EAP - jibingl/CCNA-CCNP GitHub Wiki
Extensible Authentication Protocol (EAP)
| Method | Description | Inner Auth | Use Case |
|---|---|---|---|
| LEAP (Lightweight EAP) | Password-based mutual authentication for WLANs | n/a | Cisco wireless environment |
| EAP-TLS | Mutual authentication based on certificates only | n/a | Eliminates username/password; requires PKI infrastructure |
| PEAP | Requires a second (inner) auth method inside a TLS tunnel established with the AS certificate | EAP-MSCHAPv2, EAP-GTC, EAP-TLS | Lack of PKI infrastructure |
| EAP-FAST | Requires a second (inner) auth method inside a TLS tunnel established with a pre-shared key (PAC) | EAP-MSCHAPv2, EAP-GTC, EAP-TLS | Cisco environment |
| EAP-TTLS | Allows legacy password-based methods to run securely inside a TLS tunnel | PAP, CHAP, MS-CHAP | Backward compatibility |
➡️ EAP Transport Layer Security (EAP-TLS)
- Requires a strong PKI infrastructure
```
Supplicant      Authenticator      Authentication Server
<------------- 1. Mutual certs provisioning ------->
<------------- 2. Mutual certs validation/auth ---->
```
Note: Because the AS and the supplicant exchange certificates and use them to authenticate each other, no further authentication happens inside the TLS tunnel; the tunnel is used only to encrypt data transmission.
➡️ Protected EAP (PEAP)
```
Supplicant      Authenticator      Authentication Server
<------------- 1. Server cert validation -----------
============== 2. TLS tunnel establish =============
=====<-------- 3. Further auth methods ------->=====
=====<---- EAP-MSCHAPv2, EAP-GTC, EAP-TLS ---->=====
```
Note: EAP-MSCHAPv2, EAP-GTC and EAP-TLS act as the second (inner) authentication method within the outer TLS tunnel.
➡️ EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
- Faster re-authentication and wireless roaming
```
Supplicant      Authenticator      Authentication Server
<------------- 1. PAC provisioning -----------------
============== 2. TLS tunnel establish =============
=====<-------- 3. Further auth methods ------->=====
=====<---- EAP-MSCHAPv2, EAP-GTC, EAP-TLS ---->=====
```
A PAC (Protected Access Credential) is a shared key generated by the AS and used to establish the encrypted TLS tunnel that protects the subsequent authentication process.
➡️ EAP Tunneled Transport Layer Security (EAP-TTLS)
- Compatible with legacy password-based protocols
```
Supplicant      Authenticator      Authentication Server
<------------- 1. Server cert validation -----------
============== 2. TLS tunnel establish =============
=====<-------- 3. Further auth methods ------->=====
=====<---------- PAP, CHAP, MS-CHAP ---------->=====
```
Note: PAP, CHAP and MS-CHAP are the inner authentication methods; they are not EAP-based.
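As an added example (not part of this wiki), a small Python parser for the RFC 3748 EAP header that classifies the outer method seen on the unprotected wire and flags a password method (EAP-MSCHAPv2, EAP-GTC) appearing outside a TLS tunnel, where the notes above place it as an inner method only. The Type codes come from the IANA EAP registry; the frames in the comments and test are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAP method Type codes from the IANA EAP registry (RFC 3748 header layout).
EAP_GTC, EAP_TLS, LEAP, EAP_TTLS, PEAP, EAP_MSCHAPV2, EAP_FAST = 6, 13, 17, 21, 25, 26, 43
NAMES = {EAP_GTC: "EAP-GTC", EAP_TLS: "EAP-TLS", LEAP: "LEAP", EAP_TTLS: "EAP-TTLS",
         PEAP: "PEAP", EAP_MSCHAPV2: "EAP-MSCHAPv2", EAP_FAST: "EAP-FAST"}
TUNNEL_METHODS = {PEAP, EAP_TTLS, EAP_FAST}   # outer methods that build a TLS tunnel
INNER_ONLY = {EAP_MSCHAPV2, EAP_GTC}          # password methods meant to run inside it
FLAG_START = 0x20                              # S bit of the Flags byte in TLS-based methods

@dataclass
class EapPacket:
    code: int              # 1 Request, 2 Response, 3 Success, 4 Failure
    identifier: int
    method: Optional[int]  # Type byte; None for Success/Failure
    type_data: bytes

def parse_eap(frame: bytes) -> EapPacket:
    """Parse the RFC 3748 header: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(frame) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError(f"invalid EAP Length {length}")
    if code in (3, 4):                         # Success/Failure carry no Type byte
        return EapPacket(code, ident, None, b"")
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    return EapPacket(code, ident, frame[4], frame[5:length])

def audit_outer_method(frame: bytes) -> str:
    """Describe what an EAP frame seen on the unprotected outer layer implies."""
    pkt = parse_eap(frame)
    if pkt.method is None:
        return "Success" if pkt.code == 3 else "Failure"
    name = NAMES.get(pkt.method, f"type {pkt.method}")
    if pkt.method in TUNNEL_METHODS or pkt.method == EAP_TLS:
        # First Type-Data byte is the Flags byte; S marks the TLS start (step 2 above).
        start = bool(pkt.type_data) and pkt.type_data[0] & FLAG_START != 0
        phase = "TLS start" if start else "TLS exchange"
        kind = "tunneled" if pkt.method in TUNNEL_METHODS else "certificate-only"
        return f"{name}: {kind}, {phase}"
    if pkt.method in INNER_ONLY:
        return f"WARNING {name} negotiated outside a TLS tunnel (inner method only)"
    if pkt.method == LEAP:
        return "LEAP: password-based, no TLS tunnel"
    return f"{name}: unclassified"

# Constructed frame: Request, id 5, Length 6, PEAP, Flags = S | version 1
PEAP_START = bytes([1, 5, 0, 6, 25, 0x21])
```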