EAP Overview
(Extensible Authentication Protocol)
Team Golmaal:
Vaibhav Sharma Vineet Banga
Manender Verma
Lovejit Sandhu
Abizar Attar
Contents:• Introduction
• Architecture
• Features
• Implementations
– Cisco LEAP– EAP-TLS– EAP-MD5– PEAP– Other Subtypes
• Comparison Chart
2CmpE 209 Team Golmaal
Introduction
• What is EAP?– Defined by RFC 2284 and 3748– Universal Authentication Framework– Mainly used in Wireless Networks and Point to
point connections– A flexible protocol used to carry arbitrary authentication
information.– Typically rides on top of another protocol such as 802.1x
or RADIUS
3CmpE 209 Team Golmaal
EAP Architecture
4CmpE 209 Team Golmaal
EAP Features• Provides some common functions and a negotiation of the desired
authentication mechanism called methods.
• Currently there are about 40 different methods
• Methods defined in IETF RFCs include – EAP-MD5 – EAP-OTP– EAP-GTC– EAP-TLS– EAP-IKEv2 and in addition a number of vendor specific methods and new
proposals exist
• Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, PEAP, LEAP and EAP-TTLS
5CmpE 209 Team Golmaal
Cisco LEAP• Lightweight Extensible Authentication Protocol also known
as Cisco-Wireless EAP
• Proprietary wireless LAN authentication method developed by Cisco Systems.
• Provides username/password-based authentication between a wireless client and a RADIUS server like Cisco ACS or Interlink AAA
• Among a few protocols used with the IEEE 802.1X standard for LAN port access control.
6CmpE 209 Team Golmaal
Architecture of LEAP
Access Point
ClientACS Server
7CmpE 209 Team Golmaal
LEAP Process
8CmpE 209 Team Golmaal
Limitations of LEAP
• Uses a modified authentication protocol version of MS-CHAP in which user credentials are not strongly protected.
• Can be susceptible to eavesdropping.• For more robust implementations use of
cryptography is necessary for securing user credentials
9CmpE 209 Team Golmaal
ASLEAP
10CmpE 209 Team Golmaal
Cisco’s Response to Limitation of LEAP
• Suggests that network administrators to have either of the two reactive techniques:
– Force users to have stronger, more complicated passwords
– Switch to alternative protocol developed by Cisco (EAP-FAST) for more security.
11CmpE 209 Team Golmaal
EAP TLS
• An Internet Engineering Task Force (IETF) standard (RFC 2716) that is
based on the TLS protocol (RFC 2246) • Considered extension to SSL
• Uses digital certificates for both user and server authentication • It uses PKI to secure communication to the RADIUS authentication server • EAP-TLS is the original standard wireless LAN EAP authentication protocol • Supported my all operating systems and network appliances.
12CmpE 209 Team Golmaal
EAP Authentication Process in wireless network
EAP-TTLS (Extension of EAP-TLS)
• Extends EAP-TLS
• Securely tunnels Client authentication within TLS records
• TTLS requires only server-side certificates but in EAP TLS more certificates are used
• These certificates are used for one-way TLS authentication (network to user), and once you have a nice, safe, encrypted and integrity-checked channel, you can use EAP inside of the TLS tunnel for any other authentication
14CmpE 209 Team Golmaal
PEAP• PEAP is an IETF draft RFC authored by Cisco Systems, Microsoft, and RSA
Security • A method to securely transmit authentication information, including
passwords, over wired or wireless networks• Uses a digital certificate only for server authentication• Very similar to TTLS! • A TLS tunnel is established, and another EAP session takes place inside• For user authentication, PEAP supports various EAP-encapsulated
methods within a protected TLS tunnel • PEAP sub-types - PEAPv0/EAP-MSCHAPv2 - PEAPv1/EAP-GTC
15CmpE 209 Team Golmaal
PEAP authentication process
16CmpE 209 Team Golmaal
EAP MD5• One of the most simple EAP types that can be used. Uses MD5
hashing.
• EAP-MD5 offers no key management or dynamic key generation, requiring the use of static WEP keys
• Okay for wired LANs, offers minimal security in wireless
• Vulnerable to dictionary attacks, and does not support mutual authentication or key generation
• Unsuitable with dynamic WEP, or WPA/WPA2 enterprise
17CmpE 209 Team Golmaal
Other EAP Subtypes• EAP-PSK: pure symmetric-key EAP• EAP-IKEv2: EAP authentication method based on the Internet Key
Exchange Protocol version 2 (IKEv2) • EAP-FAST: Flexible Authentication via Secure Tunneling (it is a proposal by
Cisco Systems to fix the weaknesses of LEAP) • EAP-SIM: Used for authentication and session key distribution using the
Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM)
• EAP-AKA: It is for UMTS Authentication and Key Agreement is used for authentication and session key distribution using the Universal Mobile Telecommunications System (UMTS)
18CmpE 209 Team Golmaal
EAP-MD5 LEAP EAP-TLS EAP-TTLS PEAP
ServerAuthentication
None Password Hash Public Key (Certificat
e)
Public Key (Certificat
e)
Public Key (Certificat
e)
SupplicantAuthentication
Password Hash Password Hash Public Key(Certificate or
Smart Card)
CHAP, PAP, MS-CHAP(v2),
EAP
Any EAP, like EAP-MS-
CHAPv2 or Public Key
Dynamic Key Delivery
No Yes Yes Yes Yes
Security Risks Identity exposed, Dictionary
attack, Man-in-
the-Middle (MitM) attack, Session
hijacking
Identity exposed, Dictionary
attack
Identity exposed
MitM attack MitM attack; Identity
hidden in Phase 2
but potential exposure in Phase 1
Comparison Chart
19CmpE 209 Team Golmaal
References• http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
• http://www.wifiplanet.com/tutorials/article.php/3075481
• http://wireless.utk.edu/documentation/papers/802.1x-chris.pdf
• http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a008009c8b3.shtml
• http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci843996,00.html
• http://asleap.sourceforge.net
20CmpE 209 Team Golmaal