Extensible Authentication Protocol: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 12:48, 25 June 2023 edit Kvng (talk \| contribs) Extended confirmed users, New page reviewers 116,056 edits m caps ← Previous edit		Latest revision as of 12:02, 4 August 2025 edit undo Mad Jim Bey (talk \| contribs) Extended confirmed users 2,690 edits Reverting edit(s) by 2A01:5EC0:B802:6196:B94B:9B56:F7D7:F8AF (talk) to rev. 1288312694 by Eveninglatte: Disruptive editing (RW 16.1) Tags: RW Undo
(12 intermediate revisions by 10 users not shown)
Line 1: {{Short description\|Authentication protocol for the point-to-point protocol}} '''Extensible Authentication Protocol''' ('''EAP''') is an authentication framework frequently used in network and internet connections. It is defined in {{IETF RFC\|3748}}, which made {{IETF RFC\|2284}} obsolete, and is updated by {{IETF RFC\|5247}}. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a [[wire protocol]]; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages. EAP is in wide use. For example, in [[IEEE 802.11]] (~~WiFi~~Wi-Fi) the WPA and WPA2 standards have adopted IEEE 802.1X (with various EAP types) as the canonical authentication mechanism. ==Methods== Line 62: ;Symmetric keys: High-entropy bit strings that are known to both the server and the peer. It is possible to use a different authentication [[credential]] (and thereby technique) in each direction. For example, the EAP server authenticates itself using public/private key pair and the EAP peer using symmetric key. ~~In particular~~However, not all of the ~~following~~nine theoretical combinations are expected toin bepractice. ~~used~~Specifically, inthe ~~practice~~standard {{IETF RFC\|5106}} lists four use cases: The server authenticating with an asymmetric key pair while the client uses any of the three methods; and that both sides use a symmetric key. EAP-IKEv2 is described in {{IETF RFC\|5106}}, and a [http://eap-ikev2.sourceforge.net prototype implementation] exists. Line 82: \|} When automatic PAC provisioning is enabled, EAP-FAST has a ~~slight~~ vulnerability where an attacker can intercept the PAC and use that to compromise user credentials. This vulnerability is mitigated by manual PAC provisioning or by using server certificates for the PAC provisioning phase. It is worth noting that the PAC file is issued on a per-user basis. This is a requirement in {{IETF RFC\|4851}} sec 7.4.4 so if a new user logs on the network from a device, a new PAC file must be provisioned first. This is one reason why it is difficult not to run EAP-FAST in insecure anonymous provisioning mode. The alternative is to use device passwords instead, but then the device is validated on the network not the user. Line 126: ==Encapsulation== EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to [[Encapsulation (networking)\|encapsulate]] EAP messages within that protocol's messages.<ref>{{~~Cite~~cite book \| doi=10.1007/0-387-23483-7_189 \| chapter=HTTPS, Secure HTTPS \|~~work~~ title=~~SpringerReference~~Encyclopedia of Cryptography and Security \|~~publisher~~ date=~~Springer-Verlag~~2005 \|~~doi~~ last1=~~10.1007/springerreference_292~~Pedersen \|~~title~~ first1=~~Springer~~Torben ~~''Reference''~~\|~~year~~ pages=~~2011~~268–269 \| isbn=978-0-387-23473-1 }}</ref><ref>{{Citation\|last=Plumb, Michelle \|title=CAPPS : HTTPS Networking\|oclc=944514826}}</ref> ===IEEE 802.1X===