EAP-TLS

EAP-TLS refers to the Extensive Authentication Protocol-transport Layer Security. EAP-TLS is an open standard that provides enhanced network security using certificate-based mutual authentication.

The standard was developed by IETF and came in handy for networks with WPA2 features helping them to become compatible with X.509 digital certificates. Businesses use these digital authentication certificates to enhance single sign-on (SSO) through any network device.

EAP-TLS operates by locking down a network and allowing authenticated users to access applications, data, and other resources.

The Extensible Authentication Protocol (EAP) serves as a protocol for wireless networks. The aim is to expand any authentication methods used by the Point-to-Point Protocol (PPP) of the network.

EAP-TLS works best on encrypted networks and provides a more secure way to send information that translates to network authentication. EAP-TLS is not a difficult protocol to use since its framework does not rely on complex encryption solutions. Its reliance is on the strength of public key cryptography.

EAP methodology has a root in public-key cryptography which is why it can support authentication methods. These include certificates, smart cards, token cards, OTPs, and more. With this, it eliminates the pre-share keys structure before they get the chance to access a network. The use of a certificate-based authentication mechanism means both users and the server need certificates for authentication.

The EAP-TLS process begins with the identification of the certificates. Next, it creates a session-based key for either the client or server to carry out any login process. However, this entails some steps:

1. An access request to a network through an authenticator app or wireless access point (AP).
2. The authenticator app or wireless access point (AP) then requests the user’s identity information.
3. The received credentials get transferred from the AP to the network’s authentication server.
4. The server requests identification verification from the AP.
5. The AP gets the validation and sends it the details back to the authentication server.
6. When the system establishes a connection, the user then connects directly to the network.

Security is a crucial topic in cyberspace. Thus every infrastructure or protocol must provide top-notch security for business networks. EAP-TLS is a very reliable and secure protocol due to its mutual authentication approach. The approach reduces the possibility of cyber-attacks particularly with man-in-the-middle attacks- since users have to first validate their credentials

Moreso, there are about 40 EAP methods to adopt. These include the familiar ones called inner methods such as Leap, Peap, Eap-sim, Eap-fast, Eap-MD5, and Eap-TTLS.

• Lightweight Extensible Authentication Protocol (LEAP): Leap is a Cisco-proprietor EAP. LEAP design provides more secure authentication for 802.11 wireless local area network (WLANs)that supports 802.1X port access control. It operates by sending clients a random challenge who in turn respond by returning a hashed password. Upon authentication, the client requests a password from the server, and a key exchange follows.

• Protected Extensible Authentication Protocol (PEAP): PEAP is a more secure solution for 802.11 WLANS than LEAP. It authenticates clients using server-side certificates. PEAP also creates a TLS running from a server to the client that way, the client gets authenticated through an encrypted tunnel. The purpose of designing PEAP was to correct the deficiencies in Extensible Authentication Protocol (EAP).  EAP focus on protecting the communication channel, therefore, it lacked facilities for the protection of  EAP conversation.

• Eap-Sim: The EAP-SIM protocol provides mutual authentication between an authenticator and a Global System for Mobile Communication (GSM) subscriber. It functions by using a per-session WRP key necessary for encrypting data. A user first identifies with an International Mobile Subscriber Identity (IMSI). This represents a 15-digit string that provides a globally unique identity for the user’s device. These digits are shared between the Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Station Identification Number (MSIN).

• Eap-Fast (Flexible Authentication via Secure Tunneling): The Eap-fast protocol was designed to replace LEAP. It operates by using a tunnel to provide a mutual authentication just like EAP-TTLS and PEAP. EAP-FAST uses a protected access credential that creates a one-time exchange with a PAC key or shared secret. EAP-FAST cannot authenticate the server with a digital certificate. It, therefore, needs the PAC keys to handle the authentication.

• EAP-MD5: EAP-MD5 works using a password and a one-way authentication protocol rather than mutual authentication. It offers a base level for its support. The EAP-MD protocol comprises three components which include the applicant, the identity authentication, and the server. However, the only authenticated component is the identity of the applicant. EAP-MD has no way of developing a per-session WEP key. However, its manual maintenance comes with certain challenges.

• Tunneled Transport Layer S (EAP-TTLS): The EAP-TTLS is a specific version of the EAP that provides a framework necessary to support authentication across communication systems. It operates like the EAP-TLS and provides extensive security using certificate-based mutual authentication. In this case, the server alone requires a certificate. With EAP-TTLS, it's easy to reuse a legacy user authentication database.

The EAP identity gets configured for authentication using an identity name and an optional password.

A user first launches the 802.1X client before providing the registered username and password. Next, the 802.1X client then sends an EAPOL-Start packet to the access device.

The access device further responds with an EAP identity or request packet for the client username that the client provides. Furthermore, the access device relays the EAP identity or response packet in a RADIUS Access-Request packet to the authentication server. The authentication server further uses the identity information in the RADIUS Access-Request and searches its user database. When a matching entry gets found,  the server uses a randomly generated challenge (the EAP- MD5-Challenge) to encrypt the password in the entry. Afterwards, the server sends the challenge to the access device.

EAP-TLS delivers several key features, including:

• Mutual Authentication: EAP establish communication from client to server and also from server to client.
• Fragmentation and Reassembly: Most times, the client and server may need to exchange a very long message. EAP-TLS fragments and reassembled the information for better transmission of data.
• Exchange of Keys: Keys get exchanged between the client and the server. The key exchange is a necessity to establish dynamic wired equivalent privacy (WEP) or temporal key integrity protocol (TKIP) keys
• Fast Reconnect: Reconnecting the EAP-TLS when it drops is an easy act.