17.14. EAP PWD Previous topic Parent topic Child topic Next topic

EAP PWD provides strong encryption and mutual authentication between supplicant and server based on a shared password. It is described in RFC 5931. Based on the peruser password, the server and supplicant derive strong cryptographic keys and authenticate each others knowledge of the password. The derived keys can be used for dynamic WEP and WPA keys.
EAP PWD is highly secure (the password is never transmitted, even in encrypted form), and does not require PKI certificates, and also requires only 3 authentication roundtrips. Further, it is not encumbered by intellectual property issues. So it is considered efficient to roll out in e.g. eduroam and other environments.
Authentication of EAP PWD by Radiator depends in having access to the user’s plaintext password:
username    User-Passsword=fred
EAP PWD can be used with any Radiator user database that supports a plaintext User- Password. Requires OpenSSL 0.9.8i libraries or later, Crypt::OpenSSL::EC and Crypt::OpenSSL::Bignum 0.06 or later.
Crypt::OpenSSL::EC and Crypt::OpenSSL::Bignum may not be readily available for Windows. We recommend Linux or Unix hosts for deployment or EAP PWD.