

Question

How exactly does Extensible Authentication Protocol (EAP)/Protected EAP integrate into modern security protocols?

What I know (or don't know) so far...

It's used by wireless networks utilizing authentication methods based upon the Point-to-Point Protocol (PPP). I have searched, but can't find an answer that makes sense to me. The name implies that it's a protocol, but from what I've read the articles call it an Authentication Framework. There are definitions of all the major security protocols/algorithms; e.g. MD5, SHA1, ISAKMP, TLS, etc.

I've tried looking at wireshark captures with EAP data traffic. CloudShark Example. But the descriptions of the data are less than helpful. Here is a description of the "protocol's" data flow. The picture is quite helpful, but what confuses me is the exchanges of "EAP Methods". Which seem almost analogous to SSL/TLS cipher suites.

Is EAP a way for wireless protocols to agree on algorithms, and each device provides their own implementation conforming to this framework?

In which case, why is there an EAP-TLS? This seems to put another added layer onto the wire for just performing TLS. Can someone fill in the gaps for me?

Explanation / Answer

Your understanding is already pretty good. As you say, there are a variety of EAP protocols: LEAP, PEAP, EAP-FAST, EAP-TLS, etc. Each one works differently, but they all do the same thing: authenticate a user before allowing them access to a wireless network. You could call EAP a protocol, or you could call it a framework of protocols, where each variant like EAP-FAST is a protocol. It doesn't make much difference, and I find that different documents are not always consistent with each other (or even internally!).

To answer your bolded question, basically it's yes. A client and access point will have certain EAPs enabled, and if they support the same one, the client can try to authenticate. Each EAP is a protocol, and will have different implementations. e.g. if your iPhone is logging in to your Cisco access point using EAP-TLS, then Apple EAP-TLS is talking to Cisco EAP-TLS - and because the protocol is standardised, they (should) communicate successfully.

Why is there an EAP-TLS? Remember that EAP occurs before the client is allowed access to the network. At that point they don't have an IP address, so it's not possible to use normal TLS. I think re-using TLS as a part of EAP is a very good idea: the security requirements are very similar for EAP as for HTTPS, so it makes sense to use a protocol that's mature (despite recent revelations!).

One challenge for EAP-TLS (and PEAP) is that the process of certificate issue and verification is less clear. Normally the network administrator needs to install the access point's certificate on all clients. If certificate verification is not done, then the clients are vulnerable to an Evil Twin attack.
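To make the two points in the thread concrete, namely how "EAP methods" are negotiated (the Nak exchange the question compares to cipher-suite selection) and what the extra EAP-TLS layer on the wire actually is (a one-byte Flags field plus an optional length in front of ordinary TLS records, so TLS can run before the client has an IP address), here is an added example that is not part of the original question or answer. It implements the RFC 3748 EAP packet format (Code, Identifier, Length, Type, Type-Data) and the RFC 5216 EAP-TLS framing, then simulates an authenticator that first proposes MD5-Challenge and a peer that Naks it in favour of EAP-TLS. The identity string and the "ClientHello" bytes are constructed placeholders, not a real handshake; the method type numbers (Identity 1, Nak 3, MD5 4, EAP-TLS 13, LEAP 17, PEAP 25, EAP-FAST 43) are the IANA-registered values.

```python
"""EAP (RFC 3748) and EAP-TLS (RFC 5216) framing, plus a simulated method negotiation."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Codes (RFC 3748 section 4).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

# EAP method Type numbers (IANA registry), including the methods named in the thread.
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5 = 1, 3, 4
TYPE_EAP_TLS, TYPE_LEAP, TYPE_PEAP, TYPE_EAP_FAST = 13, 17, 25, 43

# EAP-TLS flag bits (RFC 5216 section 3.1): Length included, More fragments, Start.
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int]          # None for Success/Failure, which carry no Type byte
    type_data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.type_data
        length = 4 + len(body)   # Length covers the whole packet, header included
        return struct.pack("!BBH", self.code, self.identifier, length) + body

    @classmethod
    def decode(cls, buf: bytes) -> "EapPacket":
        if len(buf) < 4:
            raise ValueError("EAP header needs 4 bytes")
        code, ident, length = struct.unpack("!BBH", buf[:4])
        if length < 4 or length > len(buf):
            raise ValueError(f"bad EAP Length {length} for {len(buf)} bytes")
        body = buf[4:length]     # bytes beyond Length are lower-layer padding, ignored
        if code in (SUCCESS, FAILURE):
            return cls(code, ident, None)
        if not body:
            raise ValueError("Request/Response needs a Type byte")
        return cls(code, ident, body[0], body[1:])


def encode_eap_tls(code: int, ident: int, tls: bytes = b"", start: bool = False,
                   more: bool = False, total_len: Optional[int] = None) -> EapPacket:
    """Wrap TLS record bytes as EAP-TLS Type-Data: Flags, [TLS Message Length], TLS Data."""
    flags = (FLAG_S if start else 0) | (FLAG_M if more else 0)
    data = b""
    if total_len is not None:    # L flag: first fragment announces the full TLS message length
        flags |= FLAG_L
        data = struct.pack("!I", total_len)
    return EapPacket(code, ident, TYPE_EAP_TLS, bytes([flags]) + data + tls)


def decode_eap_tls(pkt: EapPacket) -> tuple:
    """Return (flags, announced total length or None, TLS bytes) from an EAP-TLS packet."""
    if pkt.type != TYPE_EAP_TLS or not pkt.type_data:
        raise ValueError("not an EAP-TLS packet")
    flags, rest = pkt.type_data[0], pkt.type_data[1:]
    total = None
    if flags & FLAG_L:
        if len(rest) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        total, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
    return flags, total, rest


def negotiate(authenticator_prefs: list, peer_supported: set, identity: bytes) -> tuple:
    """Simulate the pre-IP EAP exchange up to method selection.

    The authenticator proposes methods in its preferred order; the peer answers an
    unsupported Request with a Nak (Type 3) whose Type-Data lists the methods it
    does want (RFC 3748 section 5.3.1). Returns (packets on the wire, chosen method).
    """
    wire = []
    ident = 1
    wire.append(EapPacket(REQUEST, ident, TYPE_IDENTITY))
    wire.append(EapPacket(RESPONSE, ident, TYPE_IDENTITY, identity))
    for method in authenticator_prefs:
        ident += 1
        if method == TYPE_EAP_TLS:   # EAP-TLS begins with an empty Request carrying the S flag
            wire.append(encode_eap_tls(REQUEST, ident, start=True))
        else:
            wire.append(EapPacket(REQUEST, ident, method))
        if method in peer_supported:
            return wire, method
        wire.append(EapPacket(RESPONSE, ident, TYPE_NAK, bytes(sorted(peer_supported))))
    ident += 1
    wire.append(EapPacket(FAILURE, ident, None))   # nothing in common: no network access
    return wire, None


def demo() -> dict:
    """Authenticator prefers MD5-Challenge; peer only does EAP-TLS or PEAP, so it Naks."""
    wire, chosen = negotiate([TYPE_MD5, TYPE_EAP_TLS], {TYPE_EAP_TLS, TYPE_PEAP},
                             b"alice@example.com")          # constructed identity
    # Peer answers the EAP-TLS Start with its first TLS fragment. Constructed placeholder
    # bytes shaped like a TLS record header, not a real ClientHello.
    client_hello = b"\x16\x03\x01\x00\x10" + b"\xaa" * 16
    resp = encode_eap_tls(RESPONSE, wire[-1].identifier, client_hello, total_len=len(client_hello))
    flags, total, tls = decode_eap_tls(EapPacket.decode(resp.encode()))
    return {"chosen": chosen, "packets": len(wire), "nak_list": wire[3].type_data,
            "start_bytes": wire[-1].encode(), "tls_total": total, "tls_matches": tls == client_hello}


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the exchange summary, or decode a captured EAP payload with `EapPacket.decode(raw_bytes)` and, for Type 13, `decode_eap_tls(...)` to peel the Flags/Length prefix off and hand the remaining bytes to a TLS parser. That peeling step is the whole of the "added layer" the question asks about: everything after it is standard TLS.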
