EAP authentication framework

EAP - Extensible Authentication Protocol

EAP is an authentication framework, not a specific authentication mechanism. It is used in network and internet connections and is defined in RFC 3748. It provides some common functions and the negotiation of authentication methods, called EAP methods. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's own messages.

EAP Tunneled Transport Layer Security (EAP-TTLS) is an EAP method that extends TLS. The client can, but does not have to, be authenticated to the server via a CA-signed PKI certificate. This greatly simplifies the setup procedure, since a certificate is not needed on every client.

Protected EAP (PEAP) adds a TLS layer on top of EAP in the same way as EAP-TLS, but it then uses the resulting TLS session as a carrier to protect other, legacy EAP methods.

Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows for clients to re-authenticate frequently; upon each successful authentication, the clients acquire a new WEP key. LEAP may be configured to use TKIP instead of dynamic WEP.

EAP-MD5 was the only IETF Standards Track EAP method when it was first defined. It offers minimal security: the MD5-based challenge/response is vulnerable to dictionary attacks, and the method does not support key generation, which makes it unsuitable for use with dynamic WEP or WPA/WPA2 enterprise.
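As an added example (not code from the page or from any EAP implementation), the following Python shows the two things the paragraphs above describe: the EAP packet format from RFC 3748 (Code, Identifier, Length, Type, Type-Data) with its length rules, and a server-side check of an EAP-MD5 (MD5-Challenge, Type 4) response, which RFC 3748 defines by analogy to PPP CHAP (RFC 1994): the response value is MD5(Identifier || password || challenge). All function and constant names, and the sample names `srv` and `alice`, are this example's own.

```python
"""Parse EAP packets (RFC 3748) and verify an EAP-MD5 response on the server side.

Added example; not the page's own code. Names and sample values are constructed here.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # Code field
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4             # Type field (Request/Response only)


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    type_data: bytes


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, enforcing the RFC 3748 header and Length rules."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError(f"bad EAP Length {length} for a {len(buf)}-byte buffer")
    body = buf[4:length]          # bytes beyond Length are lower-layer padding and are ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure must not carry data")
        return EapPacket(code, ident, None, b"")
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError(f"unknown EAP Code {code}")
    if not body:
        raise ValueError("Request/Response is missing the Type octet")
    return EapPacket(code, ident, body[0], body[1:])


def is_well_formed(buf: bytes) -> bool:
    """Convenience wrapper: True if parse_eap accepts the buffer."""
    try:
        parse_eap(buf)
        return True
    except ValueError:
        return False


def build_eap(code: int, ident: int, eap_type: Optional[int], type_data: bytes = b"") -> bytes:
    """Serialise a packet; Length covers the whole packet including the 4-byte header."""
    body = bytes([eap_type]) + type_data if code in (EAP_REQUEST, EAP_RESPONSE) else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def md5_challenge_request(ident: int, challenge: bytes, server_name: bytes = b"srv") -> bytes:
    # MD5-Challenge Type-Data: Value-Size (1 octet), Value (the challenge), Name (rest)
    return build_eap(EAP_REQUEST, ident, TYPE_MD5_CHALLENGE, bytes([len(challenge)]) + challenge + server_name)


def md5_response_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style response: MD5 over Identifier, shared secret and challenge, in that order."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def md5_challenge_response(ident: int, password: bytes, challenge: bytes, peer_name: bytes = b"alice") -> bytes:
    value = md5_response_value(ident, password, challenge)
    return build_eap(EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE, bytes([len(value)]) + value + peer_name)


def verify_md5_response(response: bytes, expected_ident: int, password: bytes, challenge: bytes) -> bool:
    """Server side: accept only a Response to the outstanding Identifier with a matching 16-byte Value."""
    pkt = parse_eap(response)
    if pkt.code != EAP_RESPONSE or pkt.eap_type != TYPE_MD5_CHALLENGE or pkt.identifier != expected_ident:
        return False
    if not pkt.type_data or pkt.type_data[0] != 16 or len(pkt.type_data) < 17:
        return False
    value = pkt.type_data[1:17]
    return hmac.compare_digest(value, md5_response_value(expected_ident, password, challenge))


def run_md5_exchange(server_password: bytes, peer_password: bytes) -> bool:
    """Full Request/Response round trip; True if the server accepts the peer."""
    ident, challenge = 0x2A, os.urandom(16)
    request = parse_eap(md5_challenge_request(ident, challenge))
    vsize = request.type_data[0]                 # peer extracts the challenge from Type-Data
    chal = request.type_data[1:1 + vsize]
    response = md5_challenge_response(request.identifier, peer_password, chal)
    return verify_md5_response(response, ident, server_password, challenge)


if __name__ == "__main__":
    print("matching password accepted:", run_md5_exchange(b"correct horse", b"correct horse"))
    print("wrong password accepted:", run_md5_exchange(b"correct horse", b"wrong"))
```

Two points the code makes concrete: the only secret input to the whole exchange is the password itself, so neither side ends up with fresh key material to export to the link layer (the "no dynamic key delivery" property), and the verifier must hold the password in a recoverable form, since the MD5 value cannot be checked against a one-way password hash.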

EAP Password (EAP-PWD), defined in RFC 5931, is a method which uses a shared password for authentication. The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack.

EAP Protected One-Time Password (EAP-POTP), which is described in RFC 4793, is an EAP method developed by RSA Laboratories that uses one-time password (OTP) tokens, such as a handheld hardware device or a hardware or software module running on a personal computer, to generate authentication keys.

EAP-POTP can be used to provide unilateral or mutual authentication and key material in protocols that use EAP. The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a personal identification number (PIN) to perform authentication.

Nimble out-of-band authentication for EAP (EAP-NOOB) is a generic bootstrapping solution for devices which have no pre-configured authentication credentials, such as IoT devices, and which are not yet registered on any server. It is especially useful for gadgets that come with no information about any owner, network or server. Authentication for this EAP method is based on a user-assisted out-of-band (OOB) channel between the server and the peer.

EAP-NOOB supports many types of OOB channels such as QR codes, NFC tags, audio etc. and unlike other EAP methods, the protocol security has been verified by formal modeling of the specification.

EAP-NOOB performs an Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange over the in-band EAP channel. The user then confirms this exchange by transferring the OOB message. Users can transfer the OOB message from the peer to the server when, for example, the device is a smart TV that can show a QR code. Alternatively, users can transfer the OOB message from the server to the peer when, for example, the device being bootstrapped is a camera that can only read a QR code.
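The following Python is an added example, not code from the page and not the EAP-NOOB wire format (RFC 9140), of the idea in the paragraph above: an ECDHE exchange on the in-band channel, followed by an OOB message that the user carries in either direction and that the receiving side checks against its own view of the exchange. X25519 is implemented from RFC 7748 so the block runs with the standard library only. The `Party` class, the OOB message shape (a random nonce `Noob` plus a hash `Hoob` over the transcript), the direction tags and the key derivation are assumptions made for this illustration and simplify the real protocol.

```python
"""ECDHE over the in-band channel, confirmed by a user-carried OOB message.

Added example; simplified sketch, not EAP-NOOB's actual message encoding.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = 2 ** 255 - 19                       # Curve25519 field prime
A24 = 121665                            # (A - 2) / 4 for the Montgomery curve
BASEPOINT = (9).to_bytes(32, "little")  # standard X25519 base point u = 9


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder, constant-time not attempted here)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64                                          # clamp the scalar as RFC 7748 requires
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the top bit of the u-coordinate
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


class Party:
    """One endpoint of the in-band exchange: the peer (device) or the server."""

    def __init__(self, role: str):
        self.role = role
        self.sk = secrets.token_bytes(32)          # ephemeral private key
        self.pk = x25519(self.sk, BASEPOINT)       # ephemeral public key sent in-band
        self.nonce = secrets.token_bytes(32)       # per-exchange nonce sent in-band
        self.other_pk: Optional[bytes] = None
        self.other_nonce: Optional[bytes] = None

    def receive_inband(self, pk: bytes, nonce: bytes) -> None:
        """In-band step: record the other side's values; nothing is authenticated yet."""
        self.other_pk, self.other_nonce = pk, nonce

    def _view(self) -> bytes:
        # Transcript as this party saw it, always ordered peer values first.
        if self.role == "peer":
            return self.pk + self.nonce + self.other_pk + self.other_nonce
        return self.other_pk + self.other_nonce + self.pk + self.nonce

    def make_oob(self) -> Tuple[bytes, bytes]:
        """Produce the OOB message (Noob, Hoob), e.g. to be shown as a QR code."""
        noob = secrets.token_bytes(16)
        hoob = hashlib.sha256(b"oob|" + self.role.encode() + b"|" + self._view() + noob).digest()
        return noob, hoob

    def check_oob(self, sender_role: str, noob: bytes, hoob: bytes) -> bool:
        """Recompute Hoob over this side's own view of the exchange and compare."""
        expected = hashlib.sha256(b"oob|" + sender_role.encode() + b"|" + self._view() + noob).digest()
        return hmac.compare_digest(expected, hoob)

    def session_key(self, noob: bytes) -> bytes:
        """Derive a key from the ECDHE secret and the OOB nonce (simplified KDF)."""
        z = x25519(self.sk, self.other_pk)
        return hashlib.sha256(b"key|" + z + noob).digest()


def bootstrap(direction: str = "peer-to-server", tampered: bool = False) -> bool:
    """Run ECDHE in-band, then confirm via OOB in the given direction.

    tampered=True models the in-band channel delivering a substituted server
    public key to the peer; the OOB check is what must catch this.
    """
    peer, server = Party("peer"), Party("server")
    server_pk_seen_by_peer = server.pk
    if tampered:
        server_pk_seen_by_peer = x25519(secrets.token_bytes(32), BASEPOINT)
    peer.receive_inband(server_pk_seen_by_peer, server.nonce)
    server.receive_inband(peer.pk, peer.nonce)
    if direction == "peer-to-server":           # device shows a QR code, user scans it at the server
        noob, hoob = peer.make_oob()
        ok = server.check_oob("peer", noob, hoob)
    else:                                        # server shows a QR code, device camera reads it
        noob, hoob = server.make_oob()
        ok = peer.check_oob("server", noob, hoob)
    if not ok:
        return False
    return hmac.compare_digest(peer.session_key(noob), server.session_key(noob))


if __name__ == "__main__":
    print("peer->server OOB, clean channel:", bootstrap("peer-to-server"))
    print("peer->server OOB, substituted key:", bootstrap("peer-to-server", tampered=True))
```

The point of hashing the whole in-band transcript into the OOB message is that the in-band ECDHE alone cannot tell either side whom it agreed a key with; the user-carried message is the only authenticated input, so it must commit to both public keys and both nonces, and it works in whichever direction the device's hardware allows.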

Comparison of EAP methods (columns: EAP-MD5, LEAP, EAP-TLS, EAP-TTLS, PEAP):

Property | EAP-MD5 | LEAP | EAP-TLS | EAP-TTLS | PEAP
Server Authentication | None | Password hash | Public Key (Certificate) | Public Key (Certificate) | Public Key (Certificate)
Supplicant Authentication | Password hash | Password hash | Public Key (Certificate or Smart Card) | CHAP, PAP, MS-CHAP(v2), EAP | Any EAP, like EAP-MS-CHAPv2 or Public Key
Dynamic Key Delivery | No | Yes | Yes | Yes | Yes