EAP, Extensible Authentication Protocol

Description Glossary RFCs Publications Obsolete RFCs

Description:

Protocol suite: PPP.
Protocol type: PPP link control protocol.
PPP protocol: 0xC227.
MIME subtype:
SNMP MIBs:
Working groups: eap, Extensible Authentication Protocol.
emu, EAP Method Update.
hokey, Handover Keying.
pppext, Point-to-Point Protocol Extensions.
Links: IANA: EAP numbers.
IANA: PPP Assigned numbers.
wiki: EAP.

An authentication framework which supports multiple authentication mechanisms (EAP methods). EAP typically runs directly over the link layer without requiring IP and therefore includes its own support for in-order delivery and retransmission; it provides no fragmentation of its own, so methods that carry large payloads (for example EAP-TLS) must fragment them. While EAP was originally developed for use with PPP, it is also used with IEEE 802.1X on wired and IEEE 802.11 wireless LANs, where the authenticator usually passes the exchange through to a backend AAA server (see RFC 3579 for EAP over RADIUS).

EAP is a lock-step protocol which only supports a single packet in flight: the authenticator sends a Request, waits for the matching Response (retransmitting the same Request, with the same Identifier, on timeout), and only then sends the next Request. As a result, EAP cannot efficiently transport bulk data.

RFC 2284, pages 2 and 3:

By default, authentication is not mandatory. If authentication of the link is desired, an implementation MUST specify the Authentication-Protocol Configuration Option during Link Establishment phase.

These authentication protocols are intended for use primarily by hosts and routers that connect to a PPP network server via switched circuits or dial-up lines, but might be applied to dedicated links as well. The server can use the identification of the connecting host or router in the selection of options for network layer negotiations.

EAP is a general protocol for PPP authentication which supports multiple authentication mechanisms. EAP does not select a specific authentication mechanism at Link Control Phase, but rather postpones this until the Authentication Phase. This allows the authenticator to request more information before determining the specific authentication mechanism. This also permits the use of a "back-end" server which actually implements the various mechanisms while the PPP authenticator merely passes through the authentication exchange.


+------------+------------+----------+
| PPP header | EAP header | Data ::: |
+------------+------------+----------+

EAP header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|     Code      |  Identifier   |            Length             |
+---------------+---------------+-------------------------------+
|    Data :::
+---------------+

Code. 8 bits.
Specifies the function to be performed.

Code   Description   References
1      Request.      RFC 3748
2      Response.     RFC 3748
3      Success.      RFC 3748
4      Failure.      RFC 3748
5      Initiate.     RFC 5296
6      Finish.       RFC 5296
7-255  Unassigned.

Identifier. 8 bits.
Used to match EAP Requests and Responses. The authenticator assigns a new Identifier for each new Request and reuses the Identifier when it retransmits a Request; a Response is accepted only if its Identifier equals that of the single outstanding Request. A peer that receives a duplicate Request (same Identifier, same content) treats it as a retransmission and resends its previous Response.

Length. 16 bits.
Size of the EAP packet in octets, including the Code, Identifier, Length and Data fields. Octets received beyond Length are treated as link-layer padding and ignored; a packet whose Length is larger than the number of octets actually received must be silently discarded (RFC 3748, section 4.1).

Data. Variable length.
Zero or more bytes of data as indicated by the Length field. Success and Failure packets carry no data. In Request and Response packets the first octet of Data is the Type field, and the remaining octets are the Type-Data interpreted by that method.


Type. 8 bits.
Present only in Request and Response packets, as the first octet of the Data field. It identifies either a control type (Identity, Notification, Nak, Expanded Type) or the EAP method that interprets the rest of the packet. A peer that does not support the Type an authenticator proposes answers with a Nak Response listing the Types it would accept.

Type     Description                                                          References
0        Reserved.
1        Identity.                                                            RFC 3748
2        Notification.                                                        RFC 3748
3        Nak (Response only).                                                 RFC 3748
4        MD5-Challenge.                                                       RFC 3748
5        OTP, One Time Password.                                              RFC 2289, RFC 3748
6        GTC, Generic Token Card.                                             RFC 3748
7        Allocated.                                                           RFC 3748
8        Allocated.                                                           RFC 3748
9        RSA Public Key Authentication.
10       DSS Unilateral.
11       KEA.
12       KEA-VALIDATE.
13       EAP-TLS, EAP TLS Authentication Protocol.                            RFC 2716, RFC 5216
14       Defender Token (AXENT).
15       RSA Security SecurID EAP.
16       Arcot Systems EAP.
17       EAP-Cisco Wireless.
18       EAP-SIM, GSM Subscriber Identity Modules.                            RFC 4186
19       SRP-SHA1 Part 1.
20       Unassigned.
21       EAP-TTLS, EAP Tunneled TLS Authentication Protocol.                  RFC 5281
22       Remote Access Service.
23       EAP-AKA, EAP method for 3rd Generation Authentication and Key Agreement.  RFC 4187
24       EAP-3Com Wireless.
25       PEAP, Protected EAP.
26       MS-EAP-Authentication.
27       MAKE, Mutual Authentication w/Key Exchange.
28       CRYPTOCard.
29       EAP-MSCHAP-V2.
30       DynamID.
31       Rob EAP.
32       EAP-POTP, Protected One-Time Password.                               RFC 4793
33       MS-Authentication-TLV.
34       SentriNET.
35       EAP-Actiontec Wireless.
36       Cogent Systems Biometrics Authentication EAP.
37       AirFortress EAP.
38       EAP-HTTP Digest.
39       SecureSuite EAP.
40       DeviceConnect EAP.
41       EAP-SPEKE.
42       EAP-MOBAC.
43       EAP-FAST, EAP Flexible Authentication via Secure Tunneling.          RFC 4851
44       ZLXEAP, ZoneLabs EAP.
45       EAP-Link.
46       EAP-PAX, EAP Password Authenticated eXchange.                        RFC 4746
47       EAP-PSK, EAP Pre-Shared Key Extensible Authentication.               RFC 4764
48       EAP-SAKE, EAP Shared-secret Authentication and Key Establishment.    RFC 4763
49       EAP-IKEv2.                                                           RFC 5106
50       EAP-AKA', Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement.  RFC 5448
51       EAP-GPSK.                                                            RFC 5433
52       EAP-pwd.                                                             RFC 5931
53-191   Available via review by designated expert.                           RFC 3748
192-253  Reserved for allocation via Standards Action.                        RFC 3748
254      Expanded Type (3-octet Vendor-Id and 4-octet Vendor-Type follow).    RFC 3748
255      Experimental.                                                        RFC 3748
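The header and Type layout above, worked as code. This is an added example written for this page, not code from the original page or from any RFC; the packet names, the zero-filled MD5-Challenge and the Nak exchange in sample_exchange() are constructed for illustration. It implements the receiver checks the field descriptions call for: the Length/received-octets rule, padding beyond Length, Nak only in a Response, the Identifier match for the single outstanding Request, and the Expanded Type sub-header.

```python
# Added example (not from the original page or any RFC): a minimal EAP
# packet encoder/decoder with the receiver checks of RFC 3748 section 4.
# Names, constants and the sample exchange below are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional

# Code values (RFC 3748; Initiate/Finish from RFC 5296)
REQUEST, RESPONSE, SUCCESS, FAILURE, INITIATE, FINISH = 1, 2, 3, 4, 5, 6
# Type values used below (RFC 3748 / IANA EAP registry)
IDENTITY, NOTIFICATION, NAK, MD5_CHALLENGE, EAP_TLS, EXPANDED = 1, 2, 3, 4, 13, 254


class EapError(ValueError):
    """Raised for packets a receiver must discard."""


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int] = None        # only Request and Response carry a Type
    type_data: bytes = b""
    vendor_id: Optional[int] = None   # set when type == EXPANDED
    vendor_type: Optional[int] = None


def parse_eap(buf: bytes) -> EapPacket:
    """Decode one EAP packet from a link-layer payload."""
    if len(buf) < 4:
        raise EapError("fewer than 4 octets: no complete EAP header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4:
        raise EapError("Length smaller than the EAP header")
    # RFC 3748 4.1: Length larger than the received octets -> silently discard.
    if length > len(buf):
        raise EapError("Length %d exceeds %d received octets" % (length, len(buf)))
    body = buf[4:length]   # octets past Length are link-layer padding, ignored
    if code in (SUCCESS, FAILURE):
        # Success/Failure carry neither Type nor Data (RFC 3748 4.2).
        return EapPacket(code, ident, length)
    if code in (INITIATE, FINISH):
        # ERP (RFC 5296) messages: opaque here, body passed through unparsed.
        return EapPacket(code, ident, length, type_data=body)
    if code not in (REQUEST, RESPONSE):
        raise EapError("unknown Code %d" % code)
    if not body:
        raise EapError("Request/Response without a Type octet")
    typ, data = body[0], body[1:]
    if typ == NAK and code != RESPONSE:
        raise EapError("Nak is only valid in a Response")
    if typ == EXPANDED:
        # Expanded Type (RFC 3748 5.7): 3-octet Vendor-Id, 4-octet Vendor-Type.
        if len(data) < 7:
            raise EapError("Expanded Type header truncated")
        vendor_id = int.from_bytes(data[:3], "big")
        (vendor_type,) = struct.unpack("!I", data[3:7])
        return EapPacket(code, ident, length, typ, data[7:], vendor_id, vendor_type)
    return EapPacket(code, ident, length, typ, data)


def build_eap(code: int, identifier: int, typ: Optional[int] = None,
              data: bytes = b"") -> bytes:
    """Encode an EAP packet; Length is computed from the payload."""
    body = (bytes([typ]) if typ is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def nak_alternatives(pkt: EapPacket) -> List[int]:
    """Types the peer offers in a legacy Nak (RFC 3748 5.3.1); a lone 0 means none."""
    if pkt.code != RESPONSE or pkt.type != NAK:
        raise EapError("not a Nak Response")
    return [t for t in pkt.type_data if t != 0]


def matches_outstanding(request: EapPacket, response: EapPacket) -> bool:
    """Lock-step rule: accept a Response only if its Identifier equals the
    Identifier of the single outstanding Request (RFC 3748 4.1)."""
    return response.code == RESPONSE and response.identifier == request.identifier


def sample_exchange() -> List[int]:
    """Constructed exchange: the authenticator proposes MD5-Challenge, the peer
    Naks it and asks for EAP-TLS; returns the Types the peer will accept."""
    # MD5-Challenge Type-Data: Value-Size 4, a zero challenge (constructed), no Name.
    req = parse_eap(build_eap(REQUEST, 0x21, MD5_CHALLENGE, b"\x04" + bytes(4)))
    nak = parse_eap(build_eap(RESPONSE, 0x21, NAK, bytes([EAP_TLS])))
    if not matches_outstanding(req, nak):
        raise EapError("Response does not match the outstanding Request")
    return nak_alternatives(nak)


if __name__ == "__main__":
    print(sample_exchange())                                         # [13]
    print(parse_eap(build_eap(SUCCESS, 0x22) + b"\x00\x00").length)  # 4, padding ignored
    try:
        parse_eap(b"\x01\x01\x00\x10\x01")   # Length 16 but only 5 octets received
    except EapError as e:
        print("discarded:", e)
```

The Length check is the one that matters most in practice: an implementation that trusts Length and reads past the received buffer is reading link-layer memory, and one that trusts the buffer size instead of Length misparses padded frames. Parsing always happens on buf[4:length] here, so both cases are covered before any method-specific code sees the packet.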

Glossary:

Authenticator.
The host requiring the authentication. The authenticator specifies the authentication protocol to be used in the Configure-Request during the Link Establishment phase.

backend authentication server.
An entity that provides an authentication service to an authenticator. When used, this server typically executes EAP methods for the authenticator.

EAP server.
The entity that terminates the EAP authentication method with the peer. In the case where no backend authentication server is used, the EAP server is part of the authenticator. In the case where the authenticator operates in pass-through mode, the EAP server is located on the backend authentication server.

EMSK, Extended Master Session Key.
Additional keying material derived between the EAP peer and server and exported by the EAP method. The EMSK must be at least 64 bytes in length. The EMSK is not shared with the authenticator or any other third party; RFC 3748 reserves it for uses not defined there.

MIC, Message Integrity Check.
A keyed hash function used for authentication and integrity protection of data.

MSK, Master Session Key.
Keying material that is derived between the EAP peer and server and exported by the EAP method. The MSK must be at least 64 bytes in length. In existing implementations, an AAA server acting as an EAP server transports the MSK to the authenticator, which uses it (for example as the IEEE 802.11 PMK) to protect the link.

Peer.
The host which is being authenticated by the authenticator.


RFCs:

[RFC 2716] PPP EAP TLS Authentication Protocol. (Obsoleted by RFC 5216.)

[RFC 5216] The EAP-TLS Authentication Protocol.

[RFC 2869] RADIUS Extensions.

[RFC 3579] RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP).

[RFC 3748] Extensible Authentication Protocol (EAP).

[RFC 4017] Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs.

[RFC 4137] State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator.

[RFC 4186] Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM).

[RFC 4187] Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA).

[RFC 4284] Identity Selection Hints for the Extensible Authentication Protocol (EAP).

[RFC 4334] Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN).

[RFC 4851] The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST).

[RFC 5247] Extensible Authentication Protocol (EAP) Key Management Framework.

[RFC 5296] EAP Extensions for EAP Re-authentication Protocol (ERP).

[RFC 5448] Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA').


Publications:


Obsolete RFCs:

[RFC 2284] PPP Extensible Authentication Protocol (EAP).

[RFC 3770] Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN).

