Extensible Authentication Protocol (EAP), defined in RFC 3748, is an authentication framework that runs directly over the data link layer without requiring IP. EAP may be used on different types of links, such as dedicated point-to-point (PPP), wireless, and wired links. Cisco uses EAP for several types of environments:

• Wireless LAN: Using EAP to authenticate wireless clients to a centralized authentication server, such as RADIUS

• IEEE 802.1X: Using EAP for port-based network access control of clients against a centralized authentication server

• Remote access: Using EAP to authenticate remote-access users over PPP

EAP has its own retransmission timers (on the authenticator side) and detects duplicates using the Identifier field in each packet, but it relies on the lower layer to deliver packets in order. It also provides no fragmentation of its own, so any EAP method that carries large payloads (certificates, for example) must fragment them itself.

EAP provides support for various authentication mechanisms (EAP methods), including MD5 challenge, identity, OTPs, and generic token cards. EAP also supports the use of a back-end authentication server (for example, RADIUS, Microsoft Active Directory, and so on) to which the authenticator (for example, a Cisco router or switch) passes through the authentication exchange from the client. Because the authenticator only relays EAP packets between the supplicant and the server, a given method has to be implemented on the supplicant and the authentication server only; the authenticator (NAS) does not need to understand it, so new methods or third-party servers can be introduced without changes to the NAS. Figure 6-5 shows the EAP authentication via back-end server.
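The pass-through exchange described above, worked through in code as an added example (this is not code from the book or from Cisco). It builds and parses the RFC 3748 packet header (Code, Identifier, Length, Type), then runs the Identity and MD5-Challenge methods between a supplicant and a back-end server while the authenticator merely relays bytes and records them. The `Supplicant`, `AuthServer` and `run_exchange` names, the user "alice" and the wordlist are assumptions made for the example. The last function is the caveat a practitioner should keep in mind: EAP-MD5 offers no mutual authentication and no key derivation, so a captured challenge/response pair can be attacked offline with a dictionary.

```python
import hashlib
import hmac
import os
import struct

# EAP Code values (RFC 3748 section 4) and the Type values used here (section 5)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Serialise: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse an EAP packet, rejecting inconsistent Length fields (RFC 3748 4.1)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("unknown EAP Code %d" % code)
    body = pkt[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if not body:
        raise ValueError("Request/Response must carry a Type octet")
    return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}


def md5_challenge_response(identifier, secret, challenge):
    """CHAP-style digest MD5(Identifier || secret || challenge) (RFC 3748 5.4, RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Supplicant:
    """Client side: answers Identity and MD5-Challenge requests, Naks anything else."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, request):
        req = parse_eap(request)
        if req["type"] == TYPE_IDENTITY:
            return build_eap(EAP_RESPONSE, req["id"], TYPE_IDENTITY, self.identity)
        if req["type"] == TYPE_MD5_CHALLENGE:
            challenge = req["data"][1:1 + req["data"][0]]       # Value-Size(1) Value(n) Name
            digest = md5_challenge_response(req["id"], self.password, challenge)
            return build_eap(EAP_RESPONSE, req["id"], TYPE_MD5_CHALLENGE,
                             bytes([len(digest)]) + digest + self.identity)
        return build_eap(EAP_RESPONSE, req["id"], TYPE_NAK, bytes([TYPE_MD5_CHALLENGE]))


class AuthServer:
    """Back-end server (RADIUS role): the only party that holds the user database."""

    def __init__(self, users):
        self.users, self.identity, self.pending, self.next_id = users, None, None, 1
        self.challenge = os.urandom(16)

    def _request(self, eap_type, type_data=b""):
        self.pending, self.next_id = self.next_id, self.next_id + 1
        return build_eap(EAP_REQUEST, self.pending, eap_type, type_data)

    def start(self):
        return self._request(TYPE_IDENTITY)

    def handle(self, response):
        rsp = parse_eap(response)
        if rsp["code"] != EAP_RESPONSE or rsp["id"] != self.pending:
            return None                     # duplicate or stale Identifier: discard silently
        if rsp["type"] == TYPE_IDENTITY:
            self.identity = rsp["data"]
            return self._request(TYPE_MD5_CHALLENGE,
                                 bytes([len(self.challenge)]) + self.challenge + b"server")
        if rsp["type"] == TYPE_MD5_CHALLENGE:
            got = rsp["data"][1:1 + rsp["data"][0]]
            secret = self.users.get(self.identity)
            ok = secret is not None and hmac.compare_digest(
                got, md5_challenge_response(rsp["id"], secret, self.challenge))
            return build_eap(EAP_SUCCESS if ok else EAP_FAILURE, rsp["id"])
        return build_eap(EAP_FAILURE, rsp["id"])


def run_exchange(supplicant, server, capture):
    """Pass-through authenticator: relays packets untouched and logs them; returns final Code."""
    pkt = server.start()
    while True:
        capture.append(pkt)
        if parse_eap(pkt)["code"] in (EAP_SUCCESS, EAP_FAILURE):
            return parse_eap(pkt)["code"]
        pkt = supplicant.handle(pkt)
        capture.append(pkt)
        pkt = server.handle(pkt)


def crack_md5_challenge(capture, wordlist):
    """Offline dictionary attack on a captured MD5-Challenge request/response pair."""
    pkts = [parse_eap(p) for p in capture]
    req = next(p for p in pkts if p["code"] == EAP_REQUEST and p["type"] == TYPE_MD5_CHALLENGE)
    rsp = next(p for p in pkts if p["code"] == EAP_RESPONSE and p["type"] == TYPE_MD5_CHALLENGE)
    challenge = req["data"][1:1 + req["data"][0]]
    digest = rsp["data"][1:1 + rsp["data"][0]]
    for word in wordlist:                   # wordlist is constructed sample input
        if md5_challenge_response(rsp["id"], word, challenge) == digest:
            return word
    return None


if __name__ == "__main__":
    capture = []
    result = run_exchange(Supplicant(b"alice", b"s3cret"), AuthServer({b"alice": b"s3cret"}), capture)
    print("exchange result:", "Success" if result == EAP_SUCCESS else "Failure")
    print("recovered from capture:", crack_md5_challenge(capture, [b"password", b"s3cret"]))
```

Note that the authenticator in `run_exchange` never inspects the Type octet; that is exactly why a NAS needs no update when a new method is deployed. The final function shows why the MD5 challenge method is acceptable only as a protocol illustration: anyone who captures the relayed frames, whether on the air or on the wire, can recover a weak password without ever talking to the server, which is why the wireless and 802.1X deployments mentioned above use TLS-protected methods in practice.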

