Can someone explain me EAP?

yzTyzT Member Posts: 365 ■■■□□□□□□□
in Security+
I know that EAP is a protocol used for communications and that in the scope of the Security+ we should know that LEAP was developed by Cisco based on CHAP, and the PEAP is a secure implementation which encrypts the conversation using TLS.

However, what is the purpose of EAP? Is a kind of three-hand-shake but on layer 2 rather than on layer 3?
· Share on FacebookShare on Twitter

Comments

  • DeezyFFDeezyFF A/N/S/P/L+, CCNA-Security, CISSP, ITILv3 Winston-Salem, NCMember Posts: 60 ■■■□□□□□□□
    I just recently passed my security + and I can't really answer that. For the exam i did need to know that EAP is an Authentication protocol and that it transmits in plaintext (unsecure). PEAP is the secure version.

    Hopes this help you for the exam.
    WGU BS-IT Security: Complete
    ​:cheers:
    · Share on FacebookShare on Twitter
  • MiikeBMiikeB Member Posts: 301
    EAP is only a framework and not a specific mechanism. It only defines things like message format. It does not in and of itself define key parameters or encapsulation protocols.
    Graduated - WGU BS IT December 2011
    Currently Enrolled - WGU MBA IT Start: Nov 1 2012, On term break, restarting July 1.
    QRT2, MGT2, JDT2, SAT2, JET2, JJT2, JFT2, JGT2, JHT2, MMT2, HNT2
    Future Plans - Davenport MS IA, CISSP, VCP5, CCNA, ITIL
    Currently Studying - VCP5, CCNA
    · Share on FacebookShare on Twitter
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Extensible Authentication Protocol is a generic procedure definition that allows you to choose from a variety of available authentication processes rather than being locked into a single vendor-defined method. It's like every car manufacturer starting with the exact same structural frame design, but then each manufacturer puts in their own engine, transmission, body styling, etc. with specifications that are different from the others.

    For the actual EAP methods, choices include, but is not limited to, LEAP, PEAPv0, PEAPv1, EAP-FAST, EAP-TTLS, EAP-TLS, and so on. I know the term "framework" is thrown around like it's supposed to intuitively make sense to someone who has never encountered this concept before, but that's essentially what it is - a generic definition of stages during authentication.

    The specific methods (PEAPv0, EAP-TTLS/MS-CHAPv2, EAP-TTLS/PAP, EAP-TLS, EAP-MD5, etc.) may have overlapping similarities but at the implementation and troubleshooting level they have definite differences such as some doing server-side certification validation and then password-based client checking, some doing both user and server-side credential validation via certificates, some allowing additional messages through for 2-factor token verification at a specific step, and so forth. All have their pros and cons. EAP is not really a beginner's subject and they probably include it in Security+ material just so you've seen the letters "EAP" at some point.

    Here's a flow diagram that I drew some years back as it applies to its use in 802.11 ("Wi-Fi") networks:

    http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png

    After taking SANS 617, I realized there might be some small details which are incorrect in that diagram, but overall that's what it looks like.

    Non-802.1X-enabled Wi-Fi connectivity (that is, WPA2-PSK) is radically different since the supplicant/client simply goes through the 4-way handshake, then send out a DHCP Discovery packet, go through the DHCP lease negotiation steps, and then finally get an IP to do stuff.

    The EAP/802.1X variation goes through a more complicated set of steps, then goes through the 4-way handshake, then does the DHCP thing.

    http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-psk_4-way_handshake/flow_wpa-psk_4-way_handshake.png

    Of course, WPA-PSK, WPA2-PSK, and WPA "Enterprise" (802.1X) all require the supplicant to go through the basic 802.11 association process ("link-up") before even starting on the 4-way handshake or the EAPOL-Start message.

    Sound complicated? That's because it sort of is, but when you break down how authentication works behind the scenes, this isn't exactly unusual.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    · Share on FacebookShare on Twitter
  • yzTyzT Member Posts: 365 ■■■□□□□□□□
    Well more or less is the basic idea I had with the handshake process, although actually it is 4 handshake rather than 3 xD

    Rather than complicated I see it as a thorough process.

    That diagram is for PEAP, isn't it? In the case of just EAP (clear text), the conversation would end at the line of EAP Request, EAP Type, right?
    · Share on FacebookShare on Twitter
  • DarrilDarril Member Posts: 1,588
    Great explanation, docrice.

    The simplified answer jumps out when you spell out the acronym - Extensible Authentication Protocol. The primary purpose is to authenticate users or systems (authentication protocol), and the basic methods can be extended for different purposes (extensible).

    As MiikeB mentions, EAP is a framework and docrice spells out how the framework is used in several implementations. I like the diagrams. Much deeper than is needed for Security+, but informative.
    Darril Gibson
    CompTIA A+, Network+, Security+ Blogs
    Daily Network+ and Security+ Test Taking Tips on Twitter
    · Share on FacebookShare on Twitter
Sign In or Register to comment.