Wednesday, 11 April 2012

EAP


Extensible Authentication Protocol


The Extensible Authentication Protocol is an IETF standard described in RFC 3748. It provides an infrastructure for network access clients and authentication servers, on top of which multiple authentication schemes (EAP methods) rest.

  • EAP typically runs directly over data link layers such as PPP or IEEE 802, without requiring IP.
  • EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees.
  • EAP itself does not support fragmentation, but individual EAP methods may support it.

The main advantage of the EAP architecture is its flexibility. It does not require the authenticator to be updated in order to support new authentication methods; instead, it allows the use of a backend authentication server, which may support any or all authentication methods.

  • EAP was designed for use in network access authentication, where IP layer connectivity may not be available.
  • Use of EAP for other purposes, such as bulk data transport, is NOT RECOMMENDED.
  • EAP is a lock-step protocol that supports only a single packet in flight.
  • EAP authentication is initiated by the server (authenticator), whereas most authentication protocols are initiated by the client (peer).


An EAP infrastructure contains the following:

EAP Peer:

A device or a user attempting access to the protected network.

EAP Authenticator:

An Access Point (AP) or a Network Access Server (NAS), which initiates EAP authentication before granting access to a network.

Backend Authentication Server:

Typically a RADIUS server; it provides authentication services, such as negotiating a specific EAP method with an EAP peer, validating a peer's credentials and authorizing access to the network.

EAP Server:

An entity that terminates the EAP authentication method with an EAP peer.
Where no Backend Authentication Server is used, the EAP Server is part of the EAP Authenticator. Where the Authenticator operates in pass-through mode, the EAP Server is located on the Backend Authentication Server.

The Backend Authentication Server and the EAP Server possess the final knowledge about who should have access to what and when.
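The two passages above (the transport properties at the top of the post: lock-step, a single packet in flight, duplicate elimination and retransmission by Identifier, authenticator-side initiation; and the component roles just defined, including pass-through mode) can be seen together in a small runnable model. This is an added example, not code from the original post and not the code of any real supplicant, access point or RADIUS server. The packet layout, Code and Type values (Identity, MD5-Challenge) follow RFC 3748; the credential table, the challenge bytes, the class names and the peer's loss/duplicate behaviour are constructed here for illustration.

```python
# Added example, not code from the original post: a minimal model of the EAP exchange.
# Packet layout, Codes and Types follow RFC 3748; credentials, challenge and peer behaviour are constructed.
import hashlib
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP Code values (RFC 3748)
TYPE_IDENTITY, TYPE_MD5 = 1, 4                     # EAP Type values: Identity, MD5-Challenge

def encode(code, identifier, type_=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Length covers the whole packet."""
    body = b"" if code in (SUCCESS, FAILURE) else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def decode(pkt):
    """Parse an EAP packet; Length is authoritative, octets beyond it are padding."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length")
    body = pkt[4:length]
    if code in (SUCCESS, FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if code not in (REQUEST, RESPONSE) or not body:
        raise ValueError("unknown Code or missing Type")
    return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}

def md5_response(identifier, secret, challenge):
    """MD5-Challenge value = MD5(Identifier || secret || challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class EapServer:
    """Backend EAP server: holds the credentials and makes the access decision."""
    def __init__(self, users, challenge):
        self.users, self.challenge, self.ident, self.peer_name = users, challenge, 0, None
    def request(self, type_=TYPE_IDENTITY, data=b""):
        self.ident = (self.ident + 1) % 256        # fresh Identifier for each new Request
        return encode(REQUEST, self.ident, type_, data)
    def process(self, raw):
        resp = decode(raw)
        if resp["type"] == TYPE_IDENTITY:
            self.peer_name = resp["data"].decode(errors="replace")
            # MD5-Challenge Type-Data is Value-Size(1) Value Name
            return self.request(TYPE_MD5, bytes([len(self.challenge)]) + self.challenge + b"srv")
        if resp["type"] == TYPE_MD5 and self.peer_name in self.users:
            expected = md5_response(resp["id"], self.users[self.peer_name], self.challenge)
            if resp["data"][1:1 + resp["data"][0]] == expected:
                return encode(SUCCESS, resp["id"])
        return encode(FAILURE, resp["id"])

class Peer:
    """Supplicant/STA; `drop` Requests are ignored (loss), `replay` re-sends the previous Response (duplicate)."""
    def __init__(self, identity, secret, drop=0, replay=False):
        self.identity, self.secret, self.drop, self.replay = identity, secret, drop, replay
        self.last = None
    def receive(self, raw):
        req = decode(raw)
        if req["code"] != REQUEST:                  # Success/Failure ends the conversation
            return []
        if self.drop:
            self.drop -= 1
            return []
        out = [self.last] if self.replay and self.last else []
        if req["type"] == TYPE_IDENTITY:
            self.last = encode(RESPONSE, req["id"], TYPE_IDENTITY, self.identity.encode())
        else:                                       # only MD5-Challenge is modelled here
            challenge = req["data"][1:1 + req["data"][0]]
            value = md5_response(req["id"], self.secret, challenge)
            self.last = encode(RESPONSE, req["id"], TYPE_MD5,
                               bytes([len(value)]) + value + self.identity.encode())
        return out + [self.last]

class PassThroughAuthenticator:
    """NAS/AP in pass-through mode: relays EAP, owns retransmission and duplicate elimination, decides nothing."""
    def __init__(self, server, max_retransmits=2):
        self.server, self.max_retransmits, self.log = server, max_retransmits, []
    def run(self, peer):
        pkt = self.server.request()                 # the server side initiates EAP
        while decode(pkt)["code"] == REQUEST:
            reply = self._lockstep(pkt, peer)
            pkt = self.server.process(reply) if reply else encode(FAILURE, decode(pkt)["id"])
        peer.receive(pkt)                           # deliver the final Success/Failure
        return decode(pkt)["code"]
    def _lockstep(self, request, peer):
        """One Request in flight: accept only a Response carrying the same Identifier."""
        want = decode(request)["id"]
        for _ in range(self.max_retransmits + 1):
            for raw in peer.receive(request):
                try:
                    resp = decode(raw)
                except ValueError as e:
                    self.log.append("discard malformed: %s" % e)
                    continue
                if resp["code"] == RESPONSE and resp["id"] == want:
                    return raw
                self.log.append("discard id %d, want %d" % (resp["id"], want))
            self.log.append("retransmit id %d" % want)
        return None
```

Running `PassThroughAuthenticator(EapServer({"alice": b"s3cret"}, b"\x01\x02\x03\x04")).run(Peer("alice", b"s3cret", drop=1, replay=True))` returns SUCCESS with a log of one retransmission and one discarded stale Response. The authenticator never inspects credentials: it only matches Identifiers, retransmits and relays, while the backend server issues every Request and the final verdict, which is exactly the split of roles the definitions above describe.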


In different setups, the same functionality is provided by components that go by different names:

  Component               Wireless world                 IEEE 802.1X world
  Peer                    Wireless STA                   Supplicant
  Authenticator           Wireless Access Point (WAP)    Network Access Server (NAS)
  EAP Server + BA server  RADIUS Access Server           RADIUS Access Server