Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is a framework for negotiating authentication methods. It lets systems authenticate with hardware-based identifiers (for example a certificate whose private key is held in a TPM) and establish a secure tunnel through which credentials are submitted.
- used when an endpoint device needs to be authenticated before it joins the network
- pre-authentication requirement scenarios:
  - a user is accessing a wireless network and needs to authenticate with the network directory server
  - a device is connecting to a network via a switch, and network policy requires the user to be authenticated before the device is allowed to communicate
  - a user is connecting to the network over a public network via a VPN
- allows many authentication methods
- often uses a digital certificate on the server and/or client machines
  - certs allow the machine to:
    - establish a trust relationship and create a secure tunnel to transmit user credentials
    - or perform smart card authentication without a user password
- each EAP method implements a particular authentication factor and mechanism
EAP-TLS Example
- Both the server and the wireless supplicant are issued an encryption key pair and a digital certificate.
- On the wireless device, the private key is stored securely in a trusted platform module (TPM) or on a USB key.
- The user must authenticate to the device with a PIN, password, or biometric gesture to unlock the key.
  - This is the first factor.
- When the device associates with the network and starts an EAP session, the server sends a digital signature handshake and its certificate.
- The supplicant validates the signature and certificate and, if it trusts them, sends its own handshake and certificate.
  - This is the second factor.
- The server checks the supplicant's handshake and certificate and authenticates it if trusted.
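As an added illustration (not part of the original notes), the supplicant side of the EAP-TLS flow above expressed as a wpa_supplicant network block; the SSID, identity, domain and file paths are placeholder assumptions:

```conf
# Added example: wpa_supplicant.conf network block for EAP-TLS (mutual certificate auth).
# SSID, identity, domain and all file paths are placeholders for this illustration.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"

    # Trust anchor used to validate the server's certificate and signature handshake.
    # If ca_cert is omitted, wpa_supplicant does not verify the server certificate,
    # so the supplicant would present its own credential handshake to any server.
    ca_cert="/etc/wpa_supplicant/certs/corp-ca.pem"
    # Also pin the expected server identity so a certificate from the same CA
    # issued to a different host is rejected.
    domain_suffix_match="example.com"

    # The supplicant's own certificate and private key (the second factor).
    client_cert="/etc/wpa_supplicant/certs/user.pem"
    private_key="/etc/wpa_supplicant/certs/user.key"
    # Passphrase protecting the private key; unlocking the key with a PIN or
    # password is the first factor described in the notes. For a key held on a
    # smart card or TPM, the key is referenced through an OpenSSL engine instead
    # of a file path.
    private_key_passwd="CHANGE-ME"
}
```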