What does EAP Stand for? You have asked yourself many times what does EAP stand for. Find everything you need to know about the EAP.
EAP – Extensible Authentication Protocol is based on the IEEE 802.1x standard. Three nodes are involved in the EAP security authentication:
- Wireless client
- Access Point
- RADIUS server.
The EAP Authentication Procedure
Wireless client is usually called Supplicant in EAP. Access point in the EAP has name Authenticator and RADIUS server is called an Authentication Server.
The authentication process has the following steps:
- When there is a new client in WiFi network, access point – or broadband wireless router opens a port for the client. The port is, at first, in the unauthenticated state. This means that access point allows only EAP traffic for the new client. Client in the unauthenticated state doesn’t have Internet and it doesn’t have any other resources from the local network.
- The access point sends an EAP request to the Wireless client, and WLAN client sends him back EAP response.
- Access point forwards this EAP request to the RADIUS server. This means that access point doesn’t decide shall it allow access for new WLAN clients. This decision is made in the RADIUS server. The RADIUS server has the list of users and their credentials. The usual credentials are username and password or digital certificate. If the credentials for that particular wireless client are correct, access point allows normal traffic for that wireless client.
- In this state WLAN client has normal access to the network and internet.
Different Versions of the EAP Protocol
Now when you know what does EAP stand for, let’s see all the different version of the EAP security protocol:
LEAP is Lightweight Extensible Authentication Protocol. Cisco has developed LEAP with the intention to improve the WEP – Wired Equivalent Privacy. The LEAP authentication uses a modified version of the MS-CHAP protocol.
EAP-TLS is Transport Layer Security EAP. Many different vendors support EAP-TLS. Authentication is based on PKI – Public Key Infrastructure. If you want to have the best security level with the EAP-TLS, you need to use the smart cards on client side.
EAP-MD5 offers minimal security and has many security weaknesses. The biggest security issues for EAP-MD5 are
- dictionary attacks
- man in the middle attacks.
EAP-PSK – Pre-Shared Key is a lightweight EAP method. You don’t need to use the public-key cryptography. PSK uses Pre-shared key authentication.
EAP-TTLS – Tunneled Transport Layer Security is the extension of the TLS. It offers very good security without the clients that have installed certificates.
Cisco has designed EAP-FAST – Flexible Authentication via Secure Tunneling as a solution for the LEAP weaknesses. It uses the PAC – Protected Access Credentials file. Each user needs to have installed PAC certificate to be able to authenticate to the network.
EAP-IKEv2 – Internet Key Exchange is based on IKEv2 or Internet Key Exchange protocol version 2. It provides the session key establishment and mutual authentication between client and client.
EAP-EKE – Encryption Key Exchange provides authentication with the use of the short passwords.
Cisco has developed EAP-GTC – Generic Token Card as an alternative for PEAPv0/EAP-MSCHAPc2.
Mobile operators use EAP-SIM – Subscriber Identity Module. It uses 128 bit challenges.
EAP-AKA is Authentication and Key Agreement. The EAP-AKA can be used for:
What does EAP Stand for – the Final Notes
After reading this article, you know what does EAP stand for, and you know its different versions. The RADIUS server is the crucial node in the EAP authentication procedure. If you are already using Microsoft Server, the best option is a Microsoft RADIUS server.