EAP: PPP Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP) is a general protocol for PPP authentication that supports multiple authentication mechanisms. EAP does not select a specific authentication mechanism during the Link Control Phase, but postpones this until the Authentication Phase. This allows the authenticator to request more information before determining the specific authentication mechanism. It also permits the use of a "back-end" server which actually implements the various mechanisms, while the PPP authenticator merely passes the authentication exchange through.
- After the Link Establishment phase is complete, the authenticator sends one or more Requests to authenticate the peer. The Request has a type field to indicate what is being requested. Examples of Request types include Identity, MD5-challenge, One-Time Passwords, Generic Token Card, etc. The MD5-challenge type corresponds closely to the CHAP authentication protocol. Typically, the authenticator will send an initial Identity Request followed by one or more Requests for authentication information. However, an initial Identity Request is not required, and MAY be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.).
- The peer sends a Response packet in reply to each Request. As with the Request packet, the Response packet contains a type field which corresponds to the type field of the Request.
- The authenticator ends the authentication phase with a Success or Failure packet.
The EAP protocol can support multiple authentication mechanisms without having to pre-negotiate a particular one during the LCP Phase. Certain devices (e.g. a NAS) do not necessarily have to understand each request type and may be able to simply act as a pass-through agent for a "back-end" server on a host. The device need only look for the Success/Failure code to terminate the authentication phase.
However, EAP does require the addition of a new authentication type to LCP and thus PPP implementations will need to be modified to use it. It also strays from the previous PPP authentication model of negotiating a specific authentication mechanism during LCP.
Protocol Structure - EAP: PPP Extensible Authentication Protocol
The Authentication-Protocol Configuration Option format to negotiate the EAP Authentication Protocol is shown below:
| 8 | 16 | 32bit | Variable |
| Type | Length | Authentication-Protocol | Data |

- Type - 3
- Length - 4
- Authentication-Protocol - C227 (Hex) for PPP Extensible Authentication Protocol (EAP)
One PPP EAP packet is encapsulated in the Information field of a PPP Data Link Layer frame where the protocol field indicates type hex C227 (PPP EAP). The EAP packet format is shown below:
| 8 | 16 | 32bit | Variable |
| Code | Identifier | Length | Data |

- Code - The Code field identifies the type of EAP packet.
- EAP Codes are assigned as follows: 1 Request; 2 Response; 3 Success; 4 Failure.
- Identifier - The Identifier field aids in matching responses with requests.
- Length - The Length field indicates the length of the EAP packet including the Code, Identifier, Length and Data fields.
- Data - The format of the Data field is determined by the Code field.
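The packet and option layouts above, worked as an added example (not code from the page or from the RFC): an encoder and a parser for the 4-byte EAP header that rejects a Length field inconsistent with the bytes actually received, a matcher that pairs a Response with its Request by Identifier, and the LCP Authentication-Protocol option that selects EAP (Type 3, Length 4, C227). The Identity request type value 1 is taken from RFC 2284; the sample exchange is constructed.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PPP_PROTO_EAP = 0xC227      # PPP protocol field value for EAP
EAP_TYPE_IDENTITY = 1       # Request/Response type "Identity" (RFC 2284)


def build_eap_packet(code, identifier, data=b""):
    """Encode Code(8) Identifier(8) Length(16) Data; Length covers all four."""
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap_packet(buf):
    """Decode an EAP packet from a PPP Information field, validating Length."""
    if len(buf) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    # Length must cover the header and must not exceed what was received;
    # trusting a larger Length is how a parser over-reads its buffer.
    if length < 4 or length > len(buf):
        raise ValueError(f"Length {length} inconsistent with {len(buf)} bytes")
    data = buf[4:length]            # bytes beyond Length are padding, ignored
    if code in (1, 2) and not data:
        raise ValueError("Request/Response must carry a Type field in Data")
    return {"code": EAP_CODES[code], "identifier": identifier,
            "length": length, "data": data}


def response_matches(request, response):
    """A Response answers a Request only when the Identifier fields agree."""
    return (request["code"] == "Request" and response["code"] == "Response"
            and request["identifier"] == response["identifier"])


def lcp_auth_option_eap():
    """LCP Authentication-Protocol option negotiating EAP: Type 3, Length 4, C227."""
    return struct.pack("!BBH", 3, 4, PPP_PROTO_EAP)


if __name__ == "__main__":
    # Constructed exchange: Identity Request (id 7) answered by an Identity Response.
    req = parse_eap_packet(build_eap_packet(1, 7, bytes([EAP_TYPE_IDENTITY])))
    rsp = parse_eap_packet(build_eap_packet(2, 7, bytes([EAP_TYPE_IDENTITY]) + b"alice"))
    print(req, rsp, response_matches(req, rsp), lcp_auth_option_eap().hex())
```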
Related Protocols
PPP, CHAP
Sponsor Source
EAP is defined by IETF (http://www.ietf.org ).
Reference
http://www.javvin.com/protocol/rfc2284.pdf : PPP Extensible Authentication Protocol (EAP).