Lines Matching refs:EAP

3             Extensible Authentication Protocol (EAP)
8 Extensible Authentication Protocol (EAP), rfc2284, is a general protocol
10 methods. Each EAP-Type indicates a specific authentication mechanism.
14 RADIUS attribute used for EAP is EAP-Message, 79(rfc2869). RADIUS
15 communicates all EAP messages by embedding them in this attribute.
18 Supplicant/EAP Client - is the software on the end-user/client machine
22 EAPOL - EAP over LAN as defined in 802.1x standard.
23 EAPOW - EAP over Wireless.
28 | EAP |<------>| Access |<------>| RADIUS |
29 | Client | EAPOW | Point | (EAP) | Server |
34 The sequence of events, for EAP-MD5, runs as follows:
36 2. The supplicant specifies AP to use EAP by sending EAP-Start.
37 3. AP requests the supplicant to Identify itself (EAP-Identity).
39 5. AP forwards this EAP-response AS-IS to the RADIUS server.
47 authenticates the client if the two values match(EAP-Success/EAP-Failure)
50 Currently, EAP is more widely used in wireless networks than in wired networks.
52 addition to the above EAP events.
64 The Implementation of EAP over RADIUS is based on the following RFCs
66 rfc2284 -- PPP Extensible Authentication Protocol (EAP)
67 rfc2716 -- PPP EAP TLS Authentication Protocol
69 Following links help to understand HOW EAP works
73 EAP CODE ORGANIZATION
75 EAP is implemented as a module in freeradius
77 All EAP-Types are organized as subdirectories in rlm_eap/types/.
79 Each EAP-Type, like types/rlm_eap_md5, contains a chunk of code that
82 To add a new EAP-Type then a new directory should be created as
83 rlm_eap/types/rlm_eap_XXXX, where XXXX is EAP-Type name
84 ie for EAP-Type like ONE TIME PASSWORD (OTP) it would be rlm_eap_otp
86 src/modules/rlm_eap -- contains the basic EAP and generalized interfaces
87 to all the EAP-Types.
88 rlm_eap/types -- contains all the supported EAP-Types
89 rlm_eap/types/rlm_eap_md5 -- EAP-MD5 authentication.
90 rlm_eap/types/rlm_eap_tls -- EAP-TLS based authentication.
93 rlm_eap/types/rlm_eap_sim -- EAP-SIM (GSM) based authentication
98 to load and control rlm_eap and all the supported EAP-Types:
113 NOTE: You cannot have an empty eap stanza. At least one EAP-Type sub-stanza
119 EAP-Type are documented in the sample radiusd.conf that is provided
122 Since the EAP requests may not contain a requested EAP type, the
123 'default_eap_type' configuration option is used by the EAP module
124 to determine which EAP type to choose for authentication.
126 NOTE: EAP cannot authorize a user. It can only authenticate.
130 EAP SIM server
132 To configure EAP-SIM authentication, the following attributes must be
145 EAP-Sim-Rand1 16 bytes
146 EAP-Sim-SRES1 4 bytes
147 EAP-Sim-KC1 8 bytes
148 EAP-Sim-Rand2 16 bytes
149 EAP-Sim-SRES2 4 bytes
150 EAP-Sim-KC2 8 bytes
151 EAP-Sim-Rand3 16 bytes
152 EAP-Sim-SRES3 4 bytes
153 EAP-Sim-KC3 8 bytes
155 EAP-SIM will send WEP attributes to the requestor.
157 EAP CLIENTS
159 1. XSupplicant - freeradius (EAP/TLS) notes may be found at:
168 2. XP - freeradius (EAP/TLS) notes may be found at:
172 3. Freeradius has an "radeapclient" that can do EAP-MD5 (passwords),
173 as well as EAP-SIM. It is in modules/rlm_eap/radeapclient.
177 You will find several test cases in src/tests/ for the EAP-SIM code.
182 1. How can I enable EAP-MD5 authentication ?
197 # eap sets the authenticate type as EAP
208 # If you are proxying EAP-LEAP requests
214 2. My Userbase is in LDAP and I want to use EAP-MD5 authentication
230 # eap sets the authenticate type as EAP
245 3. How can I Proxy EAP messages, with/without User-Name attribute
249 EAP-proxying is just the same as RADIUS-proxying.
264 from EAP-Identity response, if it is not present.
266 of EAP proxying.
268 4. How can Freeradius handle EAP-START messages ?
280 EAP-Identity request.
282 NOTE: EAP does not check for any Identity or maintain any state in case
283 of EAP-START. It blindly responds with EAP-Identity request.
284 Proxying is handled only after EAP-Identity response is received.
286 5. I want to enable multiple EAP-Types, how can I configure ?
304 The above configuration will let the server load all the EAP-Types,
305 but the server can have only one default EAP-Type, as above.
307 Once EAP-Identity response is received by the server, based on the
311 EAP-Type sent by the server then it sends EAP-Acknowledge with the
312 supported EAP-Type. If this EAP-Type is supported by the server then it
313 will send the respective EAP-request.
315 Example: If the supplicant supports only EAP-MD5 but the server
316 default_eap_type is configured as EAP-TLS, as above, then the server
317 will send TLS-START after EAP-Identity is received. Supplicant will
318 respond with EAP-Acknowledge(EAP-MD5). Server now responds with
323 EAP, EAP-MD5, and Cisco LEAP do not require any additional packages.
326 For EAP-TLS, EAP-TTLS, and PEAP, OPENSSL, <http://www.openssl.org/>,
330 EAP-SIM should not require any additional packages.
335 The rlm_eap module only deals with EAP specific authentication mechanism
336 and the generic interface to interact with all the EAP-Types.
347 initiate() function begins the conversation when EAP-Identity response
348 is received. In case of EAP-MD5, initiate() function sends the challenge.
350 authenticate() function uses specific EAP-Type authentication mechanism
351 to authenticate the user. During authentication many EAP-Requests and
352 EAP-Responses take place for each authentication. Hence authenticate()
357 HOW EAP WORKS
363 The EAP process doesn't start until the client has associated with
368 802.1x so although associated the connection only has value for EAP.
369 Any EAP traffic is passed to the radius server and any radius traffic
373 supplicant starts the process for using EAP over LAN by asking the
376 Using 802.1x and EAP the supplicant sends the username and a one-way
387 The client sends the EAP response to the challenge via the AP to the
391 and the session WEP key (EAP over wireless) to the client via the
402 EAP-SIM - Michael Richardson <mcr@sandelman.ottawa.on.ca>
403 The development of the EAP/SIM support was funded by