Extensible Authentication Protocol (EAP) Explained

Extensible Authentication Protocol (EAP) is an authentication framework that is more flexible, extensible, and scalable. It does not involve any authentication method, but it specifies a set of standard functions that authentication methods can employ to authenticate users.

EAP supports the IEEE 802.1x standard. If 802.1x is enabled on a device, it restricts network access until the client authenticates. A wireless client can still connect to an AP even without authenticating. Still, it cannot send data to other parts of the network unless it authenticates successfully.

The enterprise modes of WPA, WPA2, and WPA3 support numerous EAP methods and are used to implement EAP-based authentication with 802.1x. The EAP methods must be supported on the wireless client devices and configured on the authentication server.

The Wireless LAN Controller (WLC) acts as an EAP intermediary between the clients and the authentication server. Cisco WLCs can use a local EAP server on the WLC or an external RADIUS server on the wired network.

The Extensible Authentication Protocol (EAP) authentication framework has various authentication methods available, and most of them are based on Transport Layer Security (TLS). Which method to settle on depends on the security requirements, and if the EAP method is supported by the supplicants and the authentication server. Listed below are the EAP protocol authentication methods.


EAP Challenge-Based Authentication Method

Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

This method utilizes the MD5 message-digest algorithm to conceal the credentials in a hash. The hash is transmitted to the authentication server, where it is matched to a local hash to ensure that the credentials are accurate. Unfortunately, EEAP-MD5 lacks a mechanism for mutual authentication. The authentication server verifies the supplicant, but the supplicant does not perform server authentication to determine if it’s trustworthy. Because of the absence of mutual authentication, it is a poor option as an authentication method.


EAP TLS Authentication Method

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

The EAP-TLS Extensible Authentication Protocol method uses the TLS Public Key Infrastructure (PKI) certificate authentication mechanism to offer mutual authentication of the supplicant to the authentication server and vice versa. EAP-TLS requires that both the supplicant and the authentication server be issued a digital certificate signed by a certificate authority (CA) that they both trust.

Since the supplicant also needs a certificate for authentication, EAP-TLS is considered the most secure authentication method. However, it is also the most challenging method to implement because of the administrative overhead of needing to install a certificate on the supplicant side.


EAP Tunneled TLS Authentication Methods

EAP outer or tunneled TLS authentication methods, such as EAP-FAST, EAP-TTLS, and PEAP, are used by EAP inner authentication methods to tunnel within. Tunneled TLS authentication methods create a TLS outer tunnel between the supplicant and the authentication server. After the encrypted tunnel is established, the client authentication credentials are negotiated inside the TLS outer tunnel using one of the EAP inner methods.

This tunneling authentication method is quite similar to how an HTTPS session between a web browser and a secure website is established. The HTTPS TLS tunnel is built once the web browser confirms the legitimacy of the website’s certificate (one-way trust). Once the TLS tunnel is established, the user may input login credentials on the website through the secure TLS tunnel.


EAP Flexible Authentication via Secure Tunneling (EAP-FAST)

Cisco Systems created EAP-FAST as an alternative to PEAP to enable more rapid re-authentications and support for high-speed wireless roaming. EAP-FAST, like PEAP, establishes a TLS outer tunnel and then sends the client authentication credentials across that outer TLS tunnel.  EAP-FAST can also re-authenticate quicker by employing a Protected Access Credential (PAC). PAC is identical to a secure cookie stored locally on the host as proof of successful authentication.


EAP Tunneled Transport Layer Security (EAP-TTLS)

EAP-TTLS is functionally comparable to PEAP, but it is not as extensively supported. PEAP supports EAP inner authentication methods, while EAP-TTLS can support additional inner methods such as Challenge Handshake Authentication Protocol (CHAP), legacy Password Authentication Protocol (PAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).


Protected Extensible Authentication Protocol (PEAP)

In Protected EAP (PEAP), only the authentication server needs a certificate. This lessens the administrative overhead of deploying EAP. PEAP will create an encrypted TLS tunnel between the supplicant and the authentication server. After establishing the tunnel, PEAP utilizes one of the following EAP authentication inner methods to authenticate the supplicant over the outer PEAP TLS tunnel:


  1. EAP Generic Token Card (EAP-GTC) (PEAPv1)

Cisco developed the EAP-GTC (PEAPv1) EAP inner method as an alternate solution to MSCHAPv2. It aims to provide generic authentications to nearly any identity store, including LDAP, NetIQ eDirectory, OTP token servers, and others.


  1. EAP Microsoft Challenge Handshake Authentication Protocol Version 2 (EAP-MSCHAPv2) (PEAPv0)

When using the EAP-MSCHAPv2 (PEAPv0) EAP inner method, the client’s credentials are encrypted and delivered to the server within an MSCHAPv2 session. This is the most commonly deployed EAP inner method, as it allows for straightforward transmission of username and password to the RADIUS server, which subsequently authenticates them using Microsoft’s Active Directory.


  1. EAP TLS

It is the most secure EAP authentication method because it is technically a TLS tunnel inside another TLS tunnel. However, it is rarely implemented since it requires certificates to be installed on the supplicants. The deployment process is complex.


EAP Chaining

EAP-FAST includes the choice of EAP chaining, which allows machine and user authentication to take place inside a single outer TLS tunnel. It permits the combination of machine and user authentication into one overall authentication result. This enables higher privileges or posture evaluations to be assigned to users who access the network using corporate-managed devices.

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: