EAP – Extensible Authentication Protocol
This is a layer 2 authentication protocol used within the 802.1X framework
Often referred to as 802.1x
Applicable to both wired and wireless networks, although the standard was only clarified to cover wireless in 2004.
802.1X defines two logical ports used to facilitate secure authentication – Controlled and Uncontrolled.
The Uncontrolled port is used for the EAP traffic outlined below.
The Controlled port will be used for all other traffic between the Supplicant and Authenticator once authentication has occurred.
I’ll go into more depth with the above process in another article. There are a couple of major things that really helped me understand EAP vs 802.1X and the differences, but that’s for another time.
There are many different types of EAP with different levels of support across devices / vendors. Some are weaker and have been cracked, whilst others are stronger and offer varying levels of authentication which suit different deployments.
EAP-MD5 (Message Digest 5)
Traditionally used in wired networks, it was later adopted for wireless use.
Easily cracked these days, with a number of weaknesses: the username is sent in clear text, the MD5 challenge/response hash is weak, and there is no server-side validation
EAP-LEAP (Lightweight Extensible Authentication Protocol)
Designed by Cisco to address weaknesses with WEP
Touted as “Mutual Authentication” however this is not the same as your classic client/server-side validation – it is a ‘simple’ MS-CHAPv2 challenge/response
Also crackable: the username is sent in clear text and the hash is weak
EAP-FAST (Flexible Authentication via Secure Tunneling)
Originally Cisco proprietary, it is now a security standard.
Created in response to LEAP being cracked.
Does not use certificates to secure connections.
Instead it uses PACs (Protected Access Credentials), explained in the next post
EAP-PEAP (Protected Extensible Authentication Protocol)
Likely the most used EAP protocol due to convenience. It is very secure, yet involves less client-side hassle than EAP-TLS, which favours BYOD deployments
Creates an encrypted “outer” TLS Tunnel between supplicant and authentication server within which the EAP Authentication will take place
Key Point – This TLS tunnel is established with a server-side certificate
There are multiple types of EAP-PEAP.
The outer tunnel establishment method is always the same, but the inner method changes per EAP-PEAP type, each with its own strengths and weaknesses that favour different deployments.
EAP-PEAPv0 (MSCHAPv2) – Standard Username / Password combination
EAP-PEAPv0 (EAP-TLS) – Client-side certificate
EAP-PEAPv1 (EAP-GTC) – Generally used with security token devices like SecurID
EAP-TLS (Transport Layer Security)
Again developed by Cisco
Now standardised (RFC 5216)
Arguably the best EAP to use in terms of security
It isn’t very client-friendly for initial setup which can complicate BYOD deployments
Also increases overhead on the management side due to the back-end PKI/Certificate infrastructure required
Uses client-side as well as server-side certificates
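As an added example (not from the original post), wpa_supplicant configuration fragments for the EAP-PEAPv0 (MSCHAPv2) and EAP-TLS methods described above, with the PEAP entry shown both with and without the trust anchor for the server-side certificate. The SSID, identities, file paths, password and RADIUS server name are assumed placeholders.

```conf
# Added example, not the original post's content. SSID, identities, paths,
# password and the RADIUS server name below are assumed placeholders.

# EAP-PEAPv0 (MSCHAPv2): outer TLS tunnel authenticated by the server-side
# certificate, username/password exchanged inside the tunnel.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"            # outer identity keeps the real username out of the clear
    password="s3cret"
    phase1="peapver=0"                        # select PEAPv0
    phase2="auth=MSCHAPV2"                    # inner method
    ca_cert="/etc/ssl/certs/corp-ca.pem"      # trust anchor for the server-side certificate
    domain_suffix_match="radius.example.com"  # server certificate must be issued for this host
}

# Same PEAP network with the trust anchor omitted. Without ca_cert the
# supplicant accepts any server certificate, so the "Key Point" above no
# longer holds: the outer tunnel can be terminated by an untrusted server and
# the inner MSCHAPv2 exchange is exposed to it. Kept commented out to show
# the weak setting beside the corrected one.
# network={
#     ssid="CORP-WIFI"
#     key_mgmt=WPA-EAP
#     eap=PEAP
#     identity="alice"
#     password="s3cret"
#     phase2="auth=MSCHAPV2"
# }

# EAP-TLS: client-side certificate as well as server-side certificate.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"      # validates the authentication server
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="changeit"
    domain_suffix_match="radius.example.com"
}
```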
There are many other types of EAP but these are the ones that are most common (or were) and are covered in the CCNP Wireless Track
Next up – PACs!