3 Extensible Authentication Protocol (EAP)
8 Extensible Authentication Protocol(EAP), rfc2284, is a general protocol
9 that allows network access points to support multiple authentication
10 methods. Each EAP-Type indicates a specific authentication mechanism.
11 802.1x standard authenticates wireless LAN users trying to access
14 RADIUS attribute used for EAP is EAP-Message, 79(rfc2869). RADIUS
15 communicates all EAP messages by embedding them in this attribute.
18 Supplicant/EAP Client - is the software on the end-user/client machine
19 (machine with the wireless card).
20 Authenticator/NAS/Access Point(AP) - A network device providing users
21 with a point of entry into the network.
22 EAPOL - EAP over LAN as defined in 802.1x standard.
23 EAPOW - EAP over Wireless.
26 +----------+ +----------+ +----------+
27 | | EAPOL | | RADIUS | |
28 | EAP |<------>| Access |<------>| RADIUS |
29 | Client | EAPOW | Point | (EAP) | Server |
31 +----------+ +----------+ +----------+
34 The sequence of events, for EAP-MD5, runs as follows:
35 1. The end-user associates with the Access Point(AP).
36 2. The supplicant specifies AP to use EAP by sending EAP-Start.
37 3. AP requests the supplicant to Identify itself (EAP-Identity).
38 4. Supplicant then sends its Identity (username) to the AP.
39 5. AP forwards this EAP-response AS-IS to the RADIUS server.
40 (The supplicant and the RADIUS server mutually authenticate via AP.
41 AP just acts as a passthru till authentication is finished.)
42 6. The server sends a challenge to the supplicant.
43 7. The supplicant carries out a hash on the password and sends
44 this hashed password to the RADIUS server as its response.
45 8. The RADIUS server performs a hash on the password for that supplicant
46 in its user database and compares the two hashed values and
47 authenticates the client if the two values match(EAP-Success/EAP-Failure)
48 9. AP now opens a port to accept data from the end-user.
50 Currently, EAP is widely used in wireless networks than in wired networks.
51 In 802.11/wireless based networking, following sequence of events happen in
52 addition to the above EAP events.
54 10. RADIUS server and the supplicant agree to a specific WEP key.
55 11. The supplicant loads the key ready for logging on.
56 12. The RADIUS server sends the key for this session (Session key) to the AP.
57 13. The AP encrypts its Broadcast key with the Session key
58 14. The AP sends the encypted key to the supplicant
59 15. The supplicant decrypts the Broadcast key with the Session key and
60 the session continues using the Broadcast and Session keys until
64 The Implementation of EAP over RADIUS is based on the following RFCs
65 rfc2869 -- RADIUS Extensions
66 rfc2284 -- PPP Extensible Authentication Protocol (EAP)
67 rfc2716 -- PPP EAP TLS Authentication Protocol
69 Following links help to understand HOW EAP works
70 www.ieee802.org/1/mirror/8021/docs2000/ieee_plenary.PDF
75 EAP is implemented as a module in freeradius
76 and the code is placed in src/modules/rlm_eap.
77 All EAP-Types are organized as subdirectories in rlm_eap/types/.
78 Currently Freeradius supports only 2 EAP-Types (EAP-MD5, EAP-TLS).
80 Each EAP-Type, like types/rlm_eap_md5, contains a chunk of code that
81 knows how to deal with a particular kind of authentication mechanism.
83 To add a new EAP-Type then a new directory should be created as
84 rlm_eap/types/rlm_eap_XXXX, where XXXX is EAP-Type name
85 ie for EAP-Type like ONE TIME PASSWORD (OTP) it would be rlm_eap_otp
87 src/modules/rlm_eap -- contains the basic EAP and generalized interfaces
89 rlm_eap/types -- contains all the supported EAP-Types
90 rlm_eap/types/rlm_eap_md5 -- EAP-MD5 authentication.
91 rlm_eap/types/rlm_eap_tls -- EAP-TLS based authentication.
92 rlm_eap/types/rlm_eap_leap -- Cisco LEAP authentication.
93 rlm_eap/types/rlm_eap_sim -- EAP-SIM (GSM) based authentication
97 Add the eap configuration stanza to the modules section in radiusd.conf
98 to load and control rlm_eap and all the supported EAP-Types:
104 default_eap_type = md5
113 NOTE: You cannot have empty eap stanza. At least one EAP-Type sub-stanza
114 should be defined as above, otherwise the server will not know what type
115 of eap authentication mechanism to be used and the server will exit
118 All the various options and their associated default values for each
119 EAP-Type are documented in the sample radiusd.conf that is provided
120 with the distribution.
122 Since the EAP requests may not contain a requested EAP type, the
123 'default_eap_type' configuration options is used by the EAP module
124 to determine which EAP type to choose for authentication.
126 NOTE: EAP cannot authorize a user. It can only authenticate.
127 Other Freeradius modules authorize the user and lets EAP to authenticate.
129 NOTE: There can only be one instance of the EAP module.
133 To configure EAP-SIM authentication, the following attributes must be
134 set in the server. This can be done in the users file, but in many cases
135 will be taken from a database server, via one of the SQL interface.
137 If one has SIM cards that one controls (i.e. whose share secret you know),
138 one should be able to write a module to generate these attributes
139 (the triplets) in the server.
141 If one has access to the SS7 based settlement network, then a module to
142 fetch appropriate triplets could be written. This module would act as
143 an authorization only module.
146 EAP-Sim-Rand1 16 bytes
147 EAP-Sim-SRES1 4 bytes
149 EAP-Sim-Rand2 16 bytes
150 EAP-Sim-SRES2 4 bytes
152 EAP-Sim-Rand3 16 bytes
153 EAP-Sim-SRES3 4 bytes
156 EAP-SIM will send WEP attributes to the resquestor.
160 1. XSupplicant - freeradius (EAP/TLS) notes may be found at:
162 http://www.eax.com/802/
163 or http://www.missl.cs.umd.edu/wireless/eaptls/
165 XSupplicant is hosted by:
167 http://www.open1x.org/
169 2. XP - freeradius (EAP/TLS) notes may be found at:
171 http://www.denobula.com/EAPTLS.pdf
173 3. Freeradius has an "radeapclient" that can do EAP-MD5 (passwords),
174 as well as EAP-SIM. It is in modules/rlm_eap/radeapclient.
178 You will find several test cases in src/tests/ for the EAP-SIM code.
181 HOW DO I USE IT (FAQ/Examples)
183 1. How can I enable EAP-MD5 authentication ?
190 default_eap_type = md5
198 # eap sets the authenticate type as EAP
204 # eap authentication takes place.
209 # If you are proxying EAP-LEAP requests
210 # This is required to make LEAP work.
215 2. My Userbase is in LDAP and I want to use EAP-MD5 authentication
222 default_eap_type = md5
230 # ldap gets the Configured password.
231 # eap sets the authenticate type as EAP
237 # eap authentication takes place.
242 3. How can I Proxy EAP messages, with/without User-Name attribute
243 in the Access-Request packets
245 With User-Name attribute in Access-Request packet,
246 EAP-proxying is just same as RADIUS-proxying.
248 If User-Name attribute is not present in Access-Request packet,
249 Freeradius can proxy the request with the following configuration
252 # eap module should be configured as the First module in
253 # the authorize stanza
260 With this configuration, eap_authorize creates User-Name attribute
261 from EAP-Identity response, if it is not present.
262 Once User-Name attribute is created, RADIUS proxying takes care
265 4. How Freeradius can handle EAP-START messages ?
267 In most of the cases this is handled by the Authenticator.
269 Only if it is required then, in radiusd.conf
276 With the above configuration, RADIUS server immediately responds with
277 EAP-Identity request.
279 NOTE: EAP doesnot check for any Identity or maintains any state in case
280 of EAP-START. It blindly responds with EAP-Identity request.
281 Proxying is handled only after EAP-Identity response is received.
283 5. I want to enable multiple EAP-Types, how can I configure ?
290 default_eap_type = tls
301 The above configuration will let the server load all the EAP-Types,
302 but the server can have only one default EAP-Type, as above.
304 Once EAP-Identity response is received by the server, based on the
305 default_eap_type, the server will send a new request (MD5-Challenge
306 request incase of md5, TLS-START request incase of tls) to the supplicant.
307 If the supplicant is rfc2284 compliant and doesnot support the
308 EAP-Type sent by the server then it sends EAP-Acknowledge with the
309 supported EAP-Type. If this EAP-Type is supported by the server then it
310 will send the respective EAP-request.
312 Example: If the supplicant supports only EAP-MD5 but the server
313 default_eap_type is configured as EAP-TLS, as above, then the server
314 will send TLS-START after EAP-Identity is received. Supplicant will
315 respond with EAP-Acknowledge(EAP-MD5). Server now responds with
320 EAP, EAP-MD5, and Cisco LEAP do not require any additional packages.
321 Freeradius contains all the required packages.
323 For EAP-TLS, OPENSSL, <http://www.openssl.org/>, is required to be installed.
324 Any version from 0.9.7, should fairly work with this module.
326 EAP-SIM should not require any additional packages.
330 It probably still has bugs. Most notably, there is a small memory
331 leak somewhere in the eap_tls code. I suspect it's because of my
332 misuse of OPENSSL libraries, but I have no proof yet.
334 IMPLEMENTATION (For Developers)
336 The rlm_eap module only deals with EAP specific authentication mechanism
337 and the generic interface to interact with all the EAP-Types.
339 Currently, these are the existing interfaces,
340 int attach(CONF_SECTION *conf, void **type_arg);
341 int initiate(void *type_arg, EAP_HANDLER *handler);
342 int authenticate(void *type_arg, EAP_HANDLER *handler);
343 int detach(void **type_arg);
345 attach() and detach() functions allocate and deallocate all the
348 initiate() function begins the conversation when EAP-Identity response
349 is received. Incase of EAP-MD5, initiate() function sends the challenge.
351 authenticate() function uses specific EAP-Type authentication mechanism
352 to authenticate the user. During authentication many EAP-Requests and
353 EAP-Responses takes place for each authentication. Hence authenticate()
354 function may be called many times. EAP_HANDLER contains the complete
355 state information required.
359 as posted to the list, by John Lindsay <jlindsay@internode.com.au>
361 To make it clear for everyone, the supplicant is the software on the
362 client (machine with the wireless card).
364 The EAP process doesn't start until the client has associated with
365 the Access Point using Open authentication. If this process isn't
366 crystal clear you need to go away and gain understanding.
368 Once the association is made the AP blocks all traffic that is not
369 802.1x so although associated the connection only has value for EAP.
370 Any EAP traffic is passed to the radius server and any radius traffic
371 is passed back to the client.
373 So, after the client has associated to the Access Point, the
374 supplicant starts the process for using EAP over LAN by asking the
375 user for their logon and password.
377 Using 802.1x and EAP the supplicant sends the username and a one-way
378 hash of the password to the AP.
380 The AP encapsulates the request and sends it to the RADIUS server.
382 The radius server needs a plaintext password so that it can perform
383 the same one-way hash to determine that the password is correct. If
384 it is, the radius server issues an access challenge which goes back
385 via to the AP to the client. (my study guide says client but my
386 brain says 'supplicant')
388 The client sends the EAP response to the challenge via the AP to the
391 If the response is valid the RADIUS server sends a success message
392 and the session WEP key (EAP over wireless) to the client via the
393 AP. The same session WEP key is also sent to the AP in the success
396 The client and the AP then begin using session WEP keys. The WEP key
397 used for multicasts is then sent from the AP to the client. It is
398 encrypted using the session WEP key.
401 Primary author - Raghu <raghud@mail.com>
403 EAP-SIM - Michael Richardson <mcr@sandelman.ottawa.on.ca>
404 The development of the EAP/SIM support was funded by
405 Internet Foundation Austria (http://www.nic.at/ipa).