Can someone explain me EAP?

yzT

I know that EAP is a protocol used for communications and that in the scope of the Security+ we should know that LEAP was developed by Cisco based on CHAP, and the PEAP is a secure implementation which encrypts the conversation using TLS.

However, what is the purpose of EAP? Is a kind of three-hand-shake but on layer 2 rather than on layer 3?

DeezyFF

I just recently passed my security + and I can't really answer that. For the exam i did need to know that EAP is an Authentication protocol and that it transmits in plaintext (unsecure). PEAP is the secure version.

Hopes this help you for the exam.

MiikeB

EAP is only a framework and not a specific mechanism. It only defines things like message format. It does not in and of itself define key parameters or encapsulation protocols.

docrice

Extensible Authentication Protocol is a generic procedure definition that allows you to choose from a variety of available authentication processes rather than being locked into a single vendor-defined method. It's like every car manufacturer starting with the exact same structural frame design, but then each manufacturer puts in their own engine, transmission, body styling, etc. with specifications that are different from the others.

For the actual EAP methods, choices include, but is not limited to, LEAP, PEAPv0, PEAPv1, EAP-FAST, EAP-TTLS, EAP-TLS, and so on. I know the term "framework" is thrown around like it's supposed to intuitively make sense to someone who has never encountered this concept before, but that's essentially what it is - a generic definition of stages during authentication.

The specific methods (PEAPv0, EAP-TTLS/MS-CHAPv2, EAP-TTLS/PAP, EAP-TLS, EAP-MD5, etc.) may have overlapping similarities but at the implementation and troubleshooting level they have definite differences such as some doing server-side certification validation and then password-based client checking, some doing both user and server-side credential validation via certificates, some allowing additional messages through for 2-factor token verification at a specific step, and so forth. All have their pros and cons. EAP is not really a beginner's subject and they probably include it in Security+ material just so you've seen the letters "EAP" at some point.

Here's a flow diagram that I drew some years back as it applies to its use in 802.11 ("Wi-Fi") networks:

http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png

After taking SANS 617, I realized there might be some small details which are incorrect in that diagram, but overall that's what it looks like.

Non-802.1X-enabled Wi-Fi connectivity (that is, WPA2-PSK) is radically different since the supplicant/client simply goes through the 4-way handshake, then send out a DHCP Discovery packet, go through the DHCP lease negotiation steps, and then finally get an IP to do stuff.

The EAP/802.1X variation goes through a more complicated set of steps, then goes through the 4-way handshake, then does the DHCP thing.

http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-psk_4-way_handshake/flow_wpa-psk_4-way_handshake.png

Of course, WPA-PSK, WPA2-PSK, and WPA "Enterprise" (802.1X) all require the supplicant to go through the basic 802.11 association process ("link-up") before even starting on the 4-way handshake or the EAPOL-Start message.

Sound complicated? That's because it sort of is, but when you break down how authentication works behind the scenes, this isn't exactly unusual.

yzT

Well more or less is the basic idea I had with the handshake process, although actually it is 4 handshake rather than 3 xD

Rather than complicated I see it as a thorough process.

That diagram is for PEAP, isn't it? In the case of just EAP (clear text), the conversation would end at the line of EAP Request, EAP Type, right?

Darril

Great explanation, docrice.

The simplified answer jumps out when you spell out the acronym - Extensible Authentication Protocol. The primary purpose is to authenticate users or systems (authentication protocol), and the basic methods can be extended for different purposes (extensible).

As MiikeB mentions, EAP is a framework and docrice spells out how the framework is used in several implementations. I like the diagrams. Much deeper than is needed for Security+, but informative.