FeIix edited this page May 16, 2026 · 1 revision

Extensible Authentication Protocol (EAP)

| Method | Description | Inner Auth | Use Case |
|---|---|---|---|
| LEAP (Lightweight EAP) | Password-based mutual authentication for WLANs | n/a | Cisco wireless environment |
| EAP-TLS | Mutual authentication based on certificates only | n/a | Eliminate username/password; requires PKI infrastructure |
| PEAP | Requires a second auth method within a TLS tunnel established via the AS certificate | EAP-MSCHAPv2, EAP-GTC, EAP-TLS | Lack of client-side PKI infrastructure |
| EAP-FAST | Requires a second auth method within a TLS tunnel established via a pre-shared key (PAC) | EAP-MSCHAPv2, EAP-GTC, EAP-TLS | Cisco environment |
| EAP-TTLS | Allows legacy password-based methods to run securely within a TLS tunnel | PAP, CHAP, MS-CHAP | Backward compatibility |

➡️ EAP Transport Layer Security (EAP-TLS)

  • Requires a strong PKI infrastructure (certificates on both the supplicant and the AS)
    Supplicant                    Authenticator                   Authentication Server

              <------------- 1. Mutual certs provisioning ------->
              <------------- 2. Mutual certs validation/auth ---->

Note: Since the AS and the supplicant exchange certificates and use them to authenticate each other, no further authentication happens inside the TLS tunnel; the tunnel is used only to encrypt the data transmission.

➡️ Protected EAP (PEAP)

    Supplicant                    Authenticator                   Authentication Server

              <------------- 1. Server cert validation -----------
              ============== 2. TLS tunnel establish =============
              =====<-------- 3. Further auth methods ------->=====
              =====<---- EAP-MSCHAPv2, EAP-GTC, EAP-TLS ---->=====

Notes: EAP-MSCHAPv2, EAP-GTC and EAP-TLS act as the second (inner) authentication method within the outer TLS channel.

➡️ EAP Flexible Authentication via Secure Tunneling (EAP-FAST)

  • Faster re-authentication and wireless roaming
    Supplicant                    Authenticator                   Authentication Server

              <------------- 1. PAC provisioning -----------------
              ============== 2. TLS tunnel establish =============
              =====<-------- 3. Further auth methods ------->=====
              =====<---- EAP-MSCHAPv2, EAP-GTC, EAP-TLS ---->=====

PAC (Protected Access Credential) is a shared key generated by the AS and used to establish the encrypted TLS tunnel that protects the subsequent authentication process.

➡️ EAP Tunneled Transport Layer Security (EAP-TTLS)

  • Compatible with legacy password-based protocols
    Supplicant                    Authenticator                   Authentication Server

              <------------- 1. Server cert validation -----------
              ============== 2. TLS tunnel establish =============
              =====<-------- 3. Further auth methods ------->=====
              =====<---------- PAP, CHAP, MS-CHAP ---------->=====

Notes: PAP, CHAP and MS-CHAP are inner authentication methods; they are not EAP-based.
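The four methods diagrammed above (EAP-TLS, PEAP, EAP-FAST, EAP-TTLS) expressed as wpa_supplicant network blocks, added here as an example and not taken from the original page. SSIDs, identities, certificate and PAC file paths, and the AS host name used for domain_match are assumptions; the password values are placeholders.

```conf
# Constructed example; SSIDs, identities, paths and the AS host name are assumptions.
# EAP-TLS: mutual certificate authentication, no inner method (steps 1-2 above).
network={
    ssid="corp-eap-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.org"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    domain_match="radius.example.org"
}
# PEAP: validate the AS certificate (step 1), then EAP-MSCHAPv2 inside the
# tunnel (step 3). Without ca_cert any server certificate would be accepted.
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@example.org"
    password="<placeholder>"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
# EAP-FAST: tunnel keyed from a PAC provisioned by the AS (step 1);
# fast_provisioning=2 permits authenticated provisioning only.
network={
    ssid="corp-eap-fast"
    key_mgmt=WPA-EAP
    eap=FAST
    identity="alice"
    password="<placeholder>"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    pac_file="/etc/wpa_supplicant/alice.pac"
    phase1="fast_provisioning=2"
    phase2="auth=MSCHAPV2"
}
# EAP-TTLS: legacy PAP inner method, protected only by the outer TLS tunnel.
network={
    ssid="corp-eap-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="<placeholder>"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=PAP"
}
```

In the three tunnelled methods the ca_cert and domain_match lines implement the "server cert validation" step of the diagrams; omitting them lets the inner credential be sent through a tunnel to an unverified server.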
