Overview

EAP, is an authentication framework frequently used in wireless networks and Point-to-Point connections. Although EAP is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs. The WPA and WPA2 standard has adopted five EAP types as its official authentication mechanisms.

EAP is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods, called EAP methods. There are currently about 40 different methods defined. Methods defined in IETF RFCs include EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, and EAP-AKA, and in addition a number of vendor specific methods and new proposals exist. Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, PEAP,LEAP and EAP-TTLS.

When EAP is invoked by an 802.1X enabled Network Access Server (NAS) device such as an 802.11 Wireless Access Point, modern EAP methods can provide a secure authentication mechanism and negotiate a secure Pair-wise Master Key (PMK) between the client and NAS. The PMK can then be used for the wireless encryption session which uses TKIP or CCMP(based on AES) encryption.

EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages. In the case of 802.1X, this encapsulation is called EAPOL, "EAP over LANs".

  Architecture of Backend EAP stack

WiEAP Architecture is a high level presentation of the EAP STACK. Each block in diagram represents the software block in functionality of EAP STACK. When EAP request comes from peer (supplicant or authenticator) to RADIUS to grant its credentials in EAP message, RADIUS forwards EAP messages to the backend EAP STACK. EAP packet processing module parses the EAP RADIUS attributes and EAP header which is common across all the EAP methods and then depending on EAP method types it invokes appropriate EAP METHOD modules to do rest of the handling of packet. It also performs some high level validations of RADIUS EAP attributes and some sanity checking of packet. EAP Parser parses EAP header of incoming EAP packet. EAP parser makes sure that RADIUS side of EAP stack is always response type. This block also allocates memory for incoming packets and then delivers the packets to appropriate method. This is very tiny block which does only high level validation of common EAP attributes. Rest of the method specific validation is done in method specific blocks. The EAP builder builds common packets for all EAP methods i.e. EAP Success and EAP Failure, NAK, Identity etc. EAP config holds common configuration for all EAP methods. All common configurations are stored in xml formatted file. Eap Session Manager manages the EAP sessions. RADIUS provides unique Id to each object of Eap Session. An Eap stack uses same session ID internally to refer to particular session. Each Input or output to or from Eap Stack is associated with unique session ID. Eap Stacks tracks the session Id internally and depending on current status it creates or deletes the session. Session objects stores important information like username, packet ID, Session state which need to be referred many times during lifetime of session also stores and updates the time of session from its creation till it ends.

Highlights of Architecture

• Stack written in C++ with API functions and callbacks.

• Full AAA support.

• Runs on UNIX, Windows, capable to run on embedded environment and easily portable on any platform.

• Multi layered and structured modular design architectures.

• Configurable role and configurable debug.

• XML based configuration.

• Radius can use as DLL, shared library or main application.

• Extensive error handling to the application.

• Supported by libraries like Tiny XML, WiSSL and Open SSL.

• State machines and unique session management based implementation.

• Fully documented with API support.

• Eap methods are provided as library to stack as DLL or shared libraries to the main application.

• Successfully used in Wifi and Wimax environment.

• Featured as backend tool for RADIUS stack and also in different roles for SUPPLICANT (peer), AUTHENTICATOR (standalone or pass through).

• Test cases and Test Programs are ready to use.

• Using Satyav Network’s WiSSL as SSL library

• Operating system specific Libraries, i.e transmit, receive. timer, thread, packet management etc. are used.

Features

Authentication Support

• Integrated with EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MSCHAPv1/v2.

• Second phase method support for PEAP is EAP-MD5 and EAP-MSCHAPv1/v2.

• Second phase method support for TTLS is CHAP, PAP, EAP-MD5, EAP-MSCHAPv1/v2

• Certificate configuration management.

• MS-CHAP-V2 (Microsoft version of the Challenge handshake authentication protocol).

• TLS (transport layer security) and TTLS v0 & v1.

• PEAP v0/v1/v2 (protected extensible authentication protocol).

• Supported by easily available libraries such as Tiny XML, Open SSL.

• 802.1x based state machine implementation support.

EAP-TLS and EAP-TTLS
Cipher Support Independence

• TLS-RSA-WITH-AES-256-CBC-SHA

• TLS-RSA-WITH-AES-128-CBC-SHA

• TLS-RSA-WITH-ARCFOUR-128-MD5

• TLS-RSA-WITH-ARCFOUR-128-SHA

• TLS-RSA-WITH-3DES-EDE-CBC-SHA

• TLS-RSA-WITH-DES-CBC-SHA

• TLS-DHE-RSA-WITH-AES-256-CBC-SHA

• TLS-DHE-RSA-WITH-AES-128-CBC-SHA

• TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

• TLS-DHE-RSA-WITH-DES-CBC-SHA

• TLS-DH-ANON-WITH-AES-256-CBC-SHA

• TLS-DH-ANON-WITH-AES-128-CBC-SHA

• SSL-DH-ANON-WITH-ARCFOUR-128-MD5

• SSL-DH-ANON-WITH-3DES-EDE-CBC-SHA

• SSL-DH-ANON-WITH-DES-CBC-SHA

• TLS-PSK-WITH-AES-256-CBC-SHA

• TLS-PSK-WITH-AES-128-CBC-SHA

• TLS-PSK-WITH-ARCFOUR-128-SHA

• TLS-PSK-WITH-3DES-EDE-CBC-SHA

• TLS-RSA-PSK-WITH-AES-256-CBC-SHA

• TLS-RSA-PSK-WITH-AES-128-CBC-SHA

• TLS-RSA-PSK-WITH-ARCFOUR-128-SHA

• TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA

• TLS-DHE-PSK-WITH-AES-256-CBC-SHA

• TLS-DHE-PSK-WITH-AES-128-CBC-SHA

• SSL-DHE-PSK-WITH-ARCFOUR-CBC-SHA

• SSL-DHE-PSK-WITH-3DES-EDE-CBC-SHA

• TLS-RSA-WITH-NULL-SHA

• TLS-RSA-WITH-NULL-MD5

Additional Cryptography Support

• MD5

• SHA1

Platform Independence

EAP runs on UNIX, Windows and capable of running on embedded environment and easily portable on any platform. It supports different flavors of Linux in *.so format. It supports Windows platforms in DLL format.
 

“**Not applicable for this product"

Technical specifications of EAP

• IETF based RFC Standards

  • RFC-1321, EAP MD5.

  • RFC-1334, PPP Authentication Protocols (PAP).

  • RFC-1994, PPP Challenge Handshake Authentication Protocol (CHAP).

  • RFC-2869, Extensible Authenticating Protocol (EAP).

  • RFC-2284, PPP Extensible Authentication Protocol (EAP).

  • RFC-2716, PPP EAP TLS Authentication Protocol.

  • RFC-2759, Microsoft PPP CHAP Extensions, Version 2.

  • RFC-3268, AES Cipher suites for Transport Layer Security.

  • RFC-3546, Transport Layer Security Extensions (partially supported).

  • RFC-3579, RADIUS Support for Extensible Authentication Protocol (EAP).

  • RFC-3580, IEEE 802.1x Remote Authentication Dial In User Service (RADIUS)
    Usage Guidelines.

  • RFC-3748, Extensible Authentication Protocol (EAP).

  • RFC-4137, State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator.

  • EAP PEAP (Internet Draft 5)

  • EAP TTLS ( Internet Draft 1).

  • EAP MSCHAP (Internet Draft 1).
     

• EAP Methods

  • Eap Md5.

  • Eap Peap

  • Eap Mschap

  • Eap Tls

  • Eap Ttls.

  • Eap Leap

  • Eap Sim

  •  Eap Aka
     

• Platforms

  • Standard Intel platforms.

  • Standard AMD platform.

  • Luminary Micro kit LM3S9B92.
     

• Radius Servers

  • Eap uses Satyav Networks ProRadius and RadiusLite.

  • Eap supports FreeRadius and other Open Source Radius.
     

• Operating System

  • Eap supports Windows (Xp and above), Linux and all its flavours, and MacOS.

  • Eap support is under development RTOS like SMX, iPhone and Android.
     

• Graphical User Interface

  • Eap supports GUI for windows operating system.

  • Eap GUI is developed in C#.Net code.
     

• Network Features

  • Eap supports many different types of networks.

  • Eap supports all types of WiFi networks.
     

• Dedicated Hardware

  • Luminary Micro kit LM3S9B92 with Arm Cortex-M3 processor.
     

• SSL/ TLS Libraries

  • Eap currently uses WiSsl library of Satyav networks.

  • Eap supports OpenSsl Library.
     

• Documentation

  • Eap datasheet.

  • Eap Test Cases.

  • Release Notes

  • User Guide

  • Design Document.
     

• Memory Usage

  • Eap source code shows 10-15kb memory footprint.
     

• Code Portability

  • Written in C and C++

  • Any operating system supported

  • Any hardware environment supported

  • Any dedicated device supported.