
EAP Types

Different implementations of the EAP framework exist to address the issues of authentication and key exchange. Note that the EAP framework is concerned not only with securing wireless communications but also with wired communications. The following sections discuss some EAP implementations that are especially popular in the wireless world.

EAP-TLS

The EAP-Transport Layer Security (EAP-TLS) authentication protocol was developed by Microsoft. It uses the facilities provided in the traditional standalone TLS protocol.

EAP-TLS relies on the use of digital certificates to authenticate the parties that want to communicate with one another. It requires that the entities that want to use EAP for authentication and key management mutually authenticate each other. This means that the entities participating in the EAP-TLS conversation require their own digital certificates. In environments where digital certificates are not already widely in use, this requirement may add an extra burden for the wireless network administrator.

EAP-TLS Conversation

A successful EAP-TLS conversation between EAP entities is outlined in the following steps. The entities are the peer (such as a wireless client STA), the authenticator (such as a WAP), and the EAP server/back-end authentication server (such as a RADIUS server).

  1. The parties that want to be authenticated (the peer and the authenticator) agree to do so via EAP.
  2. The authenticator asks the peer to identify itself via an EAP-Request message.
  3. The peer sends its identity to the authenticator via an EAP-Response message.
  4. From this point on, the EAP-TLS conversation appears to happen between the peer and the authenticator. But in reality, the authenticator component is acting as a go-between, by conveying the messages between the peer and the EAP server/back-end authentication server components.
  5. After receiving the peer's identity, the EAP server sends (via the authenticator) an EAP-Request message with the EAP-Type set to EAP-TLS. This message serves as a way of telling the peer that the EAP-TLS conversation is about to begin.
  6. The peer responds with an EAP-Response packet with the EAP-Type set to EAP-TLS. The packet will serve as a way for the peer to agree to start EAP-TLS via a client_hello message.
  7. The EAP server responds to the peer with an EAP-Request packet with the EAP-Type set to EAP-TLS. The packet contains information such as the server TLS certificate and the server_hello message. The server will also request the peer to send its own certificate.
  8. The peer responds with an EAP-Response packet with the EAP-Type set to EAP-TLS. The packet contains information such as the peer's TLS certificate and so on.
  9. The EAP server verifies the peer's certificate and digital signature, and the peer does the same for the server's certificate and signature.
  10. If everything checks out from the server's perspective, the EAP server sends an EAP-Success packet.
  11. If the peer fails to authenticate itself successfully to the EAP server, the server sends an EAP-Failure message.
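As an added example (not code from the original article), the following Python model walks a peer, an authenticator and an EAP server through the eleven steps above. It uses the real EAP header layout from RFC 3748 (Code, Identifier, Length, Type; EAP-TLS is Type 13) and the EAP-TLS flags byte from RFC 5216 (L, M and S bits), which the article does not spell out. The certificates, issuer names, identities and TLS handshake messages are constructed stand-ins (small JSON blobs, not real TLS records), so it runs offline. Note how the authenticator only looks at the Code of the packets it relays, and how a failed certificate check on either side ends in EAP-Failure.

```python
"""Added example (not from the original article): a model of the EAP-TLS
conversation. Real EAP header (RFC 3748) and EAP-TLS flags (RFC 5216);
certificates and TLS handshake messages are constructed stand-ins."""
import json
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP Code values
TYPE_IDENTITY, TYPE_EAP_TLS = 1, 13                               # EAP Type values
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20                         # EAP-TLS flags: Length, More, Start


def encode_eap(code, identifier, eap_type=None, type_data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def decode_eap(packet):
    """Return (code, identifier, type or None, type_data); Success/Failure carry no Type."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field disagrees with packet size")
    eap_type = packet[4] if code in (EAP_REQUEST, EAP_RESPONSE) else None
    return code, identifier, eap_type, packet[5:]


def eap_tls_data(flags, tls_bytes=b""):
    """EAP-TLS Type-Data: Flags(1) [TLS Message Length(4) if L set] TLS Data."""
    hdr = bytes([flags]) + (struct.pack("!I", len(tls_bytes)) if flags & FLAG_L else b"")
    return hdr + tls_bytes


def parse_eap_tls_data(data):
    flags = data[0]
    return (flags, data[5:]) if flags & FLAG_L else (flags, data[1:])


def tls_msg(**fields):
    """Stand-in for a TLS handshake flight (constructed JSON, not real TLS)."""
    return json.dumps(fields).encode()


def cert_is_trusted(cert, trusted_issuers):
    """Stand-in for chain and signature validation: issuer must be trusted, signature must verify."""
    return cert is not None and cert["issuer"] in trusted_issuers and cert["sig_ok"]


class Peer:
    """Wireless client STA (supplicant)."""
    def __init__(self, identity, cert, trusted_issuers):
        self.identity, self.cert, self.trusted = identity, cert, trusted_issuers

    def handle(self, packet):
        _code, ident, eap_type, data = decode_eap(packet)
        if eap_type == TYPE_IDENTITY:                       # step 3: send identity
            return encode_eap(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        flags, tls = parse_eap_tls_data(data)
        if flags & FLAG_S:                                  # step 6: agree, send client_hello
            return encode_eap(EAP_RESPONSE, ident, TYPE_EAP_TLS,
                              eap_tls_data(FLAG_L, tls_msg(client_hello=True)))
        msg = json.loads(tls)
        if not cert_is_trusted(msg.get("certificate"), self.trusted):   # step 9, peer side
            reply = tls_msg(alert="bad_certificate")
        else:                                               # step 8: send own certificate
            reply = tls_msg(certificate=self.cert, certificate_verify=True)
        return encode_eap(EAP_RESPONSE, ident, TYPE_EAP_TLS, eap_tls_data(FLAG_L, reply))


class EapServer:
    """Back-end authentication server (e.g. RADIUS) that terminates EAP-TLS."""
    def __init__(self, cert, trusted_issuers):
        self.cert, self.trusted, self.peer_identity = cert, trusted_issuers, None

    def handle(self, packet):
        _code, ident, eap_type, data = decode_eap(packet)
        next_id = ident + 1                                 # fresh Identifier per Request
        if eap_type == TYPE_IDENTITY:                       # step 5: EAP-TLS Start
            self.peer_identity = data.decode()
            return encode_eap(EAP_REQUEST, next_id, TYPE_EAP_TLS, eap_tls_data(FLAG_S))
        msg = json.loads(parse_eap_tls_data(data)[1])
        if msg.get("client_hello"):                         # step 7: server_hello + cert + request
            tls = tls_msg(server_hello=True, certificate=self.cert, certificate_request=True)
            return encode_eap(EAP_REQUEST, next_id, TYPE_EAP_TLS, eap_tls_data(FLAG_L, tls))
        if cert_is_trusted(msg.get("certificate"), self.trusted) and msg.get("certificate_verify"):
            return encode_eap(EAP_SUCCESS, ident)           # step 10
        return encode_eap(EAP_FAILURE, ident)               # step 11 (also on a peer alert)


class Authenticator:
    """Access point: relays EAP between peer and server and reads only the Code (step 4)."""
    def __init__(self):
        self.port_authorized = False

    def run(self, peer, server):
        reply = peer.handle(encode_eap(EAP_REQUEST, 0, TYPE_IDENTITY))   # step 2
        while True:
            pkt = server.handle(reply)                       # relay to the EAP server
            code = decode_eap(pkt)[0]
            if code in (EAP_SUCCESS, EAP_FAILURE):
                self.port_authorized = code == EAP_SUCCESS
                return code
            reply = peer.handle(pkt)                         # relay back to the peer


CA = "Example Root CA"   # constructed issuer name


def demo(peer_issuer=CA, server_issuer=CA):
    """Run one conversation; identities and certificates are constructed stand-ins."""
    peer = Peer("sta@example.test", {"subject": "sta", "issuer": peer_issuer, "sig_ok": True}, {CA})
    server = EapServer({"subject": "radius", "issuer": server_issuer, "sig_ok": True}, {CA})
    return Authenticator().run(peer, server)
```

With the defaults, demo() ends in EAP-Success (step 10). Giving either side a certificate from an issuer outside the trusted set ends in EAP-Failure (step 11): an untrusted peer certificate is rejected by the server, and an untrusted server certificate makes the peer send an alert instead of its own certificate, which the server then fails, so the access point never authorizes the port.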