17. Extensible Authentication Protocol (EAP) Previous topic Parent topic Child topic Next topic

Extensible Authentication Protocol (EAP) is a standard for defining and extending authentication protocols. EAP is defined by RFC 3748, and RFC 2869 defines how EAP authentication messages are carried in RADIUS packets. Radiator complies with these standards, and can be extended to handle any EAP-compliant protocol. Because EAP is designed to be easily extensible, a number of EAP protocols have been defined for various special requirements This includes mutual authentication between client and RADIUS server, and encryption of the authentication conversation. EAP over RADIUS is commonly used as the authentication protocol for 802.1X wired and wireless networks. For more information, see IETF website Opens in new window
Conventional RADIUS requests send the User-Name in one RADIUS attribute and the User-Password in another attribute. All EAP-over-RADIUS requests send their authentication information in the EAP-Message attribute. Usually the client sends some EAP protocol information in the EAP-Message attribute in a RADIUS Access-Request message, and the RADIUS server asks for some more information from the client by sending back another EAP-Message in a RADIUS Access-Challenge. When the server has enough information from the client, the RADIUS server replies with an Access-Accept or an Access-Reject message. Some EAP protocols, such as TLS, TTLS and PEAP, often require a number of messages (10 or more) to be exchanged between client and RADIUS server during authentication. Such a group of EAP-over-RADIUS messages while authenticating a user is called a conversation.
Note that many EAP protocols hide or encrypt the identity of the real user name of the user being authenticated, and send a generic name (typically anonymous) as the visible User-Name in the RADIUS requests.
Radiator supports several EAP protocols. This section describes their characteristics and how Radiator can be configured to support them. In order to configure Radiator to support EAP, the relevant AuthBy clauses must have the EAPType parameter set to the names of the EAP types that you need to support. In addition, a number of other special configuration parameters may have to be set in order to support those EAP types. An AuthBy clause can be configured to accept more than one EAP type. When that is the case, the first one in the list will be the default EAP method offered to the client. The client can accept the offered method or request another EAP method. If the requested method is one of the methods named in the EAPType parameter, then EAP authentication continues with that method.
There are many example configuration files covering various EAP authentication requirements in the goodies/ directory of the Radiator distribution. See goodies/README for details.