Version 4.1 - 2.0 EAP methods
There are multiple EAP methods outlined in the blueprint. It is fairly obvious that something on the test will make you distinguish between them or compare them in some way. With only 14% of the exam on section 2.0 and 28 items listed, I can still see the possibility of one or two EAP questions on any exam delivery.
According to RFC 3748, Extensible Authentication Protocol (EAP) is "an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP." Right there you have three pieces of information that may be important. One is that it is a framework rather than an authentication method in itself. Two, it supports multiple authentication methods. Three, it operates at Layer 2 of the OSI model. "EAP was designed for use in network access authentication, where IP layer connectivity may not be available."
The EAP exchange (here's another series of steps):
1. The authenticator sends a Request to authenticate the peer.
2. The peer sends a Response packet in reply to a valid Request.
3. The authenticator sends an additional Request packet, and the peer replies with a Response.
4. The Request | Response conversation continues until the authenticator cannot authenticate the peer [EAP Failure - Code 4], or it determines that successful authentication has occurred [EAP Success - Code 3].
Note that these are lock-step Request-Response conversations. And for mutual authentication, an "independent and simultaneous authentication may take place in the reverse direction." "EAP was developed for use with PPP and was later adapted for use in wired IEEE 802 networks in 802.1X. Subsequently, EAP has been proposed for use on wireless LAN networks and over the Internet."
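The packet layout and lock-step rule described above can be checked in a few lines. The following is an added example, not code from the original post: the helper names (`eap`, `parse_eap`, `check_exchange`) and the sample exchange are constructed for illustration, and the Type numbers are the IANA-assigned values for the methods covered below.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
# IANA EAP method Type numbers for the methods named on this page
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 13: "EAP-TLS",
         17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}

def eap(code, ident, type_=None, data=b""):
    """Build a packet: Code(1) | Identifier(1) | Length(2) | [Type(1) | Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES or not 4 <= length <= len(pkt):
        raise ValueError("bad Code or Length field")
    out = {"code": CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):                    # only Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        out["type"] = TYPES.get(pkt[4], "type-%d" % pkt[4])
        out["data"] = pkt[5:length]       # octets beyond Length are padding
    return out

def check_exchange(packets):
    """Enforce lock-step Request/Response pairing; return 'Success' or 'Failure'."""
    pending = last = None                 # outstanding Request id, last answered id
    for p in map(parse_eap, packets):
        if p["code"] == "Request":
            if pending not in (None, p["id"]):   # same id = retransmission
                raise ValueError("new Request while one is unanswered")
            pending = p["id"]
        elif p["code"] == "Response":
            if p["id"] != pending:
                raise ValueError("Response Identifier does not match the Request")
            pending, last = None, p["id"]
        else:                             # Code 3 or 4 ends the conversation
            if pending is not None or p["id"] != last:
                raise ValueError("Success/Failure does not follow a Response")
            return p["code"]
    raise ValueError("no Success or Failure seen")

# Constructed sample (payload bytes are placeholders, TLS rounds omitted)
SAMPLE = [eap(1, 1, 1), eap(2, 1, 1, b"alice"),      # Identity round
          eap(1, 2, 13), eap(2, 2, 3, b"\x19"),      # EAP-TLS offered, Nak -> 25
          eap(1, 3, 25), eap(2, 3, 25, b"\x00"),     # PEAP round
          eap(3, 3)]                                 # EAP Success, Code 3

if __name__ == "__main__":
    print([(p["code"], p["type"]) for p in map(parse_eap, SAMPLE)])
    print(check_exchange(SAMPLE))
```

The sample also shows method negotiation: the peer answers the EAP-TLS Request with a Nak (Type 3) naming Type 25, and the authenticator continues with PEAP.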
That's probably all you need to know about EAP itself. Most of the study materials focus on the types of EAP methods. Remember that with EAP (tunneled versions), you have an outer and inner method. The outer method sets up the EAP tunnel and the inner method (which may be weaker) is used to send credentials through the tunnel.
EAP-MD5 is the weakest and most useless of the bunch. MD5 is vulnerable to dictionary attacks.
EAP-TLS is "the original, standard wireless LAN EAP authentication protocol." It is also "an IETF open standard that uses the Transport Layer Security (TLS) protocol." [Note that TLS is considered secure; however, _implementations of it_ may be less secure.] "The majority of implementations of EAP-TLS require client-side X.509 certificates without giving the option to disable the requirement, even though the standard does not mandate their use." RFC 5216 covers EAP-TLS in detail. "Since TLS supports ciphersuite negotiation, peers completing the TLS negotiation will also have selected a ciphersuite, which includes encryption and hashing methods." This will be important when you go to configure EAP-TLS in later sections.
"EAP Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS." It is proprietary (developed by Funk Software and Certicom). It consists of a handshake phase and a data phase. The protocol requires server certificate authentication, with client authentication optional. You can read more about EAP-TTLS in RFC 5281. [You may want to be familiar with the encapsulated AVPs (attribute-value pairs) transmitted within the TLS Record Layer. I don't think the questions will go that deep, but anything is fair game on this exam.]
EAP-FAST stands for Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. It was created by Cisco and is standards-compliant (but proprietary). It was "developed to support customers that cannot enforce a strong password policy and want to deploy an 802.1X EAP type that does not require digital certificates." You would think there would be a lot in the Cisco documentation on this, but rather than documenting the technology, it documents the _implementation_ of that technology. The best I found on the site was Cisco Secure Services Client with EAP-FAST Authentication. You will see a lot more about provisioning the PAC files in later sections. It can be used for SSO (Single Sign-On) with a Windows username/password. More on EAP-FAST can be found as an Internet Draft.
PEAP (Protected EAP) was jointly developed by Cisco Systems, Microsoft, and RSA Security. Since this was created by multiple vendors, it may or may not be considered "proprietary" in any question. It creates a (protected) tunnel between the PEAP clients and an authentication server. Although it can do mutual authentication, only server-side certificates are required. There are two certified PEAP subtypes available:
PEAPv0/EAP-MSCHAPv2
PEAPv1/EAP-GTC
LEAP (Lightweight EAP) is a Cisco proprietary authentication type developed (long ago) because at the time there was no industry standard. It was created as a part of getting 802.1X and dynamic WEP adopted by customers. Cisco has been pushing 802.1X for a very long time and there has been a lot of resistance in the industry to implement and deploy it. [More on that later.] LEAP was created to get this going. It's really not used much now and is included probably for historical interest and to be used as a comparison.
Note that there are about 40 different methods of EAP defined. The ones covered here are the most common in study materials and Cisco documents. Out of all the materials, the BEST coverage of EAP and EAP methods can be found in "AAA Identity Management Security." That book really is well written and highly recommended.