Extensible Authentication Protocol

from Wikipedia, the free encyclopedia

The Extensible Authentication Protocol (EAP) is a general authentication protocol developed by the Internet Engineering Task Force (IETF) that supports different authentication methods, e.g. username / password (RADIUS), digital certificate, SIM card. EAP is often used for access control in WLANs.

EAP is designed to provide generic support for authentication, i.e. for dial-in to a foreign network, without the infrastructure having to be changed and updated for each new authentication method. EAP is widely used today and is supported by various transport protocols such as the Point-to-Point Protocol (PPP), Remote Authentication Dial-In User Service (RADIUS) and Diameter. The IEEE 802.1X standard proposes, among others, EAP as the authentication method. Likewise, 3GPP uses the EAP standard for merging GSM with IP technology. EAP could also become the preferred authentication method for WiMAX in the future.

Advantages

Several authentication mechanisms can be used (also in sequence), and they do not have to be negotiated during the connection establishment phase.

Authentication method

With EAP, the authentication mechanism actually used is only negotiated during the authentication phase, which allows an authentication server to be used. A so-called supplicant is a user or client who wants to register with an authentication authority, e.g. a mobile node establishing a connection to a network. A so-called authenticator forwards the authentication messages from the supplicant to the authentication server. Several mechanisms can be used in a row. The authenticator controls this and selects the procedure by means of a request. Available choices include identity query for dial-in connections, MD5 challenge (CHAP), one-time passwords, generic token cards, etc. After an authentication prompt (request) from the authenticator to the supplicant, the supplicant replies with a response that contains the respective authentication data (identity (ID), password, hash value, IMSI, etc.). The authenticator can then request further information by means of a challenge-response procedure. The authentication is concluded with a success / failure message from the authenticator.

Identity

Identification, possibly by the user, i.e. by entering a user ID. The request packet can carry a prompt text that is displayed to the user before the ID is entered.

Notification

The data part of the packet carries a message that is displayed to the user, e.g. an authentication error or the password expiration time.

NAK

(NAK = No Acknowledgment / Negative Acknowledgment.) This type may only appear in a response message. It signals that the peer does not support the requested authentication method.

MD5 challenge

This corresponds to CHAP with MD5 as the hash algorithm. The request message carries a random value. The response packet contains the hash value over this random value and a password known only to both parties (see also challenge-response authentication).
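As an added illustration (not code from the original article), the following Python sketch encodes EAP packets in the RFC 3748 layout and walks through the request / response flow described above: an Identity exchange followed by an MD5-Challenge, with the authenticator verifying the hash and answering Success or Failure. The function names, the sample identity and the secret are assumptions for the demo.

```python
import hashlib
import hmac
import os
import struct

# EAP Code values (RFC 3748 section 4)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
# EAP method Type values used here: Identity (1) and MD5-Challenge (4)
TYPE_IDENTITY, TYPE_MD5 = 1, 4

def build(code, identifier, type_data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type + Type-Data]."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data

def parse(packet):
    """Decode an EAP packet, rejecting a Length field that disagrees with the frame."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length != len(packet):
        raise ValueError("EAP length mismatch")
    return code, identifier, packet[4:length]

def md5_challenge_response(identifier, secret, challenge):
    """CHAP-style MD5-Challenge value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def run_exchange(secret_db, supplicant_name, supplicant_secret):
    """Simulate authenticator <-> supplicant; returns the final EAP Code."""
    # Request/Identity -> Response/Identity (Type-Data of the response is the ID)
    req = build(REQUEST, 1, bytes([TYPE_IDENTITY]))
    _, ident, _ = parse(req)
    resp = build(RESPONSE, ident, bytes([TYPE_IDENTITY]) + supplicant_name)
    claimed_name = parse(resp)[2][1:]
    # Request/MD5-Challenge: Type(4) Value-Size(1) Value Name
    challenge = os.urandom(16)  # constructed random challenge
    req = build(REQUEST, 2, bytes([TYPE_MD5, len(challenge)]) + challenge + b"nas")
    _, ident, data = parse(req)
    chal = data[2:2 + data[1]]
    value = md5_challenge_response(ident, supplicant_secret, chal)
    resp = build(RESPONSE, ident, bytes([TYPE_MD5, len(value)]) + value + supplicant_name)
    # Authenticator recomputes with the secret stored for the claimed identity
    _, ident, data = parse(resp)
    received = data[2:2 + data[1]]
    expected = md5_challenge_response(ident, secret_db.get(claimed_name, b""), challenge)
    ok = claimed_name in secret_db and hmac.compare_digest(received, expected)
    # Success / Failure packets carry no Type field, only the 4-byte header
    return parse(build(SUCCESS if ok else FAILURE, ident))[0]
```

MD5-Challenge derives no session keys and is only acceptable inside a protected tunnel such as EAP-TTLS or PEAP, which is why it is not used on its own for WLAN access.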

One-time password

The request message contains an OTP challenge. The response packet contains the corresponding one-time password.

TLS

To avoid designing a complex cryptographic protocol from scratch, the TLS authentication dialog is used here.

The EAP-TLS method, which can be used with all WLAN components standardized according to 802.11i, is widespread. The authenticator (access point / router) verifies the authentication information transmitted by the prospective network participant (notebook) against an authentication server (RADIUS).

SIM / AKA

EAP for the GSM Subscriber Identity Module or UMTS Authentication and Key Agreement (RFC 4186; RFC 4187) is another method of the Extensible Authentication Protocol that uses the GSM / UMTS SIM card for authentication. With this method, joining an encrypted WLAN takes place automatically, because the client (usually a mobile phone) authenticates to the AAA (Triple-A) system using its SIM authentication algorithm, so no preset WLAN password needs to be entered.

Further methods

There are around 40 EAP methods, including:

  • According to RFC: EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS
  • Vendor-specific: EAP-TLS, EAP-SIM, EAP-AKA, PEAP, LEAP, EAP-TTLS, EAP-IKEv2

Norms and standards

  • RFC 3748 - Extensible Authentication Protocol (EAP)
  • RFC 2284 - PPP Extensible Authentication Protocol (EAP)
  • RFC 1938 - A One-Time Password System
  • RFC 4186 - Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)
  • RFC 4187 - Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)
