EAP in networking stands for Extensible Authentication Protocol, and it's a framework that provides a way to transport authentication information between a client (like a laptop connecting to Wi-Fi) and an authentication server (like a RADIUS server). Think of it as the messenger service that allows different authentication methods to be used without requiring changes to the network infrastructure.
Understanding EAP
EAP doesn't actually do the authentication itself. Instead, it provides a standardized format for different authentication methods, often referred to as EAP types, to be used. This allows for a flexible and adaptable authentication system.
How EAP Works
Here's a breakdown of how EAP generally functions within a wireless network context:
- Supplicant (Client): This is the device trying to gain network access (e.g., a laptop, smartphone). It initiates the authentication process.
- Authenticator (Access Point/Network Device): This device controls access to the network (e.g., a Wi-Fi access point, a network switch). It relays messages between the supplicant and the authentication server.
- Authentication Server (RADIUS Server): This is the server that verifies the supplicant's credentials. Common examples include RADIUS (Remote Authentication Dial-In User Service) servers.
The process unfolds as follows:
- The supplicant attempts to connect to the network.
- The authenticator requests authentication information.
- The supplicant and the authentication server (via the authenticator) negotiate an EAP type. This selects the authentication method to be used (e.g., EAP-TLS, EAP-TTLS, PEAP).
- The supplicant provides authentication credentials based on the chosen EAP type. This might involve a username/password, a digital certificate, or other forms of authentication.
- The authentication server verifies the credentials.
- The authentication server informs the authenticator whether the authentication was successful.
- If successful, the authenticator grants the supplicant access to the network.
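The exchange above, as an added example that is not part of the original page: it builds and parses EAP packets in the RFC 3748 wire format (Code, Identifier, Length, Type, Type-Data) and simulates the type negotiation between supplicant and server. It goes slightly beyond the text by showing the Nak mechanism EAP uses when the supplicant does not support the method the server proposes; the identity string and method lists are constructed sample values.

```python
import struct

# Packet codes and method Type numbers from RFC 3748 and the IANA EAP
# registry, for the methods this page lists.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, EAP_TLS, EAP_TTLS, PEAP, EAP_FAST = 1, 3, 13, 21, 25, 43

def encode_eap(code, ident, eap_type=None, data=b""):
    """Serialize one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def decode_eap(raw):
    """Parse into (code, identifier, type, type_data); reject a bad Length field."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP Length field disagrees with packet size")
    if code in (SUCCESS, FAILURE):          # no Type field on these codes
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response is missing its Type byte")
    return code, ident, raw[4], raw[5:length]

def negotiate(server_methods, client_methods, identity=b"alice@example.com"):
    """Simulate the supplicant/server exchange up to agreement on an EAP type.
    Returns (agreed Type or None, list of decoded packets in order)."""
    trace, ident = [], 0
    # Steps 1-2 of the page: server asks for an identity, supplicant replies.
    trace.append(decode_eap(encode_eap(REQUEST, ident, IDENTITY)))
    trace.append(decode_eap(encode_eap(RESPONSE, ident, IDENTITY, identity)))
    # Step 3: server proposes its preferred method in a Request of that Type.
    ident += 1
    proposal = server_methods[0]
    trace.append(decode_eap(encode_eap(REQUEST, ident, proposal)))
    if proposal not in client_methods:
        # Supplicant answers with a Nak listing the Types it does support.
        nak = decode_eap(encode_eap(RESPONSE, ident, NAK, bytes(client_methods)))
        trace.append(nak)
        common = [m for m in nak[3] if m in server_methods]
        ident += 1
        if not common:                      # nothing in common: Failure
            trace.append(decode_eap(encode_eap(FAILURE, ident)))
            return None, trace
        proposal = common[0]
        trace.append(decode_eap(encode_eap(REQUEST, ident, proposal)))
    # Method-specific packets (e.g. the TLS handshake for EAP-TLS) follow.
    return proposal, trace
```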
Common EAP Types
Several EAP types exist, each with its own security characteristics and implementation requirements. Some common types include:
- EAP-TLS (Transport Layer Security): Uses digital certificates for mutual authentication (both the client and server authenticate each other). Considered very secure, but requires certificate management.
- EAP-TTLS (Tunneled Transport Layer Security): Establishes an encrypted tunnel between the supplicant and the authentication server, then uses a simpler authentication method (like PAP, CHAP, or MS-CHAP) within the tunnel.
- PEAP (Protected EAP): Similar to EAP-TTLS, it creates an encrypted tunnel. Often used with MS-CHAPv2 for password-based authentication.
- EAP-FAST (Flexible Authentication via Secure Tunneling): Developed by Cisco, it uses a Protected Access Credential (PAC) for initial authentication, followed by a TLS tunnel for subsequent authentication.
- LEAP (Lightweight Extensible Authentication Protocol): A proprietary EAP type developed by Cisco; it is now considered insecure and should be avoided.
Benefits of Using EAP
- Flexibility: Supports various authentication methods through EAP types.
- Security: Provides stronger authentication than older schemes such as WEP or WPA-TKIP.
- Centralized Authentication: Enables centralized user management and access control through an authentication server.
- Scalability: Handles a large number of users and devices on a network.
Example Scenario
Imagine a company with a Wi-Fi network. Employees connect to the network using their laptops. The company uses EAP-TLS for authentication.
- An employee opens their laptop and tries to connect to the company's Wi-Fi.
- The laptop (supplicant) communicates with the Wi-Fi access point (authenticator).
- The laptop and authentication server (RADIUS server) negotiate to use EAP-TLS.
- The laptop presents its digital certificate to the RADIUS server.
- The RADIUS server verifies the certificate.
- If the certificate is valid, the RADIUS server tells the access point to grant the laptop access to the network.
In conclusion, EAP provides a secure and flexible framework for authenticating devices to a network, offering a wide range of authentication options through different EAP types and enabling centralized user management.