|EAP, Extensible Authentication Protocol|
|Protocol type:||PPP link control protocol.|
eap, Extensible Authentication Protocol.|
emu, EAP Method Update.
hokey, Handover Keying.
pppext, Point-to-Point Protocol Extensions.
IANA: EAP numbers.|
IANA: PPP Assigned numbers.
An authentication protocol which supports multiple authentication mechanisms. EAP typically runs directly over the link layer without requiring IP and therefore includes its own support for in-order delivery and retransmission. While EAP was originally developed for use with PPP, it is also in use with IEEE 802.11.
EAP is a lock step protocol which only supports a single packet in flight. As a result, EAP cannot efficiently transport bulk data.
RFC 2284, pages 2 and 3:
By default, authentication is not mandatory. If authentication of the link is desired, an implementation MUST specify the Authentication-Protocol Configuration Option during Link Establishment phase.
These authentication protocols are intended for use primarily by hosts and routers that connect to a PPP network server via switched circuits or dial-up lines, but might be applied to dedicated links as well. The server can use the identification of the connecting host or router in the selection of options for network layer negotiations.
EAP is a general protocol for PPP authentication which supports multiple authentication mechanisms. EAP does not select a specific authentication mechanism at Link Control Phase, but rather postpones this until the Authentication Phase. This allows the authenticator to request more information before determining the specific authentication mechanism. This also permits the use of a "back-end" server which actually implements the various mechanisms while the PPP authenticator merely passes through the authentication exchange.
|PPP header||EAP header||Data :::|
Specifies the function to be performed.
Used to match EAP requests and replies.
Size of the EAP packet including the EAP header and data fields.
Zero or more bytes of data as indicated by the Length field.
Type. 8 bits.
|3||Nak (Response only).||RFC 3748|
|5||OTP, One Time Password.||RFC 2289, RFC 3748|
|6||GTC, Generic Token Card.||RFC 3748|
|9||RSA Public Key Authentication.|
|13||EAP-TLS, EAP TLS Authentication Protocol.||RFC 2716, RFC 5216|
|14||Defender Token (AXENT).|
|15||RSA Security SecurID EAP.|
|16||Arcot Systems EAP.|
|18||EAP-SIM, GSM Subscriber Identity Modules.||RFC 4186|
|19||SRP-SHA1 Part 1.|
|21||EAP-TTLS, EAP Tunneled TLS Authentication Protocol.||RFC 5281|
|22||Remote Access Service|
|23||EAP-AKA, EAP method for 3rd Generation Authentication and Key Agreement.||RFC 4187|
|25||PEAP, Protected EAP.|
|27||MAKE, Mutual Authentication w/Key Exchange.|
|32||EAP-POTP, Protected One-Time Password.||RFC 4793|
|36||Cogent Systems Biometrics Authentication EAP.|
|43||EAP-FAST, EAP Flexible Authentication via Secure Tunneling.||RFC 4851|
|44||ZLXEAP, ZoneLabs EAP.|
|46||EAP-PAX, EAP Password Authenticated eXchange.|
|47||EAP-PSK, EAP Pre-Shared Key Extensible Authentication.||RFC 4764|
|48||EAP-SAKE, EAP Shared-secret Authentication and Key Establishment.||RFC 4763|
|50||EAP-AKA', Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement.||RFC 5448|
|53||EAP-EKE version 1||RFC 6124|
|Available via review by designated expert.||RFC 3748|
|Reserved for allocation via standards sction.||RFC 3748|
|254||Expanded Type.||RFC 3748|
The host requiring the authentication. The authenticator specifies the authentication protocol to be used in the Configure-Request during the Link Establishment phase.
backend authentication server.
An entity that provides an authentication service to an authenticator. When used, this server typically executes EAP methods for the authenticator.
The entity that terminates the EAP authentication method with the peer. In the case where no backend authentication server is used, the EAP server is part of the authenticator. In the case where the authenticator operates in pass-through mode, the EAP server is located on the backend authentication server.
EMSK, Extended Master Session Key.
Additional keying material derived between the EAP client and server that is exported by the EAP method. The EMSK must be at least 64 bytes in length. The EMSK is not shared with the authenticator or any other third party. The EMSK is reserved for future uses that are not defined yet.
MIC, Message Integrity Check.
A keyed hash function used for authentication and integrity protection of data.
MSK, Master Session Key.
Keying material that is derived between the EAP peer and server and exported by the EAP method. The MSK must be at least 64 bytes in length. In existing implementations, a AAA server acting as an EAP server transports the MSK to the authenticator.
The host which is being authenticated by the authenticator.
[RFC 2716] PPP EAP TLS Authentication Protocol.
[RFC 2869] RADIUS Extensions.
[RFC 3579] RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP).
[RFC 3748] Extensible Authentication Protocol (EAP).
[RFC 4017] Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs.
[RFC 4137] State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator.
[RFC 4186] Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM).
[RFC 4187] Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA).
[RFC 4284] Identity Selection Hints for the Extensible Authentication Protocol (EAP).
[RFC 4334] Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN).
[RFC 4851] The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST).
[RFC 5247] Extensible Authentication Protocol (EAP) Key Management Framework.
[RFC 5296] EAP Extensions for EAP Re-authentication Protocol (ERP).
[RFC 5421] Basic Password Exchange within the Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST).
[RFC 5422] Dynamic Provisioning Using Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST).
[RFC 5433] Extensible Authentication Protocol - Generalized Pre-Shared Key (EAP-GPSK) Method.
[RFC 5448] Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA').
[RFC 2284] PPP Extensible Authentication Protocol (EAP).
[RFC 3770] Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN).