2

I am having trouble understanding the point of EAP.

EAP is an authentication framework, which defines several TLS based methods and encapsulations like EAP-TLS, EAP-TTLS and PEAP. These all require the server/authenticator to have a certificate (EAP-TLS require the client/supplicant to have it too).

  • TLS provides authentication with the use of certificates on its own. Then what is the point of EAP?
  • Is EAP better in some way?
  • The most notable usage of EAP is WPA. Is it advantageous to use it on wired connections too compared to plain TLS?
  • When would you rather use one or the other?
Sylvester
  • 65
  • 3

2 Answers2

3

TLS provides authentication with the use of certificates on its own.

TLS actually can do a number of things, but is most commonly used for establishing an encrypted session/tunnel between two end points.

It certainly can be used to provide authentication, but many of the EAP protocols that do make use of TLS only do so to encrypt the traffic between supplicant and server to provide a secure tunnel through which the authentication takes place.

Then what is the point of EAP?

...

Is EAP better in some way?

You said it yourself, "EAP is an authentication framework." EAP defines a framework that provides a standard interface within which entities are free to define their own authentication methods that can provide authentications services in whatever way they see fit within that standard framework.

The two end points (authenticator and supplicant) must be able to understand and make use of the specific method, but any intermediate devices are only required to know how to process EAP traffic. In other words, intermediate devices don't need to know anything about the actual authentication methods in use in any way.

The most notable usage of EAP is WPA. Is it advantageous to use it on wired connections too compared to plain TLS?

That is the most notable usage of EAP of which you are aware. EAP dates back to RFC 2284 published in 1998 and was designed initially for PPP (Point-to-Point Protocol) connections. It had nothing to do with wireless.

This initial EAP framework was compelling enough that in 2001 the IEEE working group for 802.1X decided to use it for the basis of it's authentication (which extended it to EAPOL or "EAP over LAN") for it's purpose.

802.1X, while initially meant for use on Ethernet networks, became the basis for network authentication on just about any medium where network authentication was required, including 802.11 in 2004 (this is also the year the EAP RFC was updated by RFC 3784). EAP is also typically used for authenticating mobile devices to cellular networks (SIM, AKA, AKA', and so on).

For a non-networking use of EAP, for those living in North America (and maybe elsewhere) most "open road tolling" systems that use transponders mounted in vehicles actually use an EAP method to "authenticate" when passing through toll collection points.

I am sure there are plenty of other examples of EAP in use in the world today as well. And most of these uses do not use WPA/WPA2.

I am having trouble understanding the point of EAP.

The point of EAP is that it allows devices to handle EAP traffic as EAP traffic without caring what the EAP authentication method in use might be. Only the authenticator (i.e. authentication server, typically RADIUS) and the authenticating client (i.e. supplicant) need to share an understanding of the EAP method in use.

Say you build a network. Your devices understand that clients that connect have to authenticate and you choose a proprietary solution that requires all devices (client, authentication server, and all intermediate devices) to understand and be able to process this authentication solution.

Now imagine that this authentication solution is flawed, or you get a new type of client that doesn't understand this authentication solution. The resolution now requires an upgrade to all your intermediate devices as well.

Instead, they will use EAP. Your network knows how to deal with EAP traffic (i.e forward to the authentication server). The client and server know how to negotiate the EAP method to use (defined by the operation of the EAP framework). If you need to change EAP methods or add clients that only know a new EAP method, all you need to adjust is the authentication server. All your intermediate devices just handle it as any other EAP traffic.

So, to give you a bit of insight, here is an example list of authentication methods used with EAP over time for various purposes and by different organizations (some of which are now obsolete or vulnerable):

  • PPP
  • PAP
  • CHAP
  • SPAP
  • MD5-Challenge
  • One-Time-Password
  • Generic-Token
  • TLS
  • PEAP
  • TTLS
  • LEAP
  • SIM
  • AKA
  • AKA'
  • MSCHAPv2 (not to be mistaken for PEAP/MSCHAPv2)
  • PAX
  • PSK
  • PWD
  • FAST
  • IKEv2
  • TEAP
  • GTC
  • EKE

This is by no means a complete list and I am not personally familiar with all these methods, but quite a number of these I have seen used with EAP (or other EAP methods, such as TTLS) in different capacities.

Community
  • 1
YLearn
  • 3,967
  • 1
  • 17
  • 34
2

TLS can provide mutual authentication with the use of public-key certificates. However, it is not necessary to use public-key certificates with TLS for authentication. TLS can be used solely to provide encryption (data integrity & privacy) for the data being transferred on the wire, without user authentication mechanisms. Often in TLS scenarios, only the server must be trusted/authenticated by the client, however the client can be anonymous (e.g internet browser).

An authentication layer can be used with TLS, and both can be completely decoupled from one another. In most modern enterprise scenarios, user authentication is handled by SAML 2.0 or Kerberos/SPNego, and both technologies are used on scenarios where TLS is also used. Therefore TLS does not enforce authentication, nor it enforces the strict usage of public-key certificates for it.

The EAP-TLS Authentication Protocol is just another implementation of an authentication protocol that is integrated with TLS. The key here is not that TLS provides the authentication, but rather that TLS provides encryption (data integrity & privacy) for the authentication protocol.

We can conclude that the usage of both will depend on the use case, since EAP is an authentication protocol that typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP, and TLS has a complete different purpose, since the primary goal of the TLS Protocol is to provide privacy and data integrity between two communicating applications.

Community
  • 1
Filipe dos Santos
  • 1,090
  • 4
  • 15
  • Actually, EAP-TLS does make use of TLS and certificates for authentication (in the vast majority of cases). Examples of EAP methods that use TLS only for establishing a TLS encrypted tunnel would be EAP-TTLS or EAP-PEAP (both of which provide a "fake" outer authentication for purposes of establishing the TLS tunnel and then make use of a separate EAP method for the "real" authentication inside the tunnel). – YLearn Jan 09 '20 at 22:27
  • I understand the usage of TLS in EAP. The point is: TLS is not an authentication protocol. Client certificates are used for authentication in TLS, however client certificates are also used with other secure channel protocols for authentication as well, so this is not special for TLS. – Filipe dos Santos Jan 09 '20 at 22:34
  • Your statement is only true with other EAP methods. With EAP-TLS, TLS provides both encrypted communications and authentication (in the vast majority of cases where EAP-TLS is used). – YLearn Jan 09 '20 at 22:42
  • TLS by itself does not provide authentication in any case. Client certificates are used for authentication _within_ TLS, however this is true for any other authentication method (e.g. user and password). EAP-TLS has client certificate authentication and *not* "TLS authentication". – Filipe dos Santos Jan 09 '20 at 22:59
  • I never say TLS by itself does provide authentication. However in the third paragraph of your answer you state that EAP-TLS does not use TLS to provide authentication. With EAP-TLS, it is the validation of the TLS certificate via the TLS identity verification procedures that provides a valid authentication. EAP-TLS makes use of TLS as it's authentication protocol. Feel free to check [RFC 5216](https://tools.ietf.org/html/rfc5216) for EAP-TLS operation if you like. – YLearn Jan 09 '20 at 23:13