Extensible Authentication Protocol
A framework for auto-negotiating secure authentication methods, including methods that use hardware identifiers such as fingerprint readers or smart card scanners.
This auto-negotiation happens before the full connection is established, in three scenarios:
- when a user is accessing a wireless network and needs to be authenticated against a network directory server (e.g. LDAP)
- when a device is connecting to a network via a switch and network policy requires the device to authenticate before full communications are established
- when a user is connecting over a VPN
EAP is usually configured with a digital certificate so that a secure tunnel can be created for credential transmission.
EAP Variants
There are several variants of EAP that fulfill different needs.
Protected EAP (PEAP)
PEAP provides authentication inside an SSL/TLS tunnel using a single certificate, installed on the server. The tunnel is a secure communications channel for transmitting certificate or login credentials. It also enables mutual authentication by requiring the server to prove its identity to the client.
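As an added example (not part of these notes), the following wpa_supplicant network blocks show a PEAP client configuration with the server-identity check missing, beside the corrected form. The SSID, CA file path, RADIUS server name, usernames and password are assumed placeholders.

```conf
# Added example (not from the original notes): wpa_supplicant network blocks for PEAP.
# Assumed placeholders: SSID "corp-wifi", CA file path, RADIUS server name and identities.

# Weak form, kept only for comparison and disabled. With no ca_cert, wpa_supplicant does
# not verify the server certificate, so the client builds its TLS tunnel to whatever
# server answers and sends the inner username/password through it. That defeats the
# "server proves its identity to the client" property PEAP is supposed to provide.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# Hardened form. ca_cert pins the trust anchor for the server certificate, and
# domain_match requires the certificate's SubjectAltName (or CN) to name the expected
# RADIUS server, so a certificate from any other CA or for any other host ends the
# handshake before the inner credentials are sent. anonymous_identity keeps the real
# username out of the cleartext outer EAP-Identity exchange; it is only revealed inside
# the TLS tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

wpa_supplicant's own configuration reference states that when neither ca_cert nor ca_path is set the server certificate is not verified, which is why the hardened block always carries a trust anchor.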
EAP Flexible Authentication via Secure Tunnelling (EAP-FAST)
EAP-FAST uses a Protected Access Credential (PAC) to authenticate users.