- Authentication framework that provides a method for devices to prove their identity before accessing network resources
- Works at Layer 2 (Data Link) and integrates with upper layer protocols for comprehensive security
- Extensible design allows multiple authentication methods within the same framework
- Commonly used with 802.1X for port-based network access control
EAP Operation Flow
- Supplicant (client device) requests network access
- Authenticator (switch/AP) forwards authentication requests to authentication server
- Authentication Server (RADIUS/TACACS+) validates credentials and sends accept/reject
- Authenticator grants or denies network access based on server response
Common EAP Methods
| EAP Method | Authentication Type | Security Level | Use Case |
|---|---|---|---|
| EAP-MD5 | Password hash | Low | Legacy systems only |
| EAP-TLS | Certificate-based | High | High-security environments |
| EAP-TTLS | Tunneled password | Medium-High | Mixed certificate/password |
| PEAP | Protected password | Medium-High | Windows Active Directory |
| EAP-FAST | Cisco proprietary | Medium-High | Cisco wireless networks |
802.1X Integration
- Port-based authentication - physical or logical ports remain in unauthorized state until authentication succeeds
- Uses three key components: supplicant software, authenticator hardware, authentication server
- Dynamic VLAN assignment possible based on user credentials or group membership
- Supports both wired (switch ports) and wireless (SSID) implementations
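The dynamic VLAN assignment above arrives as RADIUS tunnel attributes in the server's Access-Accept, and the authenticator should only honour them after checking that the reply really came from its RADIUS server. The following is an added example (not code from the original notes or from any vendor's implementation): it builds an Access-Accept carrying EAP-Success plus Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID (RFC 2868), signs it with the Response Authenticator (RFC 2865) and the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, and then shows the authenticator-side checks. The identifier, request authenticator, shared secret and VLAN number are constructed sample values.

```python
"""Added example: authenticator-side validation of a RADIUS Access-Accept that
carries a dynamic VLAN. Not from the original notes; all values are constructed."""
import hashlib
import hmac
import struct
from typing import Optional

RADIUS_ACCESS_ACCEPT = 2
EAP_SUCCESS = 3
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
HEADER_LEN = 20


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, counts itself and Type) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged(tag: int, value: bytes) -> bytes:
    """RFC 2868 tunnel attributes start with a one-byte Tag (0x00-0x1F) grouping them."""
    return bytes([tag]) + value


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, vlan: int, tag: int = 1) -> bytes:
    """Server side: EAP-Success plus the three attributes that request a VLAN."""
    attrs = attr(ATTR_EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, identifier, 4))
    attrs += attr(ATTR_TUNNEL_TYPE, tagged(tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big")))
    attrs += attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged(tag, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")))
    attrs += attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged(tag, str(vlan).encode()))
    ma_idx = len(attrs) + 2                      # offset of the 16 HMAC bytes inside attrs
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    # RFC 3579: for replies the HMAC-MD5 is computed with the *Request* Authenticator in place
    # and the Message-Authenticator value zeroed, keyed with the shared secret.
    mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:ma_idx] + mac + attrs[ma_idx + 16:]
    # RFC 2865: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attrs(packet: bytes):
    """Yield (type, offset, value) for every attribute; reject overlapping or truncated TLVs."""
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Both checks an authenticator should do before trusting anything in the reply."""
    head, attrs = packet[:4], packet[HEADER_LEN:]
    if not hmac.compare_digest(packet[4:20], hashlib.md5(head + request_auth + attrs + secret).digest()):
        return False
    for attr_type, pos, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = head + request_auth + packet[HEADER_LEN:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False  # EAP-Message present but no Message-Authenticator: RFC 3579 says discard


def vlan_from_accept(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Return the VLAN to apply to the port, or None if the reply must be ignored."""
    if packet[0] != RADIUS_ACCESS_ACCEPT or not reply_is_authentic(packet, request_auth, secret):
        return None
    groups: dict = {}
    for attr_type, _, value in parse_attrs(packet):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID):
            tag = value[0] if value[0] <= 0x1F else None   # first byte > 0x1F means "untagged"
            groups.setdefault(tag, {})[attr_type] = value[1:] if tag is not None else value
    for entry in groups.values():                          # honour the first complete VLAN triple
        if (entry.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and entry.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in entry):
            vid = int(entry[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode())
            return vid if 1 <= vid <= 4094 else None
    return None


def demo() -> dict:
    """Constructed values: request authenticator from the (hypothetical) Access-Request, secret, VLAN 120."""
    request_auth, secret = bytes(range(16)), b"constructed-shared-secret"
    accept = build_access_accept(9, request_auth, secret, vlan=120)
    return {
        "vlan_assigned": vlan_from_accept(accept, request_auth, secret),
        "wrong_secret_honoured": vlan_from_accept(accept, request_auth, b"guess") is not None,
        "other_request_honoured": vlan_from_accept(accept, bytes(16), secret) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The two negative cases in `demo()` are the ones that matter operationally: a reply signed with the wrong shared secret, and a valid reply replayed against a different Access-Request, both fail the Response Authenticator check and so never reach the VLAN logic.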
RADIUS Integration
- EAP messages encapsulated in RADIUS Access-Request/Access-Challenge packets
- Authentication server performs actual credential verification
- Accounting features track user sessions and network usage
- Standard UDP ports: 1812 (authentication), 1813 (accounting)
Vocabulary
Supplicant: Client software/hardware that requests network access and provides credentials
Authenticator: Network device (switch/AP) that controls access and forwards authentication requests
EAPoL (EAP over LAN): Protocol that carries EAP messages over Ethernet networks
MSK (Master Session Key): Cryptographic key generated during EAP authentication for securing subsequent communications
PMK (Pairwise Master Key): Key derived from MSK used in wireless networks for encryption
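The operation flow, the RADIUS encapsulation and the EAPoL definition above fit together in one exchange: the supplicant sends an EAP packet inside an EAPoL frame, the authenticator unwraps it and re-encapsulates it in RADIUS EAP-Message attributes, and the server checks the packet before looking at the EAP payload. The following is an added example (not code from the original notes or from any real supplicant, switch or RADIUS server) that walks an EAP-Response/Identity through all three roles using the wire formats from RFC 3748 (EAP), IEEE 802.1X (EAPoL) and RFC 2865/3579 (RADIUS, EAP-Message, Message-Authenticator). The identity, identifiers and shared secret are constructed sample values.

```python
"""Added example: EAP-Response/Identity from supplicant to RADIUS server.
Not from the original notes; identity, identifiers and secret are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
EAPOL_VERSION, EAPOL_EAP_PACKET = 2, 0
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
RADIUS_HEADER_LEN = 20


# ---- supplicant: EAP packet wrapped in an EAPoL frame (Ethertype 0x888E on the wire) ----
def build_eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """EAP header: Code(1) Identifier(1) Length(2) Type(1), followed by the identity."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def build_eapol(eap_packet: bytes) -> bytes:
    """EAPoL header: Version(1) Type(1) Length(2); Type 0 = EAP-Packet."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap_packet)) + eap_packet


# ---- authenticator: unwrap EAPoL, re-encapsulate into a RADIUS Access-Request ----
def parse_eapol(frame: bytes) -> bytes:
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET or len(frame) < 4 + length:
        raise ValueError("not a well-formed EAPoL EAP-Packet")
    return frame[4:4 + length]


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, counts itself and Type) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, request_auth: bytes, username: bytes,
                         eap_packet: bytes, secret: bytes) -> bytes:
    attrs = radius_attr(ATTR_USER_NAME, username)
    # RFC 3579: an EAP packet longer than 253 bytes is split over several EAP-Message attributes
    for i in range(0, len(eap_packet), 253):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    ma_offset = RADIUS_HEADER_LEN + len(attrs) + 2       # where the 16 HMAC bytes will sit
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, RADIUS_HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    # HMAC-MD5 over the whole packet with the Message-Authenticator zeroed, keyed by the shared secret
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


# ---- authentication server: validate the RADIUS packet, then read the EAP payload ----
def iter_attrs(packet: bytes):
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """False when the attribute is missing or the HMAC fails; RFC 3579 says drop such packets."""
    for attr_type, pos, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False


def extract_eap(packet: bytes) -> bytes:
    """Concatenate the EAP-Message fragments back into one EAP packet."""
    return b"".join(v for t, _, v in iter_attrs(packet) if t == ATTR_EAP_MESSAGE)


def server_identity_from_request(packet: bytes, secret: bytes) -> Optional[bytes]:
    if not verify_message_authenticator(packet, secret):
        return None
    eap = extract_eap(packet)
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(eap):
        return None
    return eap[5:]


def run_flow(identity: bytes = b"alice@example.com", secret: bytes = b"constructed-shared-secret") -> dict:
    """Drive the four steps from the notes and report what the server accepted."""
    eap = build_eap_response_identity(identifier=1, identity=identity)          # supplicant
    frame = build_eapol(eap)                                                     # supplicant -> authenticator
    request_auth = os.urandom(16)                                                # authenticator's fresh nonce
    access_request = build_access_request(7, request_auth, identity, parse_eapol(frame), secret)
    idx = access_request.index(identity)                                         # flip one byte of User-Name
    tampered = access_request[:idx] + bytes([access_request[idx] ^ 1]) + access_request[idx + 1:]
    return {
        "identity_seen_by_server": server_identity_from_server_view(access_request, secret),
        "tampered_request_accepted": server_identity_from_request(tampered, secret) is not None,
        "wrong_secret_accepted": server_identity_from_request(access_request, b"other-secret") is not None,
    }


def server_identity_from_server_view(packet: bytes, secret: bytes) -> Optional[bytes]:
    return server_identity_from_request(packet, secret)


if __name__ == "__main__":
    print(run_flow())
```

The Message-Authenticator is the check worth noticing: it is what stops an authenticator or anyone between it and the server from altering EAP-Message contents, and RFC 3579 makes it mandatory on every Access-Request that carries EAP.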
Notes
- EAP is a framework, not a single protocol - always specify which EAP method when configuring
- Certificate-based methods (EAP-TLS) provide strongest security but require PKI infrastructure
- Guest networks typically bypass EAP authentication entirely using captive portals
- EAP-FAST uses Protected Access Credentials (PACs) instead of certificates - easier deployment but Cisco-specific
- Critical limitation: EAP-MD5 provides no mutual authentication and is vulnerable to dictionary attacks
- Fallback authentication often configured for devices that don’t support 802.1X (printers, IoT devices)
- PEAP creates TLS tunnel first, then sends password authentication - protects credentials in transit
- Troubleshooting tip: Use the `debug dot1x` and `debug radius` commands to trace authentication failures
- MAC address bypass commonly used as fallback when EAP authentication fails
- Authentication timeouts typically 30-60 seconds - adjust based on network latency to RADIUS servers