Extensible Authentication Protocol, or EAP, is a universal authentication
framework frequently used in wireless networks and Point-to-Point connections.
It is defined by RFC 3748. Although the EAP protocol is not limited to wireless
LANs and can be used for wired LAN authentication, it is most often used in
wireless LANs. Recently, the WPA and WPA2 standard has officially adopted five
EAP types as its official authentication mechanisms.
EAP is an authentication framework, not a specific authentication mechanism.
The EAP provides some common functions and a negotiation of the desired
authentication mechanism. Such mechanisms are called EAP methods and there are
currently about 40 different methods. Methods defined in IETF RFCs include
EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, and EAP-AKA, and in
addition a number of vendor specific methods and new proposals exist. Commonly
used modern methods capable of operating in wireless networks include EAP-TLS,
EAP-SIM, EAP-AKA, PEAP, LEAP and EAP-TTLS. Requirements for EAP methods used in
wireless LAN authentication are described in RFC 4017.
When EAP is invoked by an 802.1X enabled NAS (Network Access Server) device
such as an 802.11 a/b/g Wireless Access Point, modern EAP methods can provide
a secure authentication mechanism and negotiate a secure PMK
(Pair-wise Master Key) between the client and NAS. The PMK can then be used for
the wireless encryption session which uses TKIP or AES encryption.
EAP is not a wire protocol, instead it only defines message formats. Each
protocol that uses EAP defines a way to encapsulate EAP messages within that
protocol's messages. In the case of 802.1X, this encapsulation is called EAPOL, "
EAP over LANs".
EAP Extensible Authentication Protocol RFC 3748
EAP State Machine RFC 4137
RADIUS (Remote Authentication Dial In User Service)
RFC 2865 RADIUS Standards Document
Diameter the proposed successor to RADIUS