of open-source technologies for non-mission-critical applications, which at first glance saves money by eliminating up-front software licensing costs. This paper looks in detail at how WebLogic Suite...
- Live coverage of Apple's iPhone 3.0 preview event [Blog posts, 2009-03-17]
  Welcome to live coverage of Apple's iPhone 3.0 preview event. The event is over now but you can read about it here as it unfolded. [ See also: Apple announces copy and paste, MMS, Spotlight, more for iPhone ] 08:47am: While we're waiting, what...
- Hardware 2.0 WWDC "blogging the blogs" coverage [Blog posts, 2008-06-09]
  Unfortunately a series of prior commitments meant that I couldn't make it to WWDC 08. Since I can't be there, I've decided to do the second best thing and cover WWDC from the angle of "blogging the blogs." So, here I am sitting in front of three...
- New tool cracks most enterprise wireless LANs [Blog posts, 2008-03-05]
  If your company or organization runs an enterprise wireless LAN network, I have some troubling news for you. Odds are high that your current "enterprise-class" wireless LAN deployment is vulnerable to authentication leakage which not only exposes your internal network but all of your server access controls. ...
- Securing WLANs With Two-Factor Authentication [White papers, 2008-03-01]
  While advances in wireless protocols have made major improvements in enabling WLAN security, two-factor authentication is crucial to protecting wireless networks from intrusion. Organizations can deploy wireless VPNs or can offer native WLAN access without the need to deploy and manage VPN client software, and they can implement two-factor authentication...
- Cisco confirms vulnerability in 7921 Wi-Fi IP phone [Blog posts, 2008-02-23]
  Two days after news of the Vocera Wi-Fi VoIP communicator PEAP security bypass vulnerability, I received confirmation from Cisco that their model 7921 Wi-Fi VoIP phone is also vulnerable to the same issue where digital certificates aren't cryptographically verified. Both Cisco and Vocera have told me that they intend to...
- Design flaw in wireless VoIP handsets endangers the enterprise [Blog posts, 2008-02-20]
  Update 2/23/2008: Cisco confirms vulnerability in 7921 Wi-Fi IP phone. Security-conscious businesses and organizations who implemented 802.1x/EAP enterprise-grade authentication are at risk with certain implementations of wireless LAN VoIP handsets. I have verified that Vocera Communications is one of the vulnerable vendors and I have...
- Cisco to release Mac version of Unified Personal Communicator [Blog posts, 2008-01-14]
  Cisco plans to release a fully native Mac version of its unified communications client at Macworld tomorrow, according to a blog post by Cisco's M. Michael Acosta. This is the same Cisco that had a brief argument with Apple over the rights to the iPhone name a year ago at...
- Wireless LAN Foundations [Training, 2008-01-01]
  View Available Dates and Locations. Learn how to design, secure, and support wireless networks through detailed course discussion and a broad range of hands-on configuration and testing exercises. Learn in-depth security principles and troubleshooting techniques. Gain a full understanding of how radio frequency affects networking so you can...
- Step-by-Step Guide: Deploying SSTP Remote Access [White papers, 2007-12-01]
  Secure Socket Tunneling Protocol (SSTP) is a new form of VPN tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of PPP allows support for...
- Red Hat delivers middleware stepping stone to larger platform distribution in fall [Blog posts, 2007-07-12]
  Red Hat has cemented another large stone into the foundation of its Enterprise Application Platform EAP 5.0, expected later this year, with the announcement of middleware solution EAP 4.2. EAP 4.2, the company's most comprehensive enterprise platform, weaves JBoss, Hibernate, and JBoss Seam into a single (integrated, tested, and certified) platform...
- Why VPN can't replace Wi-Fi security [Discussion threads, 2007-05-12]
  Why VPN can't replace Wi-Fi security. You mean people who say VPN is the only way to go? You mean people who say VPN is the only way to go? Ah, they're extremely common. In fact, they're probably the ones that voted this blog down. I was about to mention EAP-TLS,...
- Why VPN can't replace Wi-Fi security [Blog posts, 2007-05-12]
  Every time the subject of wireless LAN security comes up, people ask me about VPN as a solution for securing Wi-Fi (Wi-Fi is the common marketing name for 802.11 wireless LANs). I've always told people that VPN security shouldn't be a substitute for good Wi-Fi security and I even...
- Retailers haven't learned from TJX - still running WEP [Blog posts, 2007-05-10]
  When I blogged earlier this week about TJX's failure to secure their wireless LAN and how it may end up costing TJX a billion dollars, I knew that it was merely the tip of the iceberg with so many retailers still running WEP encryption. As if WEP wasn't already...