Why Should I Use EAP?

EAP: The framework that authenticates your future-proof network.
Key Points
  • EAP-TLS uses digital certificates and asymmetric encryption for superior, passwordless authentication, preventing common attacks like password theft.
  • Password-based methods like EAP-TTLS/PAP and PEAP-MSCHAPv2 are vulnerable to man-in-the-middle and other credential-based attacks.
  • A managed PKI solution is essential for the secure, automated, and scalable deployment of EAP-TLS without the complexity of building a self-hosted infrastructure.

What Is EAP?

The Extensible Authentication Protocol (EAP) provides a standard framework for authenticating users and devices to a network. By implementing EAP, organizations can restrict network access to authenticated users and devices and keep unauthenticated, potentially malicious traffic off the network.

EAP supports various authentication methods, such as tokens, smart cards, digital certificates, and one-time passwords. Some EAP methods use symmetric cryptography so that only authorized users can access the network.

Main Features of the EAP Framework

EAP is the primary framework for various authentication methods, such as passwords, tokens, RSA tokens, and digital certificates. These methods can be implemented individually or in combination. For example, certain users and devices can use passwords alone, and users and devices with critical security needs can use a combination of passwords, keys, or digital certificates.

Stronger Authentication

EAP lets you use stronger authentication methods, such as EAP-TLS for digital certificates, with asymmetric cryptography and network access control to improve network security.

802.1X Security

EAP is the authentication framework used in 802.1X, with RADIUS as the back-end authentication server, and it lets remote users connect safely to a network via Wi-Fi and VPNs.

Supports Various Network Environments

EAP was originally defined for the Point-To-Point Protocol (PPP) and is independent of the underlying link layer, which makes it versatile for various network environments, such as LANs, WLANs, Wi-Fi, and cellular networks. It can be adapted to meet the specific needs of almost any network environment.

EAP Authentication Methods

EAP supports many authentication methods, including:

  • EAP-TTLS-PAP
  • EAP-FAST
  • LEAP
  • PEAP-MSCHAPv2
  • EAP-SIM
  • EAP-MD5
  • EAP-TLS

Three of the most commonly used methods are described below.

EAP-TLS

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) lets you use digital certificates for authentication in a WPA2-Enterprise environment. EAP-TLS replaces passwords with digital certificates, which are safer. You don’t have to enter your credentials every time you connect to the network, and certificates cannot be stolen over the air or duplicated as easily as passwords.

EAP-TLS uses mutual certificate authentication, in which digital certificates are issued to both the client and the server. The client and the server present their certificates to verify each other’s identity before network access is granted. Digital certificates rely on asymmetric cryptography, in which data encrypted with the public key can be decrypted only with the corresponding private key.

EAP-TTLS/PAP

Extensible Authentication Protocol Tunneled Transport Layer Security (EAP-TTLS) creates a secure TLS tunnel between the client and the server, inside which credentials are exchanged, protecting them from eavesdropping on the wire. However, the inner method does not encrypt the credentials itself. Instead, it uses the Password Authentication Protocol (PAP) to send passwords for authentication.

Once the tunnel is established, PAP transmits the user’s password in cleartext inside the tunnel for validation, so the security of the password rests entirely on the client verifying the server at the tunnel endpoint. EAP-TTLS/PAP is used with password-based systems like Active Directory (AD) and does not support digital certificates for passwordless authentication.

PEAP-MSCHAPv2

In PEAP-MSCHAPv2, the Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) integrates with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) to perform a two-way handshake with the RADIUS server before authentication. PEAP-MSCHAPv2 authenticates both the user and the server: server certificate validation ensures the user connects to the legitimate server.

However, PEAP-MSCHAPv2 has its limitations. The protocol is known to have problems with Windows Credential Guard, a native Windows credential-protection feature, with the result that users are prompted to enter their credentials whenever they want to access the network. This can make the network vulnerable to evil twin attacks and makes credentials more susceptible to theft and misuse.
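To make the differences between the three methods concrete, here are wpa_supplicant network blocks for each of them. This is an added example written for this page, not configuration from SecureW2 or from the original article; the SSID, identities, file paths, passwords and the RADIUS server name are placeholders constructed for the example. The security-relevant point in every block is the same: `ca_cert` and `domain_suffix_match` pin the server the tunnel is built to, which is what stops a rogue access point from harvesting a password (EAP-TTLS/PAP, PEAP-MSCHAPv2) or impersonating the network (all three). EAP-TLS additionally replaces `password` with a client certificate and private key.

```conf
# Added example: wpa_supplicant network blocks for EAP-TLS, EAP-TTLS/PAP
# and PEAP-MSCHAPv2. Every SSID, identity, path and name below is a
# placeholder constructed for this example; substitute your own.

# 1. EAP-TLS: certificate-based, passwordless. The client proves possession
#    of its private key, and the server must present a certificate issued by
#    the pinned CA with the expected name, so an evil twin that cannot
#    obtain such a certificate is rejected before any secret is sent.
network={
    ssid="corp-wifi"                           # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device01@example.com"            # placeholder identity
    ca_cert="/etc/ssl/certs/corp-ca.pem"       # placeholder: CA that issued the RADIUS cert
    domain_suffix_match="radius.example.com"   # placeholder: expected server name
    client_cert="/etc/wpa/device01.crt"        # placeholder: client certificate from the PKI
    private_key="/etc/wpa/device01.key"        # placeholder: matching private key
    private_key_passwd="placeholder-passphrase"
}

# 2. EAP-TTLS/PAP: the password crosses the TLS tunnel in cleartext, so the
#    tunnel endpoint MUST be verified. If ca_cert is omitted, the supplicant
#    accepts any server certificate and the password goes to whoever answers.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com" # outer identity, keeps the real username out of the clear
    identity="jdoe@example.com"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=PAP"
}

# 3. PEAP-MSCHAPv2: the inner exchange is a challenge/response rather than a
#    raw password, but it is only as safe as the server validation around it.
#    The same CA and name pinning applies.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="jdoe@example.com"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

In practice a client carries only one of these blocks for a given SSID. The useful check when reviewing an existing deployment is whether the password-based blocks have both `ca_cert` and `domain_suffix_match` set; a block with `eap=TTLS` or `eap=PEAP` and no CA pinning is the configuration the evil twin and MITM concerns above describe.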

Why Should We Use EAP For Modern Networks?

As an organizational network grows, so do the chances of attacks. To ensure safe and secure network access, an extensible EAP framework that allows passwords, digital certificates, MFA, RSA tokens, and other methods to authenticate users and devices is necessary. EAP methods are vendor-neutral and work with almost all identity providers, devices, and access points.

EAP-TTLS/PAP and PEAP-MSCHAPv2 primarily use passwords, which leave your network vulnerable to man-in-the-middle (MITM) and brute-force attacks and degrade the user experience. With passwordless authentication in an EAP-TLS setup, end users and devices can safely eliminate passwords through digital certificates distributed by a Public Key Infrastructure (PKI).

A PKI issues certificates, stores encrypted keys, verifies identities, and secures communication on a network. However, an on-premises PKI does not support remote employees well and requires duplicate servers for each location, which makes it expensive and demands constant updates and maintenance.

Further, configuring a PKI on your own can lead to misconfiguration, leaving your network vulnerable. To address that issue, organizations can choose a managed gateway API, which gives them the security of a PKI without the hassle of building it themselves.

Implement EAP-TLS With SecureW2 For Improved Security

The Managed Gateway API from SecureW2 automates the certificate lifecycle and supports automatic revocation through advanced integrations with JAMF and Intune. SecureW2 solutions also integrate with your security vendors to ensure certificates are only issued to compliant, low-risk devices. Our API integrates with existing IDPs for dynamic, up-to-date certificate verification without needing an infrastructure overhaul.

JoinNow Cloud RADIUS is designed for certificate-based authentication with EAP-TLS on a WPA2-Enterprise network. It communicates directly with major IDPs and MDMs during authentication and provides network access for secure authentication.

Schedule a demo today to learn more about deploying secure passwordless network security solutions for your organization.