Extensible Authentication Protocol Overview
The Extensible Authentication Protocol (EAP) is an Internet Engineering Task Force (IETF) standard described in Request for Comments 3748 that provides an infrastructure for network access clients and authentication servers to host plug-in modules for current and future authentication methods and technologies.
Microsoft® Windows® uses EAP to authenticate network access for Point-to-Point Protocol (PPP) connections (dial-up and virtual private network) and for IEEE 802.1X-based network access to authenticating Ethernet switches and wireless access points (APs).
EAP was originally created as an extension to PPP to allow for the development of arbitrary network access authentication methods. With PPP authentication protocols such as Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and MS-CHAP version 2 (MS-CHAP v2), a specific authentication mechanism is chosen during the link establishment phase. During the authentication phase, the negotiated authentication protocol allows the exchange of information about the credentials of the connecting client. The authentication protocol is a fixed series of messages sent in a specific order.
With EAP, the specific authentication mechanism is not chosen during the link establishment phase of the PPP connection; instead, the PPP peers negotiate to perform EAP during the connection authentication phase. When the connection authentication phase is reached, the peers negotiate the use of a specific EAP authentication scheme known as an EAP method.
After the EAP method is agreed upon, EAP allows for an open-ended exchange of messages between the access client and the authenticating server that can vary based on the parameters of the connection. The conversation consists of requests and responses for authentication information. The EAP method determines the length and details of the authentication conversation.
Architecturally, an EAP infrastructure consists of the following:
EAP peer Computer that is attempting to access a network, also known as an access client.
EAP authenticator An access point or network access server (NAS) that is requiring EAP authentication prior to granting access to a network.
Authentication server A server computer that negotiates the use of a specific EAP method with an EAP peer, validates the EAP peer's credentials, and authorizes access to the network. Typically, the authentication server is a Remote Authentication Dial-In User Service (RADIUS) server.
EAP is extensible through EAP methods that plug-in at both the EAP peer and authenticating server ends of a connection. To add support for a new EAP method, you install an EAP method library file on both the EAP peer and the authenticating server. This capability to extend EAP provides vendors with the opportunity to create new authentication schemes. EAP provides the highest flexibility to allow for more secure authentication methods.
The EAP peer and the EAP authenticator send EAP messages using a supplicant-a software component that uses EAP to authenticate network access-and a data link layer transport protocol such as PPP or IEEE 802.1X. The EAP authenticator and the authentication server send EAP messages using RADIUS. The end result is that EAP messages are exchanged between the EAP components on the EAP peer and the authentication server. The following figure shows EAP infrastructure and information flow.
Because the logical communication of EAP messages is between the EAP components on the EAP peer and the authentication server, the EAP authenticator does not need to support any specific EAP methods.
You can use EAP to support authentication schemes such as Generic Token Card, One Time Password (OTP), Message Digest 5 (MD5)-Challenge, Transport Layer Security (TLS) for smart card and digital certificate-based authentication, and future authentication technologies. EAP is a critical technology component for establishing secure connections.
In addition to support within PPP, EAP is supported within the IEEE 802 link layer. The IEEE 802.1X standard defines how EAP is used for authentication by IEEE 802 devices, including IEEE 802.11 wireless APs and authenticating Ethernet switches. IEEE 802.1X differs from PPP in that only EAP authentication methods are supported.
EAP Support in Different Versions of Windows
EAP support in Microsoft Windows began with Windows 2000, which supported the following EAP methods:
EAP-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP)
EAP-Transport Layer Security (EAP-TLS)
Security Dynamics’ ACE/Agent for Windows 2000 (in the \Valueadd folder of the Windows 2000 Server product CD)
Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, and Windows 2000 Service Pack 4 also support the following EAP methods:
Protected EAP (PEAP)
You can develop additional EAP methods for computers running Windows XP, Windows Server 2003, or Windows 2000 with the Extensible Authentication Protocol API.
Although EAP provides authentication flexibility through the use of EAP methods, the entire EAP conversation might be sent as clear text (unencrypted). A malicious user with access to the media can inject packets into the conversation or capture the EAP messages from a successful authentication for offline analysis. This security issue is especially problematic for wireless connections, in which the malicious user can be located outside of your business or premises. EAP occurs during the IEEE 802.1X authentication process, before wireless frames are encrypted with Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), or Wired Equivalent Privacy (WEP).
PEAP is an EAP method that addresses this security issue by first creating a secure channel that is both encrypted and integrity-protected with TLS. Then, a new EAP negotiation with another EAP method occurs within the secure channel, authenticating the network access attempt of the access client. Because the TLS channel protects EAP negotiation and authentication for the network access attempt, password-based authentication protocols such as MS-CHAP v2 that are normally susceptible to an offline dictionary attack can be used for wireless LAN authentication.
For computers running Windows, the EAP peer (access client) is a computer attempting a connection and the authentication server is a computer running Windows Server 2003 or Windows 2000 Server and either the Routing and Remote Access service (for remote access and site-to-site connections when the Routing and Remote Access service is configured for local authentication) or the Internet Authentication Service (IAS) (for all types of connections).
To configure a specific type of connection on an access client computer for EAP authentication, select an EAP method, and configure the properties of an EAP method, do one of the following:
For dial-up and VPN-based remote access connections, right-click the remote access connection in the Network Connections or Network and Dial-up Connections folder, click Properties, click the Security tab, click Advanced (custom settings), and then click Settings.
For dial-up and VPN-based site-to-site connections, right-click the demand-dial connection in the Network Interfaces node in the Routing and Remote Access snap-in, click the Security tab, click Advanced (custom settings), and then click Settings.
For wireless connections on computers running Windows XP with no service packs installed, right-click the wireless connection in the Network Connections folder and then click the Authentication tab.
For wireless connections on computers running Windows XP with Service Pack 1, Windows XP with Service Pack 2, or Windows Server 2003, right-click the wireless connection in the Network Connections folder, click the Wireless Networks tab, click the name of the preferred wireless network, click Properties, and then click the Authentication tab.
For wired connections on computers running Windows XP, Windows Server 2003, and Windows 2000 with Service Pack 4, right-click the wired connection in the Network Connections folder and then click the Authentication tab.
To configure IAS to use a specific EAP method and configure the properties of an EAP method, do the following:
- In the tree of the Internet Authentication Service snap-in, click Remote Access Policies. In the details pane, right-click the appropriate remote access policy, click Properties, click Edit Profile, click the Authentication tab, and then click EAP Methods.
To configure Routing and Remote Access to use a specific EAP method for a remote access or site-to-site connection and configure the properties of an EAP method, do the following:
In the console tree of the Routing and Remote Access snap-in, right-click the server name, click Properties, click the Security tab, click Authentication Methods, and then select the Extensible authentication protocol (EAP) checkbox.
In the console tree of the Routing and Remote Access snap-in, click Remote Access Policies. In the details pane, right-click the appropriate remote access policy, click Properties, click Edit Profile, click the Authentication tab, and then click EAP Methods.
EAP Methods for Different Types of Network Access
The following table lists the different types of access and the available EAP methods you can use.
Type of Network Access
Available EAP Methods
Dial-up remote access or site-to-site connections
EAP-MD5 CHAP, EAP-TLS
Virtual private network remote access or site-to-site connections
EAP-MD5 CHAP, EAP-TLS
802.1X authentication to an authenticating switch (wired)
EAP-MD5 CHAP, PEAP-MS-CHAP v2, EAP-TLS, PEAP-TLS
802.1X authentication to a wireless AP
PEAP-MS-CHAP v2, EAP-TLS, PEAP-TLS
For more information about different EAP methods, see the IEEE 802.11 Wireless LAN Security with Microsoft Windows XP white paper.
Resources for Using EAP in Network Access Scenarios
The following links are for white papers and articles that describe how to use and configure EAP for different types of network access: