
Other EAP methods

Methods not useful in a typical enterprise environment

EAP-SIM (RFC 4186)

  • authenticate SIM cards

EAP-PSK (RFC 4764)

Pre-Shared Key:

  • similar to the 4-way handshake

EAP-GPSK (RFC 5433)

Generalized Pre-Shared Key:

  • similar to EAP-PSK, but negotiates cryptographic algorithms

TODO / not important?

EAP-AKA (RFC 4187)

3rd Generation Authentication and Key Agreement

EAP-AKA’ (RFC 5448)

  • new revision of EAP-AKA

EAP-POTP (RFC 4793)

Protected One-Time Password:

  • not known by wpa_supplicant

EAP-TNC

“Trusted Network Connect” - IBM? no RFC/spec found

  • method type 38 collides with previous allocation for “EAP-HTTP Digest”

EAP-PAX (RFC 4746)

Password Authenticated Exchange:

  • shared key + provisioning
  • IANA registry doesn’t list RFC, but RFC shows assignment

EAP-SAKE (RFC 4763)

Shared-secret Authentication and Key Establishment:

  • shared key

EAP-EKE (RFC 6124)

Encrypted Key Exchange:

  • shared key, allowing for weak keys

EAP-IKEv2 (RFC 5106)

  • based on RFC 4306 IKEv2
    • seems to require plaintext passwords on server (or public/private key authentication)?

EAP-LEAP (Cisco proprietary)

  • https://en.wikipedia.org/wiki/Lightweight_Extensible_Authentication_Protocol ?
  • only WEP, not WPA? weak
  • no spec found

EAP methods without key derivation support

These can’t be used directly for wifi, but they could be used in inner layers.

EAP-MD5 (RFC 3748)

  • challenge-response; response hashes over secret - basically requires plaintext password on server side (due to random challenge, and challenge coming before secret in hash data)
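The exchange behind that bullet, as an added example that is not part of these notes: an EAP-Request/MD5-Challenge and its EAP-Response built and parsed per RFC 3748 §5.4, which reuses the CHAP algorithm of RFC 1994 §4.1 (the hash input order there is Identifier, then secret, then challenge). The packet layout and hash come from those RFCs; the names "alice" and "server", the fixed 16-byte challenge and the user-database dict are constructed for the example. The server-side check makes the plaintext-password requirement concrete: verification recomputes the MD5 from the secret and the fresh challenge, so a stored hash of the secret alone cannot be used.

```python
# Added example (not part of the original notes): EAP-MD5 round trip per
# RFC 3748 §5.4 / RFC 1994 §4.1. Names, challenge bytes and user_db are
# constructed for illustration.
import hashlib
import hmac
import os
import struct

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 §4.1: MD5 over Identifier || secret || challenge (16 bytes)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """EAP header (Code, Identifier, Length, Type) followed by the
    MD5-Challenge Type-Data: Value-Size, Value, Name."""
    type_data = bytes([len(value)]) + value + name
    length = 5 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, EAP_TYPE_MD5_CHALLENGE) + type_data


def parse_eap_packet(pkt: bytes):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(pkt) < 6:
        raise ValueError("packet too short for an MD5-Challenge")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated Value field")
    return code, identifier, value, pkt[6 + value_size:]


def server_make_request(identifier: int, challenge: bytes = b""):
    """Server side: a fresh random challenge inside an EAP-Request."""
    if not challenge:
        challenge = os.urandom(16)
    pkt = build_eap_packet(EAP_CODE_REQUEST, identifier, challenge, b"server")
    return pkt, challenge


def peer_answer(request: bytes, secret: bytes, peer_name: bytes) -> bytes:
    """Peer side: hash the secret with the Identifier and the challenge."""
    code, identifier, challenge, _ = parse_eap_packet(request)
    if code != EAP_CODE_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_challenge_response(identifier, secret, challenge)
    return build_eap_packet(EAP_CODE_RESPONSE, identifier, value, peer_name)


def server_verify(response: bytes, challenge: bytes, user_db: dict) -> bool:
    """Server side. user_db maps Name -> plaintext secret: because the random
    challenge is hashed together with the secret, the server must recompute
    the MD5 from the secret itself; a stored hash of the secret would not do."""
    try:
        code, identifier, value, name = parse_eap_packet(response)
    except ValueError:
        return False
    if code != EAP_CODE_RESPONSE or name not in user_db:
        return False
    expected = md5_challenge_response(identifier, user_db[name], challenge)
    return hmac.compare_digest(expected, value)


def run_exchange(peer_secret: bytes, stored_secret: bytes) -> bool:
    """Full round trip with a constructed challenge; True if the server accepts."""
    request, challenge = server_make_request(0x2A, bytes(range(16)))
    response = peer_answer(request, peer_secret, b"alice")
    return server_verify(response, challenge, {b"alice": stored_secret})
```

`run_exchange(b"pw", b"pw")` accepts and `run_exchange(b"pw", b"other")` rejects; the comparison uses `hmac.compare_digest` so the check is constant-time, although the real weakness of the method (no key derivation, no protection of the hash from offline guessing) is in the protocol itself, not the implementation.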

EAP-OTP (RFC 3748)

  • another challenge-response system (RFC 2289)
  • designed for “external HSM” to generate OTP (?): challenge and response are both ASCII strings
  • the response is an encoding of a 64-bit number
  • “reverse” sequence of hashes; the next password hashes to the previously used password
  • challenge includes the number of iterations wanted (going down); if it reaches zero the account is “dead”.
  • challenge also includes a fixed “seed” (public salt to the password)
  • -> sounds completely ridiculous
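The hash chain those bullets describe, as an added example that is not part of these notes: the RFC 2289 one-time password scheme that EAP-OTP (RFC 3748 §5.6) carries as ASCII challenge and response strings, using the "otp-md5" hash. The folding, the seed/pass-phrase initial step, the "otp-md5 <sequence> <seed>" challenge form and the "hex:" response form follow RFC 2289; the class and function names, the seed "TeSt" and the pass phrase are constructed. It shows the two points the notes make: the server only ever stores the last accepted OTP (hashing the next response once must reproduce it), and the sequence counts down until the user has no OTPs left.

```python
# Added example (not part of the original notes): RFC 2289 OTP as used by
# EAP-OTP, with the "otp-md5" hash. Names, seed and pass phrase are constructed.
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """One hash step: MD5, then fold 128 bits to 64 by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_initial(seed: str, passphrase: str) -> bytes:
    """Initial step: seed (case-insensitive, so lowercased) || pass phrase."""
    return fold_md5((seed.lower() + passphrase).encode())


def otp_at(seed: str, passphrase: str, sequence: int) -> bytes:
    """OTP number `sequence` is the initial value hashed `sequence` more times.
    OTP n hashes to OTP n+1, so an observed OTP n reveals nothing about n-1."""
    value = otp_initial(seed, passphrase)
    for _ in range(sequence):
        value = fold_md5(value)
    return value


def format_response(otp: bytes) -> str:
    return "hex:" + otp.hex()


def parse_response(text: str) -> bytes:
    if not text.startswith("hex:"):
        raise ValueError("only the hex: response form is handled here")
    otp = bytes.fromhex(text[4:].replace(" ", ""))
    if len(otp) != 8:
        raise ValueError("an OTP is exactly 64 bits")
    return otp


def parse_challenge(challenge: str):
    """Challenge form: "otp-md5 <sequence> <seed>"."""
    alg, seq, seed = challenge.split()
    if alg != "otp-md5":
        raise ValueError("unsupported OTP hash: " + alg)
    return int(seq), seed


def peer_register(seed: str, passphrase: str, sequence: int) -> str:
    """Enrolment: the peer hands the server OTP `sequence`, never the pass phrase."""
    return format_response(otp_at(seed, passphrase, sequence))


def peer_respond(challenge: str, passphrase: str) -> str:
    seq, seed = parse_challenge(challenge)
    return format_response(otp_at(seed, passphrase, seq))


class OtpServer:
    """Holds only the seed, the current sequence number and the last accepted OTP."""

    def __init__(self, seed: str, sequence: int, registered: str):
        self.seed = seed
        self.sequence = sequence
        self.last = parse_response(registered)

    def challenge(self):
        # The number counts down with each login; at zero the user has no OTPs
        # left and must re-initialise with a new seed/sequence.
        if self.sequence == 0:
            return None
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: str) -> bool:
        if self.sequence == 0:
            return False
        try:
            candidate = parse_response(response)
        except ValueError:
            return False
        # Accept iff hashing the candidate once yields the last accepted OTP.
        if not hmac.compare_digest(fold_md5(candidate), self.last):
            return False
        self.last = candidate      # replaying this same OTP now fails
        self.sequence -= 1
        return True
```

RFC 2289 Appendix C lists test vectors for the MD4, MD5 and SHA1 variants that `otp_at` can be checked against; note that the SHA1 fold involves a byte-order step that the MD5 fold above does not, so this code is deliberately limited to "otp-md5".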

EAP-GTC (RFC 3748)

  • “Generic Token Card”; show simple message to user, enter plaintext token
  • token system not specified
  • “should not be used for static passwords”
    • but ok in TLS-protected EAP sessions like TTLS/FAST/TEAP/PEAP
    • probably used in non-TTLS instead of EAP-TTLS/PAP, e.g. EAP-FAST/GTC ?

“EAP Method Type for PT-EAP” (RFC 7171)

  • not known by wpa_supplicant