Wednesday, April 23, 2014

CISSP - EAP Protocols

Questions about EAP are annoying ones, at least for me, and not many people seem to know the differences between the methods. Furthermore, even the official CISSP guide from ISC2 does not say much about them, yet you can come across many questions about them in practice tests.

I will try to give you the essentials so that you know enough for the exam and can discover more if you wish.

First of all, the Extensible Authentication Protocol (EAP, RFC 3748) is the authentication framework carried by IEEE 802.1X, the port-based network access control standard. The supplicant (the client that wants onto the corporate network) speaks EAP over the LAN (EAPOL) to the authenticator (the switch or access point), which relays it, normally over RADIUS, to the authentication server. In a secure network environment the client and the authentication server should properly authenticate each other; 802.1X itself does not decide how that happens, the EAP method does.
When we speak about mutual authentication, the strongest option is digital certificates and a Public Key Infrastructure. Client and server present their certificates to each other for authentication, and in the tunneled methods the server's certificate is also used to build a TLS tunnel that protects the rest of the exchange.
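To make the framing concrete, here is an added example (not code from the original post) that decodes 802.1X EAPOL frames and the EAP packets inside them: the EAP header, the method type number, and the flags byte shared by the TLS-based methods. The exchange it decodes is constructed for the demonstration, including the identity string and the three placeholder bytes standing in for a TLS record; it is not a real capture.

```python
"""Decode 802.1X EAPOL frames and the EAP packets they carry (IEEE 802.1X, RFC 3748).

Added example, not from the original post. The sample exchange is constructed
for illustration; the byte strings are not a real capture.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the methods the post discusses.
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
               13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# Flags byte shared by the TLS-based methods: L = TLS message length present,
# M = more fragments follow, S = start of the TLS conversation.
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20


def parse_eapol(frame: bytes) -> dict:
    """EAPOL header: Version (1) | Type (1) | Body Length (2) | Body."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than its 4-byte header")
    version, etype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError(f"EAPOL Body Length {body_len} but only {len(body)} bytes present")
    info = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(etype, etype)}
    if etype == 0:                      # only EAP-Packet frames carry an EAP packet
        info["eap"] = parse_eap(body)
    return info


def parse_eap(pkt: bytes) -> dict:
    """EAP header: Code (1) | Identifier (1) | Length (2) | [Type (1) | Type-Data]."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} does not match {len(pkt)} bytes received")
    out = {"code": EAP_CODES.get(code, code), "id": ident}
    if code not in (1, 2):              # Success and Failure have no Type field
        return out
    if length < 5:
        raise ValueError("EAP Request/Response without a Type byte")
    mtype, data = pkt[4], pkt[5:]
    out["method"] = EAP_METHODS.get(mtype, mtype)
    if mtype == 1:                      # Identity: displayable string (often an outer identity)
        out["identity"] = data.decode("utf-8", "replace")
    elif mtype == 3:                    # Nak: method types the peer would accept instead
        out["desired_methods"] = [EAP_METHODS.get(t, t) for t in data]
    elif mtype in (13, 21, 25):         # EAP-TLS, EAP-TTLS and PEAP share the flags layout
        out.update(parse_tls_flags(mtype, data))
    else:
        out["type_data"] = data.hex()
    return out


def parse_tls_flags(mtype: int, data: bytes) -> dict:
    if not data:
        raise ValueError("TLS-based method without a flags byte")
    flags, rest = data[0], data[1:]
    info = {"flags": {"L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M), "S": bool(flags & FLAG_S)}}
    if mtype in (21, 25):               # TTLS and PEAP carry a method version in the low 3 bits
        info["tunnel_version"] = flags & 0x07
    if flags & FLAG_L:                  # 4-byte total TLS message length precedes the first fragment
        if len(rest) < 4:
            raise ValueError("L flag set but no TLS Message Length field")
        (info["tls_message_length"],) = struct.unpack("!I", rest[:4])
        rest = rest[4:]
    info["tls_data_len"] = len(rest)
    return info


def eapol(eap_body: bytes, etype: int = 0) -> bytes:
    """Build an EAPOL frame (version 2, 802.1X-2004) around an EAP packet."""
    return struct.pack("!BBH", 2, etype, len(eap_body)) + eap_body


def eap(code: int, ident: int, type_and_data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(type_and_data)) + type_and_data


# Constructed exchange: the supplicant announces itself, the server proposes PEAP,
# the supplicant Naks in favour of EAP-TLS, and the server restarts with EAP-TLS.
SAMPLE_EXCHANGE = [
    ("supplicant->authenticator", eapol(b"", etype=1)),                        # EAPOL-Start
    ("authenticator->supplicant", eapol(eap(1, 1, bytes([1])))),                # Request/Identity
    ("supplicant->authenticator", eapol(eap(2, 1, bytes([1]) + b"anonymous@example.com"))),
    ("authenticator->supplicant", eapol(eap(1, 2, bytes([25, FLAG_S])))),       # PEAP start, version 0
    ("supplicant->authenticator", eapol(eap(2, 2, bytes([3, 13])))),            # Nak: wants EAP-TLS
    ("authenticator->supplicant", eapol(eap(1, 3, bytes([13, FLAG_S])))),       # EAP-TLS start
    # First client fragment with the L flag; the 3 trailing bytes stand in for a TLS record.
    ("supplicant->authenticator", eapol(eap(2, 3, bytes([13, FLAG_L]) + struct.pack("!I", 3) + b"\x16\x03\x03"))),
    ("authenticator->supplicant", eapol(eap(3, 3))),                            # Success (handshake elided)
]


def decode_exchange(frames) -> list:
    return [{"direction": d, **parse_eapol(f)} for d, f in frames]


if __name__ == "__main__":
    for rec in decode_exchange(SAMPLE_EXCHANGE):
        print(rec)
```

Two things worth noticing in the decoded output: the Identity response travels in the clear before any tunnel exists, which is why the tunneled methods let you send an anonymous outer identity, and the Nak shows that the method is negotiated, so a server that still accepts a weak method can be talked down to it.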

EAP-TLS (Transport Layer Security) requires both the client and the authentication server to authenticate with digital certificates. It is the most secure of the three, but it is laborious and expensive because it demands proper certificate management, mostly on the client side: if a client certificate is not renewed in time, or the client's certificate store is not properly managed, clients end up unable to connect to the network. Because many network administrators are not very familiar with PKI, troubleshooting is painful too.

EAP-TTLS (Tunneled TLS) eases the problems EAP-TLS creates by eliminating client-side certificates. Only the server has a certificate; it is used to establish a TLS tunnel between the client and the authentication server, and the client's credentials (an inner method such as PAP, CHAP or MSCHAPv2) are sent over that tunnel. This is less secure than EAP-TLS, since the client proves its identity with a password rather than a key pair, but it is much easier to configure and maintain. One caveat a practitioner should keep in mind: the whole scheme depends on the client actually validating the server certificate (a trusted CA and the expected server name). A client configured to accept any certificate will happily build the tunnel to a rogue access point and hand it the inner credentials.

EAP-PEAP (Protected EAP) works much the same way as EAP-TTLS, which is why it is confusing for me and, I believe, many others. After the secure tunnel is established using the server certificate, a second (inner) EAP method such as EAP-TLS or EAP-MSCHAPv2 (Microsoft's challenge-response password method wrapped as an EAP method) is run inside it. The practical difference is that PEAP only carries EAP methods inside the tunnel, whereas TTLS can also carry legacy non-EAP methods such as PAP and CHAP.

These are all the methods given in the official guide. There are of course others: LEAP (Cisco's proprietary first take on EAP, now considered insecure and deprecated), EAP-MD5 (a plain MD5 challenge-response with no server authentication and no key derivation, much weaker than those above and unsuitable for wireless) and EAP-MSCHAPv2 (mostly used as the inner method inside PEAP or TTLS, authenticating users against their Active Directory credentials), but these are apparently not considered essential. Knowing this much about them is enough for general knowledge and the exam.
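The server-certificate caveat for the tunneled methods, and the deprecated methods just mentioned, can be checked mechanically on a Linux client. The following is an added example (not from the original post, and not a vendor tool) that parses wpa_supplicant network blocks and flags the weak settings: a PEAP or TTLS network with no ca_cert, a network that trusts a CA but never checks the server's name, an EAP-TLS network with no client key, and LEAP or MD5. The option names (ca_cert, domain_suffix_match, phase2 and so on) are real wpa_supplicant.conf keys; the configuration text itself, with its SSIDs, paths and identities, is constructed for the demonstration.

```python
"""Audit wpa_supplicant network blocks for EAP configuration weaknesses.
Added example, not from the original post. The configuration below is constructed
for the demonstration; its SSIDs, file paths and identities are made up.
"""
import re

# Any of these makes wpa_supplicant check the server certificate's name, not just its CA.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")
TLS_BASED = ("TLS", "TTLS", "PEAP")
DEPRECATED = ("LEAP", "MD5")


def parse_networks(conf: str) -> list:
    """Return each network={...} block as a dict of key -> value (quotes stripped)."""
    networks = []
    for block in re.finditer(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in block.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")       # phase2="auth=MSCHAPV2" keeps its inner '='
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            net[key.strip()] = value
        networks.append(net)
    return networks


def audit_network(net: dict) -> list:
    """Findings as (severity, ssid, message) tuples, in the order the checks run."""
    findings = []
    ssid = net.get("ssid", "<no ssid>")
    for method in net.get("eap", "").upper().split():    # eap= may list several methods
        if method in DEPRECATED:
            findings.append(("high", ssid, f"eap={method} is deprecated and considered insecure"))
        if method in TLS_BASED:
            if "ca_cert" not in net and "ca_path" not in net:
                findings.append(("high", ssid, f"eap={method} without ca_cert: the server certificate is "
                                 "not validated, so a rogue authenticator can terminate the tunnel and "
                                 "capture the inner credentials"))
            elif not any(k in net for k in NAME_CHECKS):
                findings.append(("medium", ssid, f"eap={method} accepts any certificate issued by ca_cert: "
                                 "add domain_suffix_match (or domain_match/altsubject_match) for the RADIUS server"))
        if method == "TLS" and "private_key" not in net:
            findings.append(("high", ssid, "eap=TLS without private_key: no client certificate credential to present"))
    return findings


def audit_config(conf: str) -> list:
    return [f for net in parse_networks(conf) for f in audit_network(net)]


SAMPLE_CONF = """
# weak: PEAP with no CA, so any server certificate is accepted
network={
    ssid="corp-wifi"
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
# hardened PEAP: pinned CA plus server name check, anonymous outer identity
network={
    ssid="corp-wifi"
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jdoe@corp.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
# EAP-TLS: mutual certificate authentication
network={
    ssid="corp-wifi-certs"
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
}
# TTLS against the system CA bundle with no name check: any publicly trusted cert passes
network={
    ssid="guest-8021x"
    eap=TTLS
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=PAP"
}
# legacy LEAP
network={
    ssid="legacy"
    eap=LEAP
    identity="jdoe"
    password="hunter2"
}
"""

if __name__ == "__main__":
    for severity, ssid, message in audit_config(SAMPLE_CONF):
        print(f"[{severity}] {ssid}: {message}")
```

The two PEAP blocks for the same SSID are the point of the example: they differ only in ca_cert and domain_suffix_match, and only the first one will give its MSCHAPv2 exchange to whoever broadcasts that SSID. The TTLS block shows the subtler failure, trusting the public CA bundle without a name check, which any attacker with a publicly issued certificate satisfies.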

I know Aaron Woland from Cisco Networkers events; he is one of the people who designed Cisco's well-known ISE product and regularly speaks about identity-based networking and AAA at events. You can find a more detailed explanation on his blog, following this link:


  1. These are all the methods given in the official guide. This method is laborious and expensive as it requires too much effort for the proper management of the certificates mostly on the client side. Thank you for this invaluable information.

    disaster recovery plan checklist

  2. EAP-TLS is laborious, I cannot agree more. People go for other solutions easier to maintain such as Cisco's TrustSec and Forescout. There can be cases however where you are required to use EAP-TLS to be compliant, PCI-DSS can be an example.