
EAP (Extensible Authentication Protocol)



Today I will talk about EAP (Extensible Authentication Protocol)


It was initially designed as a common framework: regardless of what credential the supplicant uses, whether usernames and passwords, smart cards, biometrics, or anything else, EAP gives the supplicant a way to encapsulate and secure the transmission of that information to the authenticator.


In the same way, the authenticator can encapsulate and encrypt the information it forwards to the authentication server. That was its purpose: it does not care which credential type you use, it was designed to secure the exchange.


EAP is a layer 2 protocol: it typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP, so the client's IP address does not have to be known before it authenticates.


Some versions of EAP are proprietary. For example, Cisco used LEAP (Lightweight Extensible Authentication Protocol) for a time, which meant you could only use it with Cisco products.


Since we are communicating at layer 2, we generally call this EAP over LAN, which you might see written as EAPOL. Let's talk about the basic flow of EAPOL and its messages. Basically, everything we exchange is a packet: an EAP message encapsulated inside a layer 2 frame.


EAPOL Messages


👉 EAPOL Packet

👉 EAPOL Start

👉 EAPOL Logoff

👉 EAPOL Key

👉 EAPOL Encapsulated ASF Alert


EAPOL Start


Usually, when we first begin, the supplicant is the one to initiate the conversation, so we are going to have an EAPOL Start message.


It is an optional frame, but it exists because the access point very rarely reaches out to clients to invite them; authenticators are usually contacted by clients.


EAPOL Logoff


At some point we may say that we are logging off, which is a way to shut down the virtual port and end the EAP session. A disadvantage is that an attacker could spoof this frame to knock a client off the port, which amounts to a denial of service attack.


EAPOL Key


EAPOL Key is a frame used to create or exchange dynamic keys. Understanding the basics of that process is important. To make it work, we usually describe it as a four-way handshake, which I will discuss later.


EAPOL Encapsulated ASF Alert


Basically, this frame allows you to send alerts. An alert can be something like an SNMP trap, or a message to a network management server about a virtual port or about someone being associated with us via EAP, or anything else related to accounting or logging.
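As an added example (not from the original post), here is a small decoder for the EAPOL message types listed above, plus a crude detector for the spoofed EAPOL Logoff denial of service mentioned under EAPOL Logoff. It assumes the standard IEEE 802.1X header layout (version, packet type, body length) after the 0x888E Ethertype; the MAC addresses and frames are constructed sample data, not a real capture.

```python
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group destination address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying EAPOL; for EAP-Packet also decode the EAP header."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])   # EAPOL header
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body length exceeds frame")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "body_len": body_len}
    if ptype == 0 and body_len >= 4:                                 # EAP-Packet carries an EAP message
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap"] = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "len": eap_len}
        if code in (1, 2) and eap_len >= 5:
            info["eap"]["method"] = body[4]                           # EAP type byte, e.g. 1 = Identity
    return info

def logoff_flooders(frames, threshold: int = 5) -> set:
    """Source MACs that sent more than `threshold` EAPOL-Logoff frames (crude spoofed-logoff detector)."""
    counts = Counter(p["src"] for p in map(parse_eapol, frames) if p["type"] == "EAPOL-Logoff")
    return {mac for mac, n in counts.items() if n > threshold}

def build_eapol(src: bytes, ptype: int, body: bytes = b"", version: int = 2) -> bytes:
    """Construct a test frame (sample data for this example, not a capture)."""
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body)) + body

SUPPLICANT = bytes.fromhex("020000000001")                          # constructed MAC
ROGUE = bytes.fromhex("0200000000ff")                               # constructed MAC
EAP_IDENTITY_RESP = struct.pack("!BBH", 2, 1, 10) + b"\x01" + b"alice"   # EAP Response/Identity "alice"
SAMPLE_FRAMES = [build_eapol(SUPPLICANT, 1), build_eapol(SUPPLICANT, 0, EAP_IDENTITY_RESP)] \
    + [build_eapol(ROGUE, 2)] * 8                                   # burst of logoffs from one MAC

if __name__ == "__main__":
    print(parse_eapol(SAMPLE_FRAMES[1]), logoff_flooders(SAMPLE_FRAMES))
```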



