Sunday, March 20, 2016

Different EAP types

* Cisco's Lightweight EAP (LEAP), which is purely password-based. Its challenge/response exchange can be captured over the air and cracked offline with a dictionary attack, so it is no longer recommended.

* Other vendors, including Microsoft, use EAP with Transport Layer Security (EAP-TLS), which carries out authentication through digital certificates on both sides.

If EAP-TLS is being used, the authentication server and the wireless client exchange and validate each other's digital certificates. This is mutual authentication, so every client needs its own certificate, which in practice means a PKI to issue and revoke them.

When EAP-TLS is being used, the steps the server takes to authenticate to the wireless client are basically the same as when an SSL/TLS connection is set up between a web server and a web browser. Once the wireless client has received and validated the server's certificate (trusted issuer, validity period, expected name), it proves its own identity with its certificate and, with the RSA key exchange, generates a pre-master secret, encrypts it with the server's public key, and sends it to the authentication server (with a Diffie-Hellman key exchange the two sides derive the shared secret instead of sending it). Both sides now compute the same master secret, from which they derive the individual symmetric session keys. Those session keys encrypt and decrypt the rest of the exchange, and it is their use that sets up the secure channel between the two devices. In a WLAN the keying material exported from this handshake (the MSK) is handed by the RADIUS server to the access point and becomes the PMK that seeds the WPA2 four-way handshake.

* Protected EAP (PEAP), where only the server uses a digital certificate.


If PEAP is being used instead, the server authenticates to the wireless client with its digital certificate and a TLS tunnel is established; the user's password-based credential (most commonly EAP-MSCHAPv2) is then exchanged inside that tunnel rather than in the clear.

* EAP-Tunneled TLS (EAP-TTLS) is an EAP method that extends TLS. It provides server authentication as strong as EAP-TLS but does not require a client certificate; it does require a server certificate.

User authentication is performed by password (or another legacy inner method such as PAP, CHAP or MS-CHAPv2), but the credentials are transported inside an encrypted TLS tunnel established on the basis of the server's certificate. With both PEAP and EAP-TTLS the security of the password therefore rests on the client actually validating that certificate (trusted CA and expected server name); a client configured to skip validation will hand its credentials to any rogue access point that presents a certificate.
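The key derivation described in the EAP-TLS paragraph above, and the equivalent export from the TLS tunnel in PEAP and EAP-TTLS, as an added example (standard-library Python, not code from the original post): it implements the TLS 1.2 PRF from RFC 5246 and the EAP-TLS MSK/EMSK export from RFC 5216, and shows which 32 bytes become the WPA2 PMK. PEAPv0 reuses the EAP-TLS derivation; EAP-TTLSv0 (RFC 5281) changes only the label. The hello randoms and the pre-master secret are constructed inputs, not captured traffic, and the function names are the example's own. TLS 1.3 (RFC 9190) exports keys through the TLS exporter interface instead, which this example does not cover.

```python
"""TLS 1.2 PRF and EAP master-key export (RFC 5246 s5, RFC 5216 s2.3, RFC 5281 s8).

Added illustration for the EAP-TLS / PEAP / EAP-TTLS description above; not code
from the original post. Standard library only; inputs below are constructed.
"""
import hashlib
import hmac

EAP_TLS_LABEL = b"client EAP encryption"   # RFC 5216 s2.3 (PEAPv0 reuses it)
EAP_TTLS_LABEL = b"ttls keying material"   # RFC 5281 s8


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function from RFC 5246 s5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed), truncated to `length` bytes."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 s8.1: the 48-byte master secret (the 'master key' in the text above).

    With RSA key exchange the client picks pre_master and encrypts it to the
    public key in the server's certificate; with (EC)DHE it is the shared DH
    secret. Either way both sides hold the same three inputs and agree on it.
    """
    return tls_prf(pre_master, b"master secret", client_random + server_random, 48)


def eap_keys(ms: bytes, client_random: bytes, server_random: bytes,
             label: bytes = EAP_TLS_LABEL) -> dict:
    """Export EAP keying material once the TLS handshake has finished.

    RFC 5216 s2.3:
      Key_Material = TLS-PRF-128(master_secret, label, client.random || server.random)
      MSK  = Key_Material[0:64]      EMSK = Key_Material[64:128]
    The RADIUS server delivers MSK[0:32] as MS-MPPE-Recv-Key and MSK[32:64] as
    MS-MPPE-Send-Key to the access point; MSK[0:32] is the WPA2 PMK that seeds
    the 802.11i four-way handshake.
    """
    key_material = tls_prf(ms, label, client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:]
    return {
        "msk": msk,
        "emsk": emsk,
        "mppe_recv_key": msk[:32],
        "mppe_send_key": msk[32:],
        "pmk": msk[:32],
    }


def derive_pmk(pre_master: bytes, client_random: bytes, server_random: bytes,
               label: bytes = EAP_TLS_LABEL) -> bytes:
    """Whole chain: pre-master secret -> master secret -> MSK -> PMK."""
    ms = master_secret(pre_master, client_random, server_random)
    return eap_keys(ms, client_random, server_random, label)["pmk"]


if __name__ == "__main__":
    # Constructed inputs (not captured traffic): 32-byte hello randoms and a
    # 48-byte RSA-style pre-master secret (version bytes 03 03 + 46 random bytes).
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    pre_master = b"\x03\x03" + bytes(range(64, 110))

    # Client and server each run the same derivation over the same inputs.
    pmk_client = derive_pmk(pre_master, client_random, server_random)
    pmk_server = derive_pmk(pre_master, client_random, server_random)
    print("both sides agree on PMK:", pmk_client == pmk_server)
    print("EAP-TLS PMK :", pmk_client.hex())

    # Same handshake values under the EAP-TTLS label give unrelated keys.
    print("EAP-TTLS PMK:", derive_pmk(pre_master, client_random, server_random,
                                       EAP_TTLS_LABEL).hex())

    # A fresh server random (a new handshake) changes everything downstream,
    # so a replayed pre-master secret never yields the old PMK.
    print("new server random gives a new PMK:",
          derive_pmk(pre_master, client_random, bytes(32)) != pmk_client)
```

Run it directly to print the PMK for the constructed handshake; in a real capture you would only ever see the encrypted pre-master secret or the DH public values, which is precisely why the PMK stays out of an attacker's reach as long as the client validated the server certificate it encrypted to.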