EAP is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined. Methods defined in
IETF RFCs include EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA, and EAP-AKA'. Additionally, a number of vendor-specific methods and new proposals exist. Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA,
LEAP and EAP-TTLS. Requirements for EAP methods used in
wireless LAN authentication are described in . The list of type and packets codes used in EAP is available from the IANA EAP Registry. The standard also describes the conditions under which the AAA key management requirements described in can be satisfied.
Lightweight Extensible Authentication Protocol (LEAP) The
Lightweight Extensible Authentication Protocol (LEAP) method was developed by
Cisco Systems prior to the
IEEE ratification of the
802.11i security standard. Cisco distributed the protocol through the CCX (Cisco Certified Extensions) as part of getting 802.1X and dynamic
WEP adoption into the industry in the absence of a standard. There is no native support for LEAP in any
Windows operating system, but it is widely supported by third-party client software most commonly included with WLAN (wireless LAN) devices.
LEAP support for Microsoft Windows 7 and Microsoft Windows Vista can be added by downloading a client add in from Cisco that provides support for both LEAP and EAP-FAST. Due to the wide adoption of LEAP in the networking industry many other WLAN vendors claim support for LEAP. LEAP uses a modified version of
MS-CHAP, an
authentication protocol in which user credentials are not strongly protected and easily compromised; an exploit tool called ASLEAP was released in early 2004 by Joshua Wright. Cisco recommends that customers who absolutely must use LEAP do so only with sufficiently complex passwords, though complex passwords are difficult to administer and enforce. Cisco's current recommendation is to use newer and stronger EAP protocols such as EAP-FAST,
PEAP, or EAP-TLS.
EAP Transport Layer Security (EAP-TLS) EAP Transport Layer Security (EAP-TLS), defined in , is an IETF
open standard that uses the
Transport Layer Security (TLS) protocol, and is well-supported among wireless vendors. EAP-TLS is the original, standard wireless LAN EAP authentication protocol. EAP-TLS is still considered one of the most secure EAP standards available, although TLS provides strong security only as long as the user understands potential warnings about false credentials, and is universally supported by all manufacturers of wireless LAN hardware and software. Until April 2005, EAP-TLS was the only EAP type vendors needed to certify for a WPA or WPA2 logo. There are client and server implementations of EAP-TLS in 3Com, Apple,
Avaya, Brocade Communications, Cisco, Enterasys Networks, Fortinet, Foundry, Hirschmann, HP, Juniper, Microsoft, and open source operating systems. EAP-TLS is natively supported in Mac OS X 10.3 and above,
wpa_supplicant, Windows 2000 SP4, Windows XP and above, Windows Mobile 2003 and above,
Windows CE 4.2, and Apple's iOS mobile operating system. Unlike most TLS implementations of
HTTPS, such as on the
World Wide Web, the majority of implementations of EAP-TLS require mutual authentication using client-side
X.509 certificates without giving the option to disable the requirement, even though the standard does not mandate their use. On 22 August 2012
hostapd (and wpa_supplicant) added support in its
Git repository for an UNAUTH-TLS vendor-specific EAP type (using the hostapd/wpa_supplicant project Private Enterprise Number), and on 25 February 2014 added support for the WFA-UNAUTH-TLS vendor-specific EAP type (using the
Wi-Fi Alliance Private Enterprise Number), which only do server authentication. This would allow for situations much like HTTPS, where a wireless hotspot allows free access and does not authenticate station clients but station clients wish to use encryption (
IEEE 802.11i-2004 i.e.
WPA2) and potentially authenticate the wireless hotspot. There have also been proposals to use
IEEE 802.11u for access points to signal that they allow EAP-TLS using only server-side authentication, using the standard EAP-TLS IETF type instead of a vendor-specific EAP type. The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side certificate; indeed, a password is not even needed, as it is only used to encrypt the client-side certificate for storage. The highest security available is when the "private keys" of client-side certificate are housed in
smart cards. This is because there is no way to steal a client-side certificate's corresponding private key from a smart card without stealing the card itself. It is more likely that the physical theft of a smart card would be noticed (and the smart card immediately revoked) than a (typical) password theft would be noticed. In addition, the private key on a smart card is typically encrypted using a PIN that only the owner of the smart card knows, minimizing its utility for a thief even before the card has been reported stolen and revoked.
EAP-MD5 EAP-MD5 was the only IETF Standards Track based EAP method when it was first defined in the original RFC for EAP, . It offers minimal security; the
MD5 hash function is vulnerable to
dictionary attacks, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise. EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5 support was first included in
Windows 2000 and deprecated in
Windows Vista.
EAP Protected One-Time Password (EAP-POTP) EAP Protected One-Time Password (EAP-POTP), which is described in , is an EAP method developed by RSA Laboratories that uses one-time password (OTP) tokens, such as a handheld hardware device or a hardware or software module running on a personal computer, to generate authentication keys. EAP-POTP can be used to provide unilateral or mutual authentication and key material in protocols that use EAP. The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a
personal identification number (PIN) to perform authentication.
EAP Pre-Shared Key (EAP-PSK) and Radiator RADIUS servers, and it is in hostapd and wpa_supplicant.
EAP Tunneled Transport Layer Security (EAP-TTLS) EAP Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends
TLS. It was co-developed by
Funk Software and
Certicom and is widely supported across platforms. Microsoft did not incorporate native support for the EAP-TTLS protocol in
Windows XP,
Vista, or
7. Supporting TTLS on these platforms requires third-party Encryption Control Protocol (ECP) certified software.
Microsoft Windows started EAP-TTLS support with
Windows 8, support for EAP-TTLS appeared in Windows Phone
version 8.1. The client can, but does not have to be authenticated via a
CA-signed
PKI certificate to the server. This greatly simplifies the setup procedure since a certificate is not needed on every client. After the server is securely authenticated to the client via its CA certificate and optionally the client to the server, the server can then use the established secure connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from
eavesdropping and
man-in-the-middle attack. Note that the user's name is never transmitted in unencrypted clear text, improving privacy. Two distinct versions of EAP-TTLS exist: original EAP-TTLS (a.k.a. EAP-TTLSv0) and EAP-TTLSv1. EAP-TTLSv0 is described in , EAP-TTLSv1 is available as an Internet draft.
EAP Internet Key Exchange v. 2 (EAP-IKEv2) EAP Internet Key Exchange v. 2 (EAP-IKEv2) is an EAP method based on the
Internet Key Exchange protocol version 2 (IKEv2). It provides mutual authentication and session key establishment between an EAP peer and an EAP server. It supports authentication techniques that are based on the following types of credentials: ;Asymmetric key pairs: Public/private key pairs where the public key is embedded into a
digital certificate, and the corresponding
private key is known only to a single party. ;Passwords: Low-
entropy bit strings that are known to both the server and the peer. ;Symmetric keys: High-entropy bit strings that are known to both the server and the peer. It is possible to use a different authentication
credential (and thereby technique) in each direction. For example, the EAP server authenticates itself using public/private key pair and the EAP peer using symmetric key. However, not all of the nine theoretical combinations are expected in practice. Specifically, the standard lists four use cases: The server authenticating with an asymmetric key pair while the client uses any of the three methods; and that both sides use a symmetric key. EAP-IKEv2 is described in , and a prototype implementation exists.
EAP Flexible Authentication via Secure Tunneling (EAP-FAST) Flexible Authentication via Secure Tunneling (EAP-FAST; ) is a protocol proposal by
Cisco Systems as a replacement for
LEAP. The protocol was designed to address the weaknesses of LEAP while preserving the "lightweight" implementation. Use of server certificates is optional in EAP-FAST. EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified. EAP-FAST has three phases: When automatic PAC provisioning is enabled, EAP-FAST has a vulnerability where an attacker can intercept the PAC and use that to compromise user credentials. This vulnerability is mitigated by manual PAC provisioning or by using server certificates for the PAC provisioning phase. It is worth noting that the PAC file is issued on a per-user basis. This is a requirement in sec 7.4.4 so if a new user logs on the network from a device, a new PAC file must be provisioned first. This is one reason why it is difficult not to run EAP-FAST in insecure anonymous provisioning mode. The alternative is to use device passwords instead, but then the device is validated on the network not the user. EAP-FAST can be used without PAC files, falling back to normal TLS. EAP-FAST is natively supported in Apple OS X 10.4.8 and newer.
Cisco supplies an EAP-FAST module for
Windows Vista and later operating systems which have an extensible EAPHost architecture for new authentication methods and supplicants.
Tunnel Extensible Authentication Protocol (TEAP) Tunnel Extensible Authentication Protocol (TEAP; ) is a tunnel-based EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) protocol to establish a mutually authenticated tunnel. Within the tunnel, TLV (Type-Length-Value) objects are used to convey authentication-related data between the EAP peer and the EAP server. In addition to peer authentication, TEAP allows the peer to ask the server for a certificate by sending a request in
PKCS#10 format. After receiving the certificate request and authenticating the peer, the server can provision a certificate to the peer in PKCS#7 format (). The server can also distribute trusted root certificates to the peer in PKCS#7 format (). Both operations are enclosed into the corresponding TLVs and happen securely within the already established TLS tunnel.
EAP Subscriber Identity Module (EAP-SIM) EAP
Subscriber Identity Module (EAP-SIM) is used for authentication and session key distribution using the subscriber identity module (SIM) from the Global System for Mobile Communications (
GSM). GSM cellular networks use a subscriber identity module card to carry out user authentication. EAP-SIM uses a SIM authentication algorithm between the client and an
Authentication, Authorization and Accounting (AAA) server providing mutual authentication between the client and the network. In EAP-SIM the communication between the SIM card and the Authentication Centre (AuC) replaces the need for a pre-established password between the client and the AAA server. The A3/A8 algorithms are being run a few times, with different 128 bit challenges, so there will be more 64 bit Kc-s which will be combined/mixed to create stronger keys (Kc-s won't be used directly). The lack of mutual authentication in GSM has also been overcome. EAP-SIM is described in .
EAP Authentication and Key Agreement (EAP-AKA) Extensible Authentication Protocol Method for
Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (EAP-AKA), is an EAP mechanism for authentication and session key distribution using the UMTS Subscriber Identity Module (
USIM). EAP-AKA is defined in . ===EAP Authentication and Key Agreement
prime (EAP-AKA')=== The EAP-AKA' variant of EAP-AKA, defined in , and is used for non-3GPP access to a
3GPP core network. For example, via
EVDO,
WiFi, or
WiMax.
EAP Generic Token Card (EAP-GTC) EAP Generic Token Card, or EAP-GTC, is an EAP method created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2 and defined in and . EAP-GTC carries a text challenge from the authentication server, and a reply generated by a
security token. The PEAP-GTC authentication mechanism allows generic authentication to a number of databases such as
Novell Directory Service (NDS) and
Lightweight Directory Access Protocol (LDAP), as well as the use of a
one-time password.
EAP Encrypted Key Exchange (EAP-EKE) EAP with the
encrypted key exchange, or EAP-EKE, is one of the few EAP methods that provide secure mutual authentication using short passwords and no need for
public key certificates. It is a three-round exchange, based on the
Diffie-Hellman variant of the well-known EKE protocol. EAP-EKE is specified in .
Nimble out-of-band authentication for EAP (EAP-NOOB) Nimble out-of-band authentication for EAP (EAP-NOOB) is a generic bootstrapping solution for devices which have no pre-configured authentication credentials and which are not yet registered on any server. It is especially useful for Internet-of-Things (IoT) gadgets and toys that come with no information about any owner, network or server. Authentication for this EAP method is based on a user-assisted out-of-band (OOB) channel between the server and peer. EAP-NOOB supports many types of OOB channels such as QR codes, NFC tags, audio etc. and unlike other EAP methods, the protocol security has been verified by formal modeling of the specification with
ProVerif and
MCRL2 tools. EAP-NOOB performs an Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) over the in-band EAP channel. The user then confirms this exchange by transferring the OOB message. Users can transfer the OOB message from the peer to the server, when for example, the device is a smart TV that can show a QR code. Alternatively, users can transfer the OOB message from the server to the peer, when for example, the device being bootstrapped is a camera that can only read a QR code. ==Encapsulation==