10.3. EAP-XXX

The EAP framework is simply a facilitator: it provides a forum in which the peer and the EAP server negotiate the authentication method and then carry out the authentication exchange itself through a dumb proxy authenticator (NAS) that relays the messages without interpreting them.

EAP itself does not perform the actual authentication; rather, EAP is augmented with an authentication method that has its own requirements and procedures. EAP request and response messages carry the information required by this authentication method between the peer and the server until the EAP server indicates the success or failure of the authentication process to the NAS. In this section we explain the mechanics of carrying the messages for a generic authentication method.

Let us say that during the initial EAP request and response exchange, the peer and the EAP server agree to choose the authentication method XXX, which may or may not be a mutual authentication process. When EAP is deployed to help the peer and the authentication server perform authentication mechanism XXX, it is customary to say that an EAP-XXX authentication has been performed, where XXX is the actual authentication method whose exchanges are carried over EAP messages. Examples of EAP-XXX are EAP-TLS, EAP-TTLS and EAP-SIM. Cisco has also provided LEAP (lightweight EAP) and PEAP (protected EAP). We will come back to these processes later on; for now let us see how generic EAP-XXX messages are treated in the EAP framework.
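As an added illustration (not from the book), the following encodes and decodes the EAP packet header that carries any EAP-XXX method, and shows why the NAS can stay a dumb relay: it acts only on the Code field (Request, Response, Success, Failure) while the method-specific Type-Data passes through untouched. The Code and Type numbers are the IANA-registered values from RFC 3748 and the method registry; the exchange in `run_exchange` is a constructed walk-through, not a real method's data.

```python
import struct

# EAP Code values (RFC 3748) and the registered Type numbers of the methods
# named in the text. These numbers are IANA assignments, not from this page.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS, EAP_TYPE_LEAP = 1, 13, 17
EAP_TYPE_SIM, EAP_TYPE_TTLS, EAP_TYPE_PEAP = 18, 21, 25

def eap_encode(code, identifier, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def eap_decode(pkt):
    """Parse an EAP packet; Success and Failure carry no Type field."""
    if len(pkt) < 4:
        raise ValueError("EAP header too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if length < 5:
        raise ValueError("Request/Response must carry a Type")
    return {"code": code, "id": identifier, "type": pkt[4], "data": pkt[5:]}

def nas_relay(pkt):
    """Pass-through authenticator: it reads Code (and Identifier) only; the
    method's Type-Data is opaque to it. Returns the action the NAS takes."""
    hdr = eap_decode(pkt)
    if hdr["code"] == EAP_SUCCESS:
        return "open port"
    if hdr["code"] == EAP_FAILURE:
        return "reject"
    return "forward"

def run_exchange(method_type, rounds):
    """Constructed walk-through: the server issues Requests of the agreed
    method, the peer answers with Responses carrying the same Identifier,
    and the NAS relays until the server's Success (or Failure) arrives."""
    actions, ident = [], 0
    for _ in range(rounds):
        req = eap_encode(EAP_REQUEST, ident, method_type, b"challenge")
        actions.append(nas_relay(req))   # server -> NAS -> peer
        resp = eap_encode(EAP_RESPONSE, ident, method_type, b"answer")
        actions.append(nas_relay(resp))  # peer -> NAS -> server
        ident = (ident + 1) % 256        # Identifier is a single octet
    actions.append(nas_relay(eap_encode(EAP_SUCCESS, ident)))
    return actions
```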

Figure 10.4 ...
