To improve the security of Authentication phase in wireless client connections 802.1X & EAP (Extensible Authentication Protocol) has been introduced into wireless standards. There are 3 key roles in this process. Client, Authentication server & Authenticator (WLC in Unified deployment or AAP in Autonomous deployment)
Usually 802.1x communication happens between Client & Authenticator where as Authenticator to Authentication server it would be RADIUS protocol. EAP defines headers for the typical packets used in an authentication exchange between Client & Authentication Server.
As shown in the above, there are 4 different type of EAP packets exchange between client & server.
1. EAP Request : Used by Authenticator to ask supplicant’s identity
2. EAP Response: Used by Supplicant to send requested information
3. EAP Success : Used by Authenticator to indicate authentication succeeded.
4. EAP Failure : Used by Authenticator to indicate authentication failed.
There are 3 common EAP types available & depend on Clients & Authentication server’s capability it will choose a EAP type to associate with a wireless network.
1. EAP-FAST (EAP- Flexible Authentication via Secure Tunnel)
2. PEAT (Protected Extensible Authentication Protocol)
3. EAP-TLS (EAP- Transport Layer Security)
With all EAP methods, Open System authentication first takes place with an Authentication Request, Authentication Response, Association Request & Association Response. Once Open System Authentication phase completes, EAP starts.
During authentication, the client & RADIUS server derive a PMK (Pairwise Master Key) for data encryption. This key is unique to each session of a given client. For broadcast & multicast traffic it will use a GTK (Group Transient Key) which is common to all clients.
Out of the 3 EAP methods, EAP-TLS would be the most secured method. Both Client & Authentication Server use certifcates through a PKI (Public Key Infrastructure). Though it is most secure, client certificate management would be a burden. Below show the EAP-TLS packet flow.
In PEAP, supplicant does not have a certificate which reduce the administrative burden of implementing EAP-TLS. PEAP exist in two flavors
1. PEAPv0 -MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2)
2. PEAPv1 -GTc (Generic Token Card)
Out of the 3 method EAP-FAST is Cisco’s version of implementation. It uses PAC (Protected Access Credential) file instead of certificate. The PAC contain server Authority ID (A-ID), a client encryption/decryption key & a PAC opaque section with encrypted client key. Only EAP-FAST server generate PAC can decrypt PAC Opaque section. There are 3 phases (called 0,1 & 2) of EAP-FAST show in the below (Phase 0 in the first diagram & Phase 1-2 in second diagram).