
Extensible Authentication Protocol

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Extensible Authentication Protocol
Acronym: EAP
Developer: Internet Engineering Task Force
Initial release: 1998
Latest release: 2004
Status: Active
Related: IEEE 802.1X, RADIUS, Diameter

Extensible Authentication Protocol is a framework for transporting authentication protocols used widely in network access control, wireless networks, and point-to-point connections. It provides a flexible container to negotiate authentication methods between peers, enabling integration with diverse systems such as 802.11 wireless LANs, Virtual Private Network services, and Point-to-Point Protocol links. EAP's modular design allows deployment alongside infrastructure components like RADIUS, Diameter, and IEEE 802.1X to support enterprise and carrier-grade authentication.

Overview

EAP defines a message format and state machine used by clients, authenticators, and authentication servers such as FreeRADIUS and those offered by Cisco Systems, Juniper Networks, Microsoft, and Red Hat. The framework separates the transport layer from the authentication mechanism, allowing methods like EAP-TLS, EAP-TTLS, PEAP, and EAP-SIM to operate over transports such as IEEE 802.11, PPP, 802.1X, and GPRS. Implementations often interoperate with backend identity stores including Active Directory, LDAP, and Kerberos for credential validation. The IETF published the core specification as RFC 3748, with later maintenance documents produced by the associated working groups.

Protocol Architecture and Operation

EAP operates as a request-response protocol between an authenticator (e.g., a wireless access point from vendors like Aruba Networks or Ruckus Wireless) and an authentication server (e.g., FreeRADIUS, Microsoft NPS). Typical deployments use the authenticator to relay EAP packets, encapsulated in protocols such as RADIUS or Diameter, to the authentication server, which may consult directories like OpenLDAP or identity providers like Okta and Azure Active Directory. The protocol supports methods requiring multiple round trips and cryptographic exchanges, enabling the mutual authentication patterns seen in Public Key Infrastructure deployments managed with Entrust or DigiCert. EAP's state machine handles start, challenge, success, and failure states; supplicant implementations exist in wpa_supplicant, NetworkManager, Windows, and iOS.
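The following is an added example, not code from the original article or from any of the implementations it names. It encodes and parses the RFC 3748 packet layout (Code, Identifier, Length, Type, Type-Data), walks one Identity/Nak exchange from the peer's side, and shows how an authenticator would split a packet into RADIUS EAP-Message attributes for relaying. The identity string and helper names are constructed for illustration; the Length check is the point a parser must not skip, since a Length that exceeds the received data is the classic over-read bug.

```python
import struct

# RFC 3748 Code values, a few Type values, and the RADIUS attribute used for relaying (RFC 3579)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS = 1, 3, 13
RADIUS_EAP_MESSAGE = 79
MAX_ATTR_VALUE = 253   # RADIUS AVP Length is one octet and covers the 2-octet header

def build(code, identifier, etype=None, data=b""):
    """Serialise Code | Identifier | Length | [Type | Type-Data]; Success/Failure have no Type."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse(buf):
    """Return (code, identifier, type_or_None, data), rejecting inconsistent Length fields."""
    if len(buf) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("Length field disagrees with received data")
    if code in (SUCCESS, FAILURE):
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 octets")
        return (code, identifier, None, b"")
    if code not in (REQUEST, RESPONSE) or length < 5:
        raise ValueError("unknown Code or missing Type octet")
    # Octets beyond Length are lower-layer padding and are dropped, never interpreted
    return (code, identifier, buf[4], buf[5:length])

def to_radius_eap_message(eap):
    """Chunk one EAP packet into EAP-Message AVPs, as an authenticator does before relaying."""
    chunks = [eap[i:i + MAX_ATTR_VALUE] for i in range(0, len(eap), MAX_ATTR_VALUE)]
    return [bytes([RADIUS_EAP_MESSAGE, 2 + len(c)]) + c for c in chunks]

def peer_respond(request, identity, supported):
    """Minimal supplicant step: echo the Identifier, answer Identity, Nak unsupported methods."""
    code, identifier, etype, _ = parse(request)
    if code != REQUEST:
        raise ValueError("a peer only answers Requests")
    if etype == TYPE_IDENTITY:
        return build(RESPONSE, identifier, TYPE_IDENTITY, identity)
    if etype in supported:
        return build(RESPONSE, identifier, etype, b"")   # method-specific data would follow
    # Nak (Type 3) lists the method Types the peer would accept instead (RFC 3748 s5.3)
    return build(RESPONSE, identifier, TYPE_NAK, bytes(sorted(supported)))
```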

Authentication Methods and EAP Types

Numerous EAP types have been standardized and deployed, each targeting specific credential classes and environments. Notable examples include certificate-based methods like EAP-TLS used by enterprises and government agencies, tunneled methods such as EAP-TTLS and PEAP popularized by vendors including Cisco Systems and Microsoft, SIM- and AKA-based methods like EAP-SIM, EAP-AKA and EAP-AKA’ used by mobile operators such as Vodafone and AT&T, and fast re-authentication methods like EAP-FAST developed by Cisco Systems. Other types include token-based solutions interoperating with RSA SecurID and smartcard integrations used in Department of Defense environments that rely on Common Access Card infrastructure. Experimental and newer methods have been proposed in IETF documents and implemented by projects like hostapd.

Security Considerations and Vulnerabilities

Security analysis of EAP has focused on the strength of inner methods, tunnel integrity, credential confidentiality, and server-side protections. Weak inner methods such as MS-CHAPv2, historically used in PEAP deployments, have been targeted by offline attack tools and by cryptanalysis conducted at institutions like Carnegie Mellon University and Stanford University. Attacks on RADIUS proxies and misconfigured supplicants have been documented in deployments of equipment from vendors including Linksys and Netgear. Countermeasures involve deploying certificate-based methods like EAP-TLS, implementing certificate validation as prescribed in RFC 5281 and RFC 7170, using hardware security modules from vendors such as Thales to protect private keys, and following operational guidance from organizations like NIST and ENISA. Newer analyses consider side-channel vectors and the migration to quantum-resistant algorithms, a concern relevant to agencies such as the NSA.

Implementation and Deployment

EAP is implemented across operating systems and networking products from Microsoft Windows, Apple macOS, Linux distributions (via wpa_supplicant and hostapd), and network equipment by Cisco Systems, Arista Networks, Huawei, and Hewlett Packard Enterprise. Deployments often integrate with AAA infrastructures using FreeRADIUS, Radiator, Cisco ISE, and Microsoft NPS and use certificate authorities like Let's Encrypt or enterprise PKI solutions from Entrust. In carrier environments, EAP methods are embedded in SIM provisioning and charging systems managed by GSMA-aligned vendors and used in roaming architectures overseen by organizations like 3GPP and ETSI. Best practices include proper certificate lifecycle management, deployment of multiple authentication methods for fallback, and logging for integration with SIEM platforms such as Splunk and IBM QRadar.

Standards and Interoperability

Core EAP specifications and method documents have been produced by the IETF in RFCs that include both standards-track and informational texts. Interoperability testing occurs in industry consortia such as the Wi-Fi Alliance, which certifies WPA and WPA2 profiles relying on EAP, and in operator groups like the GSMA for cellular EAP usage. Vendor interoperability matrices and testbeds from the Metro Ethernet Forum and regional testing labs like ETSI Plugtests help validate cross-vendor behavior among equipment from Cisco Systems, Juniper Networks, Aruba Networks, and Ruckus Wireless. Standards evolution tracks work in IETF working groups and in related bodies including IEEE 802.11 and 3GPP.

History and Development

EAP originated from efforts in the late 1990s to standardize authentication in point-to-point and wireless contexts, with contributions from companies such as Cisco Systems, Lucent Technologies, and academic research at institutions like MIT and University of California, Berkeley. The IETF consolidated the framework in RFCs produced by working groups involving vendors and operators including Nokia, Ericsson, Motorola, and Microsoft. Subsequent years saw the proliferation of methods from vendors such as Cisco Systems and the integration into mobile standards guided by 3GPP and GSMA; security scrutiny and enhancements have been driven by research from Carnegie Mellon University, University of California, Davis, and industry labs at Bell Labs.

Category:Network protocols