Around The Globe ATG.WORLD

Visit our sister website :

http://www.atg.world/

This is a social network for enthusiasts just like us. No Junk! Only meaningful conversations with the people who share the same enthusiasm as us.


Tuesday, July 6, 2010

Extensible Authentication Protocol (EAP)

What is Extensible Authentication Protocol (EAP)?
The Extensible Authentication Protocol (EAP) is a general protocol for PPP and wireless authentication which supports multiple authentication mechanisms. Microsoft Windows uses EAP to authenticate Point-to-Point Protocol (PPP)-based connections (such as dial-up, virtual private network remote access, and site-to-site connections) and for IEEE 802.1X-based network access to authenticating Ethernet switches and wireless access points (APs).

EAP begins when the authenticator sends one or more Requests to authenticate the peer. Each Request has a Type field to indicate what is being requested. Examples of Request types include Identity, MD5-Challenge, One-Time Password, Generic Token Card, etc. The peer sends a Response packet in reply to each Request, and the authenticator ends the authentication phase with a Success or Failure packet. This may look very simple, but the complexity resides in authenticating using the various methods such as EAP-PSK (Pre-Shared Keys), EAP-MD5 (MD5 hashing) and EAP-TLS (Transport Layer Security).

EAP Methods for Different Types of Network Access
The following table lists the different types of access and the EAP methods available for each in Microsoft Windows. Microsoft Windows also has its own proprietary MS-CHAPv2 authentication method, which provides secure authentication between devices.

Type of network access: Available EAP methods

Dial-up remote access or site-to-site connections: EAP-MD5 CHAP, EAP-TLS

Virtual private network remote access connections: EAP-MD5 CHAP, EAP-TLS, PEAP-MS-CHAP v2, PEAP-TLS

Virtual private network site-to-site connections: EAP-MD5 CHAP, EAP-TLS

802.1X authentication to an authenticating switch (wired): EAP-MD5 CHAP, PEAP-MS-CHAP v2, EAP-TLS, PEAP-TLS

802.1X authentication to a wireless AP: PEAP-MS-CHAP v2, EAP-TLS, PEAP-TLS

802.1x

I was trying to dig deeper into the Wireless Security Standards - WEP & WPA, when I read about 802.1x and I was blown away by its widespread use and the research work put behind the framing of the standard.

WEP had many security flaws, such as static pre-shared keys, which could be easily cracked. So Cisco came out with its interim solution for Wi-Fi security in its devices, which used dynamic key exchange, a new encryption key for each packet, and authentication using IEEE 802.1x. Extensible Authentication Protocol (EAP) authentication is now used in WPA and WPA2 for 802.11.

The IEEE 802.1x standard is simply a standard for passing EAP over a wired or wireless LAN. With 802.1x, you package EAP messages in Ethernet frames and don't use PPP. It's authentication and nothing more. That's desirable in situations in which the rest of PPP isn't needed, where you're using protocols other than TCP/IP, or where the overhead and complexity of using PPP is undesirable.

The three devices involved in the 802.1x authentication are the client, an authentication server and Wireless Access Point (WAP). The user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication, typically a RADIUS server, is called the authentication server. And the device in between, such as a wireless access point, is called the authenticator. One of the key points of 802.1x is that the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. This makes 802.1x ideal for wireless access points, which are typically small and have little memory and processing power.
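To make the Request/Response/Success exchange and the "EAP inside an Ethernet frame" point concrete, here is a small added example (my own code, not from the original post or from any vendor implementation). It encodes and parses EAP packets per the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data), wraps one in an EAPOL frame the way 802.1X does on a LAN, and walks an Identity plus MD5-Challenge conversation between peer and server; the authenticator is not modelled because, as the paragraph above says, it only relays. The user name, password and MAC addresses are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and method types (RFC 3748); EtherType used for EAPOL (IEEE 802.1X)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4
EAPOL_ETHERTYPE = 0x888E

def eap_packet(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("EAP length field does not match packet size")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def eapol_frame(dst_mac, src_mac, eap):
    """802.1X on a LAN: Ethernet header + EAPOL header (version 2, type 0 = EAP-Packet) + EAP."""
    return dst_mac + src_mac + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, 0, len(eap)) + eap

def md5_response(ident, secret, challenge):
    """EAP-MD5 response value: MD5(Identifier || secret || challenge), the CHAP hash (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def run_exchange(identity, password, server_db):
    """One EAP conversation: Identity, then MD5-Challenge, then Success/Failure.
    Returns (authenticated, list of EAP packets in the order they were sent)."""
    req1 = eap_packet(EAP_REQUEST, 1, TYPE_IDENTITY)              # server: who are you?
    resp1 = eap_packet(EAP_RESPONSE, 1, TYPE_IDENTITY, identity)  # peer: claimed identity
    _, _, _, claimed = parse_eap(resp1)
    challenge = os.urandom(16)                                    # server: fresh challenge
    req2 = eap_packet(EAP_REQUEST, 2, TYPE_MD5_CHALLENGE, bytes([16]) + challenge)
    resp2 = eap_packet(EAP_RESPONSE, 2, TYPE_MD5_CHALLENGE,       # peer: Value-Size || Value
                       bytes([16]) + md5_response(2, password, challenge))
    _, rid, rtype, rdata = parse_eap(resp2)
    expected = md5_response(rid, server_db.get(claimed, b""), challenge)
    ok = rtype == TYPE_MD5_CHALLENGE and hmac.compare_digest(rdata[1:1 + rdata[0]], expected)
    final = eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, 2)     # server ends the phase
    return ok, [req1, resp1, req2, resp2, final]

# Constructed sample credential store (not from the original post)
USERS = {b"alice": b"correct horse"}
```

Running it shows that EAP-MD5 sends the identity in the clear and derives no session keys, which is consistent with the table above listing it for dial-up and wired access but not for wireless APs.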