Extensible Authentication Protocol

The Extensible Authentication Protocol (EAP) is a general authentication protocol developed by the Internet Engineering Task Force (IETF) that supports various authentication methods such as username/password (RADIUS), digital certificates and SIM cards. EAP is often used for access control in wireless LANs.

EAP was developed to provide generic support for authentication, i.e. for dialling in to a foreign network, without the infrastructure having to be adapted and upgraded for every new authentication method. EAP is widely used today and is supported by different transport protocols, such as the Point-to-Point Protocol (PPP), Remote Authentication Dial-In User Service (RADIUS) and Diameter. The IEEE 802.1X standard proposes, among others, EAP as the authentication method. Similarly, 3GPP has adopted the EAP standard for combining GSM with IP technology. EAP could also become the preferred authentication method for WiMAX in future.

Benefits

Multiple authentication mechanisms can be used (in sequence), and they do not need to be negotiated already during the connection set-up phase.

Authentication method

The negotiation of the specific EAP authentication mechanism to be used takes place only during the authentication phase, which allows an authentication server to be used. A so-called supplicant (petitioner) is a user or client that wants to log on to an authentication point, such as a mobile node when connecting to a network. A so-called authenticator forwards the authentication messages from the supplicant to the authentication server. Several mechanisms can be used in a row. The authenticator controls this and selects the method by means of a Request. The choices include, for example, an identity query for dial-in connections, MD5-Challenge (CHAP), one-time passwords, Generic Token Cards, etc. After the authentication request (Request) from the authenticator to the supplicant, the supplicant answers with a Response whose data field contains the respective authentication data (identity (ID), password, hash value, IMSI, etc.). The authenticator may then request further information via a challenge-response procedure. The authentication is completed with a Success/Failure response from the authenticator.

Identity

Identification can be performed by the user, i.e. by entering a user ID. The Request packet may also carry a prompt text that is displayed to the user before the ID is entered.

Notification

The data part of the packet carries a message that is displayed to the user, for example an authentication failure or the password expiration time.

NAK

(NAK = No Acknowledgement / Negative Acknowledgement). This type should appear only in a Response message. It indicates that the peer does not support the requested authentication method.

MD5-Challenge

This corresponds to CHAP with MD5 as the hash algorithm. A random value is transmitted in the Request message. The Response packet contains the hash value computed over that random value and a password known only to the two parties (see also challenge-response authentication).
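The Request/Response exchange from the "Authentication method" section, carried out for the MD5-Challenge method, as an added example that is not part of the original article: it frames the packets as RFC 3748 lays them out (Code, Identifier, Length, Type, Value-Size, Value), computes the CHAP-style proof MD5(Identifier || password || challenge) on the supplicant side, and lets the authenticator verify it and answer with Success or Failure. The function names and the sample secret are assumptions of this example.

```python
import hashlib
import hmac
import struct

# EAP packet codes and the MD5-Challenge method type from RFC 3748
CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_MD5_CHALLENGE = 4

def build_packet(code, identifier, type_data=b""):
    """Frame an EAP packet: Code(1) | Identifier(1) | Length(2) | Type+Data (empty for Success/Failure)."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data

def md5_challenge_request(identifier, challenge):
    """EAP-Request/MD5-Challenge from the authenticator: Type | Value-Size | Value (the random challenge)."""
    return build_packet(CODE_REQUEST, identifier,
                        bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge)

def md5_response_value(identifier, secret, challenge):
    """CHAP-style proof: MD5(Identifier || secret || challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def md5_challenge_response(identifier, secret, challenge, name=b""):
    """EAP-Response/MD5-Challenge from the supplicant; the trailing Name field is optional."""
    value = md5_response_value(identifier, secret, challenge)
    return build_packet(CODE_RESPONSE, identifier,
                        bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + name)

def parse_md5_packet(packet):
    """Return (code, identifier, value, name) for an MD5-Challenge packet; reject malformed framing."""
    if len(packet) < 6:
        raise ValueError("packet too short for an MD5-Challenge packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if packet[4] != TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]

def authenticator_verdict(request, response, secret):
    """Authenticator side: recompute the expected hash and reply with EAP-Success or EAP-Failure."""
    req_code, req_id, challenge, _ = parse_md5_packet(request)
    resp_code, resp_id, value, _ = parse_md5_packet(response)
    expected = md5_response_value(req_id, secret, challenge)
    ok = (req_code == CODE_REQUEST and resp_code == CODE_RESPONSE
          and req_id == resp_id and hmac.compare_digest(value, expected))
    return build_packet(CODE_SUCCESS if ok else CODE_FAILURE, req_id)
```

The method yields no keying material and both challenge and hash travel in the clear, which is why the TLS-based methods below are preferred for WLAN access.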

One-Time Password

The Request message contains an OTP challenge; the Response packet contains the corresponding one-time password.

TLS

To avoid the laborious design of new cryptographic protocols, TLS is used here for the authentication dialogue.

The EAP-TLS method is widely used and works with all standard 802.11i WLAN components. Here the authenticator (access point / router) verifies the authentication information transmitted by the prospective network participant (e.g. a notebook) against an authentication server (RADIUS).

SIM / AKA

EAP for the GSM Subscriber Identity Module (EAP-SIM) and for UMTS Authentication and Key Agreement (EAP-AKA) (RFC 4186, RFC 4187) is another EAP authentication method, which uses the GSM/UMTS SIM card to authenticate. With this method a client (usually a mobile phone) can dial in to an encrypted WLAN automatically, since it authenticates to the triple-A (AAA) system through its SIM authentication algorithm, which makes entering a preset wireless password unnecessary.

Other methods

There are about 40 EAP methods, among them:

  • Standardised in RFCs: EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS
  • Vendor-specific: EAP-TLS, EAP-SIM, EAP-AKA, PEAP, LEAP, EAP-TTLS, EAP-IKEv2

Norms and Standards

  • RFC 3748 - Extensible Authentication Protocol (EAP)
  • RFC 2284 - PPP Extensible Authentication Protocol (EAP)
  • RFC 1938 - A One-Time Password System
  • RFC 4186 - Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)